Data Processing Agreement

GDPR-Compliant DPA for Enterprise Customers

Last updated: October 9, 2025

📄 Download DPA Template

Overview

This Data Processing Agreement ("DPA") governs the processing of personal data by DfenAI on behalf of our enterprise customers. It forms part of the DfenAI Terms of Service and ensures compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

The DPA incorporates the EU Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914 and provides comprehensive data protection safeguards for international data transfers.

📋 For Enterprise Customers: Download the full DPA template above to execute with your legal team. Contact legal@dfen.ai for executed copies or customization requests.

1. Key Definitions

Controller: Your organization (the Customer), which determines the purposes and means of processing personal data.

Processor: DfenAI, who processes personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR.

Sub-processor: Third parties appointed by DfenAI to process personal data on behalf of the Controller.

2. Scope and Purpose of Processing

Nature of Processing

DfenAI processes personal data to provide cybersecurity threat intelligence services, including:

  • Threat intelligence monitoring across 15+ layers (dark web, Telegram, phishing detection)
  • Domain security analysis and brand protection monitoring
  • AI-powered threat analysis with MITRE ATT&CK mapping
  • Team collaboration and organization management features
  • Executive reporting and threat intelligence dashboards

Categories of Data Subjects

  • Customer employees, contractors, and authorized users
  • Organization members and team collaborators
  • Individuals mentioned in threat intelligence data (e.g., leaked credentials)
  • Technical contacts in domain registration records (WHOIS)

Types of Personal Data

  • Account Data: Email, name, job title, phone, organization name, authentication credentials
  • Usage Data: IP addresses, browser/device info, session data, API logs
  • Threat Data: Breach emails, WHOIS data, phishing detections, dark web mentions
  • Organization Data: Team member lists, roles, organization profile information

3. Security Measures

DfenAI implements comprehensive technical and organizational measures to ensure data security:

Technical Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication (MFA) for all users
  • JWT token authentication with short expiration times
  • Automated vulnerability scanning and security assessments
  • Intrusion detection and prevention systems
  • Regular security patches and updates

Organizational Security

  • Role-based access control (RBAC) with least privilege principle
  • Employee security awareness training
  • Incident response procedures and 72-hour breach notification
  • Secure software development lifecycle (SDLC)
  • Regular security audits and compliance reviews
  • Vendor security assessment program

4. Sub-processors

DfenAI engages the following sub-processors with equivalent data protection obligations:

Sub-processor         | Purpose                          | Location
----------------------|----------------------------------|--------------
Amazon Web Services   | Infrastructure hosting, database | EU / US
Mailgun               | Transactional emails             | EU (Ireland)
Stripe                | Payment processing               | EU / US
Cloudflare            | CDN, DDoS protection             | Global

📢 Sub-processor Changes: Customers will be notified 30 days in advance of any changes to sub-processors. You may object on reasonable data protection grounds within this period.

For detailed sub-processor information including DPAs and safeguards, see Sub-processors List.

5. International Data Transfers

DfenAI may transfer personal data to countries outside the European Economic Area (EEA) where sub-processors are located. We ensure appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs): Module Two (Controller-to-Processor) from Commission Implementing Decision 2021/914
  • Data Processing Agreements: All sub-processors execute DPAs with equivalent GDPR protections
  • Technical Safeguards: Encryption in transit and at rest, access controls, monitoring
  • Adequacy Decisions: Where applicable (e.g., the UK and Switzerland adequacy decisions)

In the event of government access requests, DfenAI will challenge unlawful requests and notify customers unless legally prohibited.

6. Data Subject Rights Support

DfenAI provides technical capabilities to assist customers in fulfilling data subject rights:

  • Right of Access: Self-service data export in JSON format via API
  • Right to Rectification: User profile editing in dashboard and via API
  • Right to Erasure: Account deletion feature with 30-day hard deletion
  • Right to Data Portability: Machine-readable data export (JSON)
  • Right to Object: Marketing opt-out, notification preferences, AI processing opt-out

Response Time: DfenAI aims to respond to data subject requests within 10 business days (up to 30 days for complex requests).

7. Data Breach Notification

DfenAI shall notify customers without undue delay (within 72 hours) after becoming aware of a personal data breach. The notification will include:

  • Description of the breach nature and scope
  • Categories and approximate number of affected data subjects
  • Contact details of Data Protection Officer or contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Audit Rights

Customers may request compliance documentation and audits to verify DfenAI's adherence to this DPA:

  • Annual compliance attestations (SOC 2, ISO 27001 when available)
  • Security questionnaire responses
  • On-site or remote audits (upon reasonable notice, max once/year, at customer expense)

Contact legal@dfen.ai to request audit documentation or schedule an audit.

9. Data Retention and Deletion

DfenAI retains personal data only as long as necessary to provide services or as required by law:

  • Active subscription: Data retained for service provision
  • After termination: Data deleted or returned within 30 days (customer choice)
  • Legal retention: Compliance with tax, financial, and regulatory requirements
  • Backups: Deleted on next backup rotation cycle

Upon request, DfenAI will provide written certification of data deletion.

10. Contact Information

For questions about this DPA or data protection inquiries:

Data Protection Officer: dpo@dfen.ai

Legal Inquiries: legal@dfen.ai

Website: https://dfen.ai

Company: DfenAI ApS (Denmark)

📄 Execute DPA: Download the template above and contact legal@dfen.ai to execute a signed DPA for your organization. Typically completed within 5 business days.