Data Processing Addendum

Last updated: Pending finalization

Draft template — not yet legal advice. This document is a starting template provided for completeness. It must be reviewed, customized, and approved by qualified legal counsel before it is relied upon.

1. Scope and roles

This Data Processing Addendum ("DPA") forms part of the agreement between SecureAware ("Processor") and the customer organization ("Controller") for the SecureAware Service. It applies to the processing of personal data that the Controller submits to the Service about its employees and contractors ("Controller Personal Data").

2. Processing instructions

The Processor processes Controller Personal Data only on the documented instructions of the Controller, which include the configuration and use of the Service, and as required by applicable law. The Processor informs the Controller if, in its opinion, an instruction infringes GDPR, Law 18-07, or other applicable data protection law.

3. Confidentiality

The Processor ensures that personnel authorized to process Controller Personal Data are bound by appropriate confidentiality obligations.

4. Security measures

The Processor implements appropriate technical and organizational measures, including encryption in transit, encryption of sensitive secrets at rest, multi-tenant isolation, role-based access control, administrator two-factor authentication, session revocation on credential change, audit logging, and regular backups.

5. Sub-processors

The Controller authorizes the Processor to engage sub-processors (e.g. hosting, email delivery, payment processing) provided the Processor imposes data protection terms no less protective than this DPA and remains responsible for their performance. The Processor makes the current sub-processor list available and provides notice of intended changes.

6. Data subject requests

Taking into account the nature of the processing, the Processor assists the Controller by appropriate measures, insofar as possible, to fulfil the Controller's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). The Service provides erasure tooling that anonymizes an individual's records.

7. Personal data breach

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data, and provides information reasonably necessary for the Controller to meet its notification obligations (including GDPR's 72-hour timeline).

8. Audit

The Processor makes available information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, subject to reasonable confidentiality and security conditions.

9. Return and deletion

Upon termination of the Service, the Processor deletes or returns Controller Personal Data as instructed by the Controller, except where retention is required by law.

10. Annex — details of processing

  • Subject matter: provision of security awareness training and simulation services.
  • Duration: the term of the subscription, plus any legally required retention.
  • Nature and purpose: hosting, training delivery, simulation, analytics, and reporting.
  • Categories of data subjects: the Controller's employees and contractors.
  • Categories of personal data: identity and contact data, organizational data, training and simulation activity, technical/usage data.