Data Processing Agreement (DPA)

For Enterprise Customers Only

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CyberSecFeed ("Processor") and Customer ("Controller") for the provision of the CyberSecFeed API Service.

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on Personal Data
  • "Data Subject": The individual to whom Personal Data relates
  • "Subprocessor": Any third party engaged by Processor to process Personal Data

2. Processing of Personal Data

2.1 Scope and Roles

  • Customer is the Data Controller
  • CyberSecFeed is the Data Processor
  • Processing is limited to providing the API Service as described in the Terms of Service

2.2 Customer Instructions

Processor shall process Personal Data only on documented instructions from Customer, unless required by law.

2.3 Duration

Processing shall continue for the duration of the Service agreement.

3. Processor Obligations

3.1 Confidentiality

Processor ensures all personnel authorized to process Personal Data are bound by confidentiality obligations.

3.2 Security Measures

Processor implements appropriate technical and organizational measures, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures

3.3 Subprocessors

Current approved subprocessors:

  • Cloudflare (Infrastructure)
  • Stripe (Payment processing - no CVE data access)
  • Postmark (Email delivery - limited to email addresses)

Customer consents to these subprocessors. Processor will notify Customer of any changes.

3.4 Data Subject Rights

Processor will assist Customer in responding to data subject requests, considering the nature of processing and available information.

3.5 Data Breach Notification

Processor will notify Customer without undue delay (within 72 hours) after becoming aware of a Personal Data breach.

4. International Transfers

4.1 Transfer Mechanisms

For transfers outside the EEA, parties rely on:

  • Standard Contractual Clauses (available upon request)
  • Appropriate safeguards per GDPR Article 46

4.2 Data Transfer Impact Assessment

Processor maintains assessments of data transfer risks and implements supplementary measures as needed.

5. Audit Rights

5.1 Information and Audit

Processor will make available information necessary to demonstrate compliance and allow for audits by Customer or appointed auditor.

5.2 Audit Conditions

  • Reasonable notice required (minimum 30 days)
  • During normal business hours
  • Subject to confidentiality agreements
  • Customer bears audit costs

6. Data Return and Deletion

Upon termination:

  • Customer data is automatically deleted per Privacy Policy
  • No data retention beyond active subscription period
  • Deletion is immediate and permanent

7. Liability

Liability is governed by the limitation of liability provisions in the Terms of Service.

8. Governing Law

This DPA is governed by the same law as the Terms of Service.


Note: This is a template. Enterprise customers should contact [email protected] to execute a customized DPA for their specific needs.