This Data Processing Agreement ("DPA") forms part of the Terms of Service between NegevSecure, Inc. ("Processor," "we," "us") and the customer ("Controller," "you") and governs the processing of personal data by NegevSecure on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant legislation.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
This DPA applies to the processing of Personal Data by NegevSecure in connection with providing security testing services, including vulnerability scanning, penetration testing, and related security assessments.
2.2 Nature and Purpose of Processing
NegevSecure will process Personal Data solely for the purpose of providing the Services as described in the Terms of Service, which may include:
- Scanning and analyzing target systems for security vulnerabilities
- Storing scan results, findings, and evidence
- Generating security reports and documentation
- Providing customer support and technical assistance
2.3 Duration of Processing
Processing will continue for the duration of the service agreement plus any retention period required by applicable laws or as specified in your subscription plan.
2.4 Categories of Data Subjects
Personal Data processed may relate to:
- Controller's employees and contractors
- Controller's customers and end users
- Any individuals whose data may be present in scanned systems
2.5 Types of Personal Data
Personal Data processed may include:
- Names and contact information
- Login credentials (hashed/encrypted)
- IP addresses and device information
- Any data exposed through vulnerability testing
- Technical logs and access records
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Inform the Controller if any instruction is considered unlawful
- Not process Personal Data for any purpose other than providing the Services
3.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data:
- Have committed to confidentiality or are under a statutory obligation of confidentiality
- Process Personal Data only as instructed
- Receive appropriate training on data protection
3.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit and at rest (AES-256, TLS 1.3)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Physical security controls for data centers
- Employee security training programs
- Incident response procedures
- Business continuity and disaster recovery plans
3.4 Sub-processors
The Processor may engage Sub-processors subject to the following conditions:
- The Controller grants general authorization for the use of Sub-processors
- The Processor maintains a list of current Sub-processors
- The Processor will notify the Controller of any intended changes 30 days in advance
- Sub-processors must be bound by data protection obligations no less protective than this DPA
3.5 Current Sub-processors
The following Sub-processors are currently authorized:
- Amazon Web Services (AWS): Cloud infrastructure - USA/EU
- MongoDB Atlas: Database hosting - USA/EU
- Stripe: Payment processing - USA
- Intercom: Customer support - USA
- SendGrid: Email delivery - USA
4. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for providing Personal Data to the Processor
- Provide clear written instructions regarding Processing
- Ensure data subjects are informed of the Processing
- Respond to data subject requests in a timely manner
- Notify the Processor of any changes affecting Processing
5. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of Processing
- Data portability
- Objection to Processing
The Processor will notify the Controller promptly of any data subject request received directly.
6. Security Incidents
6.1 Notification
The Processor shall notify the Controller of any Security Incident without undue delay and no later than 48 hours after becoming aware of the incident.
6.2 Incident Response
The notification shall include:
- Description of the nature of the incident
- Categories and approximate number of data subjects affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
6.3 Cooperation
The Processor shall cooperate with the Controller and provide all necessary assistance to fulfill any notification obligations to supervisory authorities or data subjects.
7. International Transfers
For transfers of Personal Data outside the EEA, the Processor shall ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Processing only in countries with adequacy decisions
- Supplementary measures as required by applicable law
8. Audits and Compliance
8.1 Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to:
- Reasonable advance notice (minimum 30 days)
- Execution of appropriate confidentiality agreements
- Limitation to once per year (unless required by regulators)
8.2 Certifications
The Processor maintains the following certifications, which the Controller may rely upon as evidence of compliance:
9. Return and Deletion of Data
Upon termination of the Services:
- The Processor shall return all Personal Data to the Controller upon request
- The Processor shall delete all Personal Data within 90 days unless retention is required by law
- The Processor shall provide written certification of deletion upon request
10. Liability
Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service. Each party shall be liable for damages caused by its breach of this DPA or applicable Data Protection Laws.
11. Term and Termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. The provisions regarding confidentiality, data return/deletion, and liability shall survive termination.
12. Contact Information
For questions about this DPA or data protection matters:
13. Amendments
This DPA may be amended to reflect changes in Data Protection Laws or processing activities. Material changes will be communicated to the Controller with at least 30 days' notice.