This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Black Cat Security ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service.
1. Definitions
For the purposes of this DPA, the following terms have the meanings ascribed to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
"Controller" means the natural or legal person which determines the purposes and means of the processing of personal data — in this DPA, the Customer.
"Processor" means the natural or legal person which processes personal data on behalf of the Controller — in this DPA, Black Cat Security.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Scope and Roles
The Customer acts as the Controller and Black Cat Security acts as the Processor with respect to the personal data processed through the Service. This DPA supplements the Terms of Service and applies to all processing activities performed by the Processor on behalf of the Controller.
In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.
3. Processing Instructions
The Processor shall process personal data only in accordance with the Controller's documented instructions, as set out in this DPA and the Terms of Service. The Processor shall not process personal data for any purpose other than the provision of the Service unless required to do so by applicable EU or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection legislation.
4. Categories of Data Processed
The following categories of personal data are processed by the Processor on behalf of the Controller in connection with the Service:
Data Category | Data Subjects | Purpose
SaaS configuration data | End users of connected SaaS applications | Security posture assessment and compliance monitoring
Identity data (names, emails, roles) | Users of connected SaaS applications | Identity risk analysis and access review
Security findings | Users associated with misconfigured resources | Risk scoring and remediation guidance
Audit logs | Platform administrators | Accountability, troubleshooting, and compliance
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors for the processing of personal data:
Name | Purpose | Location
Cloudflare, Inc. | Hosting, CDN, edge compute, DDoS protection | USA (DPF) + EU edge
Paddle.com Market Ltd | Merchant of Record — billing, payments, VAT | United Kingdom (adequacy)
Functional Software, Inc. (Sentry) | Error monitoring | USA (DPF)
Ory Corp | Identity & authentication (Kratos) | Germany (EEA)
The complete and current list is published at /sub-processors.
The Processor shall notify the Controller of any intended changes to its sub-processors at least 30 days before the new sub-processor begins processing personal data. The Controller shall have a period of 30 days from receipt of such notification to object in writing on reasonable grounds relating to the protection of personal data. If the Controller raises a reasonable objection, the parties shall discuss the matter in good faith and, if no resolution is reached within 30 days of the objection, the Controller may terminate the affected services and shall receive a pro-rata refund of any prepaid fees for the remainder of the then-current subscription term.
Where transfer mechanisms above reference adequacy decisions or the EU-US Data Privacy Framework, the Standard Contractual Clauses (Module 2 of Commission Implementing Decision (EU) 2021/914) apply as a fallback should those mechanisms cease to be in force.
6. Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Annex B. The measures described below represent the minimum standards maintained by the Processor and shall not be materially reduced during the term of this DPA.
6.1 Access Control
Role-based access control (RBAC) with the principle of least privilege for all systems processing personal data.
Mandatory multi-factor authentication (MFA) for all personnel with access to personal data or production systems.
Timely provisioning and de-provisioning of user access, including upon role change or termination.
Personal data logically segregated per Controller in the production environment.
6.2 Encryption
Encryption of personal data at rest using AES-256 or equivalent industry-standard algorithms.
Encryption of personal data in transit using TLS 1.2 or higher over all public networks.
Documented policies for the management of encryption mechanisms and cryptographic keys.
6.3 Business Continuity and Disaster Recovery
Business continuity, backup, and disaster recovery plans maintained and tested at regular intervals.
Backup data isolated from production systems and subject to the same security controls.
6.4 Change Control and Vulnerability Management
Documented policies and procedures for applying changes to the Service and underlying infrastructure.
Penetration testing of the Service and network infrastructure conducted at least annually by qualified personnel; identified vulnerabilities remediated per the Processor's vulnerability management policy.
Regular vulnerability scans of production systems; security patches applied in accordance with the Processor's patching schedule.
Separate testing and development environments from the production environment.
6.5 Data Security and Audit Logging
Comprehensive audit logging of all access to and modifications of personal data.
Logs retained for a minimum of 12 months and protected against tampering.
6.6 Governance and Risk Management
Information security programme reviewed at least annually.
Risk assessments conducted at least annually to identify and address threats to personal data.
6.7 Personnel Security
Background verification checks for all personnel with access to personal data, subject to applicable law.
All personnel authorised to process personal data bound by appropriate confidentiality obligations.
Data protection and information security training conducted at onboarding and at least annually thereafter.
6.8 Incident Response
Documented incident response procedures with defined roles, escalation paths, and notification processes.
Post-incident review and remediation tracking.
7. Data Breach Notification
In the event of a Data Breach, the Processor shall notify the Controller without undue delay and in any case within 48 hours of becoming aware of the breach. This notification timeline is stricter than the 72-hour obligation owed by the Controller to the supervisory authority under Article 33 of the GDPR, in order to give the Controller adequate time to meet its own regulatory obligations. The notification shall include:
A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and personal data records concerned.
The name and contact details of the data protection officer or other contact point.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Assistance with Controller Obligations
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the GDPR (including access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such requests except on the Controller's instructions.
The Processor shall provide reasonable cooperation and assistance, taking into account the nature of the processing and the information available to the Processor.
In accordance with Article 28(3)(f) of the GDPR, the Processor shall provide the Controller with reasonable assistance in fulfilling its obligations under Articles 32 to 36 of the GDPR, including (i) ensuring the security of processing, (ii) notifying personal data breaches to the supervisory authority and to data subjects where applicable, and (iii) carrying out data protection impact assessments and prior consultations with the supervisory authority. Such assistance is provided taking into account the nature of the processing and the information available to the Processor.
9. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with at least 30 days' written notice, during normal business hours, and in a manner that minimises disruption to the Processor's operations. The costs of the audit shall be borne by the Controller. The Processor may satisfy audit requirements by providing relevant certifications, audit reports, or compliance attestations from independent third parties.
10. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), the parties incorporate by reference, as if set out in full, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (full text: SCC Module 2 PDF). The populated Annexes I, II, and III are available at SCC Annexes I/II/III PDF and form an integral part of this DPA.
The following SCC Modules apply:
Module Two (Controller-to-Processor): applies where the Customer acts as Controller and Black Cat Security acts as Processor.
Module Three (Processor-to-Processor): applies where the Customer itself acts as a Processor on behalf of its own customers and Black Cat Security acts as a Sub-processor.
For the purposes of the SCCs:
Clause 7 (optional docking clause) does not apply.
Clause 9(a): Option 2 (general written authorisation) applies, with the notice and objection periods set out in Section 5 of this DPA.
Clause 17 (governing law): the SCCs shall be governed by the laws of the French Republic.
Clause 18(b) (disputes): disputes arising under the SCCs shall be resolved before the courts of Paris, France.
In the event of any conflict between this DPA, the Terms of Service, and the SCCs, the order of precedence shall be: (1) Standard Contractual Clauses, (2) this DPA, (3) Terms of Service.
For transfers to the United States, the Processor primarily relies on the EU-US Data Privacy Framework (Cloudflare, Inc. and Functional Software, Inc. (Sentry) are DPF-certified) and uses the SCCs as a fallback should the relevant adequacy decision cease to apply. For transfers to the United Kingdom, the Processor relies on the UK adequacy decision (Commission Implementing Decision (EU) 2021/1772). The Processor has performed and documented Transfer Impact Assessments (TIAs) consistent with the EDPB Recommendations 01/2020.
11. Data Return and Deletion
Upon termination or expiry of the Terms of Service, the Processor shall, at the Controller's election, either return all personal data to the Controller or delete it. The Controller shall have a period of 30 days following termination to request the export of its data in a standard format (JSON or CSV).
After the 30-day export period, the Processor shall delete personal data according to the following timelines: (a) personal data in production systems shall be deleted within 60 days; (b) personal data in backup systems shall be isolated from further processing and deleted within 180 days. During the period between isolation and deletion, backup data shall be protected by the same security measures described in Section 6 and shall not be used for any purpose other than disaster recovery. These timelines apply except where longer retention is required by applicable law, in which case this DPA continues to apply to the retained data.
Upon the Controller's request, the Processor shall provide a written certificate of destruction confirming the deletion of all personal data, specifying the date of deletion and the categories of data deleted.
12. Duration and Termination
This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate upon the termination or expiry of the Terms of Service. The obligations of the Processor regarding data protection, security, and confidentiality shall survive termination for as long as the Processor retains any personal data of the Controller.
13. Annexes
The following annexes form an integral part of this DPA:
Annex A — Details of Processing: the categories of data processed, the Data Subjects concerned, and the purposes of processing are described in Section 4 of this DPA.
Annex B — Technical and Organisational Measures: the security measures implemented by the Processor are detailed in Section 6 of this DPA (subsections 6.1 through 6.8).
Annex C — Standard Contractual Clauses (EU 2021/914 Modules 2 and 3): incorporated by reference; full text at scc-module-2-2021-914.pdf and populated Annexes I/II/III at scc-annex-i-ii-iii.pdf. SCC parameters populated in Section 10 of this DPA.
Change history
2026-04-18 — Annexed EU 2021/914 Module 2 SCCs by reference with populated Annexes I/II/III; named DPF + UK adequacy mechanisms explicitly.
2026-04-18 — Sub-processor inventory expanded (Sentry, Ory) and canonical list published at /sub-processors.
2026-04-18 — Added DPIA / prior-consultation assistance clause (GDPR Art. 28(3)(f) / 32–36); §8 renamed to 'Assistance with Controller Obligations'.
2026-04-18 — Added explicit SCC fallback statement under sub-processor table.
2026-05-15 — Data deletion timelines specified: 60 days for production, 180 days for backups; added certificate of destruction clause (§11).
2026-05-15 — Added SCC Module 3 (Processor-to-Processor); populated SCC Clause 17 (French law) and Clause 18(b) (Paris courts); added order of precedence (§10).
2026-05-15 — Security measures restructured into formal Annex B with 8 sections: Access Control, Encryption, BC/DR, Change Control, Data Security, Governance, Personnel Security, Incident Response (§6).
2026-05-15 — Sub-processor objection clause now includes explicit pro-rata refund on termination (§5).
2026-05-15 — Breach notification tightened from 72 hours to 48 hours (§7).