Data Processing Agreement
01 Parties and scope
This DPA is entered into between the Customer ("Controller") and ctOS:BLADE ("Processor"). It applies to all processing of Customer Personal Data carried out by ctOS:BLADE in the course of providing the Services.
In the event of conflict, the order of precedence is: (1) a signed Customer-specific DPA, (2) this DPA, (3) the Terms of Service.
02 Definitions
Capitalised terms not defined here have the meaning given in the Terms of Service or in applicable data protection law (including the GDPR, UK GDPR, and equivalent frameworks in the GCC region).
| Term | Meaning |
|---|---|
| Customer Personal Data | Personal data processed by Processor on behalf of Controller in connection with the Services. |
| Data Protection Law | All laws and regulations applicable to the processing of Customer Personal Data, including GDPR, UK GDPR, and equivalent regional laws. |
| Data Subject | An identified or identifiable natural person whose data is part of Customer Personal Data. |
| Sub-processor | Any third party engaged by Processor to process Customer Personal Data on behalf of Controller. |
03 Roles and instructions
Controller determines the purposes and means of processing Customer Personal Data. Processor processes Customer Personal Data only on documented instructions from Controller, including as set out in the Terms, in this DPA, or as separately agreed in writing, except where required by law (in which case Processor will inform Controller unless prohibited).
Processor will ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and trained on data protection.
04 Security measures
Processor implements and maintains appropriate technical and organisational measures ("TOMs") designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current TOMs are described in Schedule 3.
Processor reviews TOMs at least annually and may update them, provided the overall level of security is not diminished.
05 Sub-processors
Controller authorises Processor to engage Sub-processors to process Customer Personal Data, subject to the conditions in this section.
- Processor will enter into a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those in this DPA.
- Processor remains liable to Controller for the acts and omissions of its Sub-processors.
- The current list of Sub-processors is in Schedule 2. Processor will give Controller at least 30 days' prior notice of any new Sub-processor. Controller may object on reasonable data protection grounds; if the parties cannot agree on a resolution, Controller may terminate the affected Services with a pro-rated refund.
06 International transfers
Where the processing of Customer Personal Data involves a transfer outside the jurisdiction of collection that requires additional safeguards (e.g. outside the EEA under GDPR), Processor will ensure such transfers are made under an appropriate transfer mechanism, including the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, or an equivalent mechanism recognised under applicable law.
For Sovereign-tier deployments, Controller may require processing to remain within a specific geography (including fully on-premises or air-gapped).
07 Data subject rights
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Law.
If a Data Subject contacts Processor directly, Processor will promptly forward the request to Controller and will not respond except to acknowledge receipt, unless instructed otherwise.
08 Personal data breaches
Processor will notify Controller without undue delay — and in any event within 48 hours — after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Contact point for further information
Where not all information is available at the initial notification, Processor will provide it in phases as it becomes available.
09 Audits
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, including summaries of independent audits and penetration-test reports (subject to confidentiality).
Controller may request an audit not more than once per 12-month period, on at least 30 days' prior written notice, during business hours, and in a manner that does not unreasonably disrupt Processor's operations. Audits may be conducted by Controller or a mutually agreed third-party auditor bound by confidentiality. Controller bears its own costs for audits except where the audit reveals material non-compliance.
10 Return or deletion
On termination of the Services, Processor will, at Controller's choice, return or delete all Customer Personal Data within 90 days, unless retention is required by applicable law. Processor will provide written certification of deletion on request.
11 Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to a Data Subject under Data Protection Law.
12 Schedules
Schedule 1 — Details of processing
| Item | Details |
|---|---|
| Subject matter | Provision of the ctOS:BLADE platform as described in the Terms. |
| Duration | The Subscription Term plus any retention period required for return / deletion. |
| Nature and purpose | Ingestion, normalisation, storage, analysis, and presentation of security findings and related operational data to enable Controller to manage its vulnerability remediation programme. |
| Categories of Data Subjects | Controller's personnel who use the platform; individuals whose personal data may appear within security findings (e.g. user IDs in affected systems). |
| Categories of Personal Data | Professional contact data, account credentials (hashed), user activity logs; incidental personal data present in security findings (e.g. usernames, IP addresses) depending on scanner configuration. |
| Special category data | None intended. Controller agrees not to submit special-category data except with prior written agreement. |
Schedule 2 — Sub-processors
| Provider | Service | Location |
|---|---|---|
| Cloudflare, Inc. | Edge network, DNS, DDoS protection, email routing | Global edge; US headquarters |
| Google LLC | Inbound email delivery to administrative inbox | US / EU |
For Sovereign-tier deployments, this list may be reduced or replaced by customer-managed infrastructure. A deployment-specific Schedule 2 will be agreed at contract signature.
Schedule 3 — Technical and organisational measures
- Encryption in transit — TLS 1.2 or higher for all platform traffic
- Encryption at rest — for tenant data stores and backups
- Access control — role-based access, least privilege, mandatory MFA for administrative access
- Network segmentation — tenant isolation, separation of production / staging / development environments
- Logging and monitoring — audit logs for privileged actions; centralised log retention; anomaly detection
- Personnel — confidentiality obligations, background checks where permitted, annual security training
- Secure development — code review, dependency scanning, static analysis, periodic penetration testing by independent third parties
- Incident response — documented runbooks, defined roles, tested annually
- Business continuity — regular backups, tested recovery procedures
- Physical security — inherited from sub-processor data centres with SOC 2 / ISO 27001 or equivalent attestations
A more detailed, per-control description is available to Customers under NDA.