Data Processing Agreement (DPA)
SecurityPassport
Last updated: June 3, 2026
This Data Processing Agreement ("Agreement") forms part of the Terms of Service between:
Customer — the organization using the SecurityPassport service, acting as the Data Controller
and
SecurityPassport — provider of the SecurityPassport platform, acting as the Data Processor.
This Agreement governs the processing of personal data in connection with the SecurityPassport service and is intended to comply with the requirements of the General Data Protection Regulation (GDPR).
- Definitions
For the purposes of this Agreement:
Controller: The entity that determines the purposes and means of processing personal data.
Processor: The entity that processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data including collection, storage, retrieval, use, disclosure, or deletion.
Service: The SecurityPassport SaaS platform provided by the Processor.
- Scope of Processing
The Processor processes personal data solely for the purpose of providing the SecurityPassport service to the Customer.
Processing activities may include:
hosting customer data
storing evidence files and associated metadata
managing user authentication
generating compliance exports
maintaining system logs and audit records
enabling controlled sharing of materials
The Processor shall not process personal data for any other purpose except where required by applicable law.
- Duration of Processing
Processing shall continue for the duration of the service agreement between the Customer and the Processor.
Upon termination of the service:
the Customer may export its data, and
the Processor will delete or return personal data within a reasonable period unless retention is required by law.
- Nature and Purpose of Processing
The nature of processing includes:
storage
organization
retrieval
transmission
deletion
The purpose of processing is to enable customers to:
manage compliance evidence
maintain audit documentation
securely share evidence with third parties
generate compliance exports
- Categories of Personal Data
Depending on customer use of the platform, personal data may include:
Account data:
names
email addresses
workspace roles
Authentication data:
login timestamps
authentication tokens
password hashes
Operational data:
audit logs
activity records
IP addresses
Customer-uploaded data:
documents
reports
screenshots
compliance materials
The Customer determines which data is uploaded to the platform.
- Categories of Data Subjects
Data subjects may include:
employees of the Customer
authorized platform users
individuals referenced in compliance documentation
external auditors or reviewers receiving shared materials
- Processor Obligations
The Processor agrees to:
Process personal data only on documented instructions from the Customer.
Ensure that personnel with access to personal data are subject to confidentiality obligations.
Implement appropriate technical and organizational security measures.
Assist the Customer in fulfilling data protection obligations where reasonably required.
Notify the Customer of any confirmed personal data breach without undue delay.
Ensure subprocessors meet equivalent data protection requirements.
- Security Measures
The Processor maintains technical and organizational safeguards designed to protect personal data, including:
encrypted communications using TLS
secure password hashing
role-based access control
system audit logging
infrastructure monitoring
restricted production access
security patch management
These measures are periodically reviewed and improved.
- Subprocessors
The Processor may engage third-party subprocessors to provide infrastructure and operational services, including:
cloud infrastructure providers
object storage providers
monitoring and logging platforms
email delivery providers
payment processors
All subprocessors are bound by contractual data protection obligations.
The Processor remains responsible for subprocessors’ compliance with this Agreement.
- International Data Transfers
Where personal data is transferred outside the European Economic Area, appropriate safeguards will be applied, including:
Standard Contractual Clauses approved by the European Commission
transfers to jurisdictions with adequacy decisions
additional safeguards where necessary
- Data Subject Rights
The Processor will assist the Customer, where reasonably possible, in responding to requests related to:
access
rectification
deletion
restriction of processing
data portability
objection to processing
The Customer remains responsible for handling such requests.
- Personal Data Breach
In the event of a confirmed personal data breach affecting Customer data, the Processor will:
notify the Customer without undue delay
provide relevant information about the incident
assist with mitigation and investigation where appropriate
- Data Deletion and Return
Upon termination of the service, the Customer may export its data.
After a reasonable period, the Processor will delete stored personal data unless retention is required by law or necessary for legitimate security purposes.
- Audit and Compliance
The Processor will provide reasonable information necessary to demonstrate compliance with this Agreement.
Formal audits must be reasonable in scope and subject to confidentiality obligations.
- Governing Law
This Agreement shall be governed by the same law and jurisdiction specified in the SecurityPassport Terms of Service.