Data Processing Addendum
Effective 2026-05-24. Need a countersigned PDF? Email us.
This Data Processing Addendum ("DPA") forms part of the agreement between Resolute Security ("Processor") and the customer ("Controller") for the provision of the Resolute Security platform ("Service"). It governs Processor's processing of personal data on behalf of Controller in accordance with applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as amended.
1. Definitions
Capitalized terms not otherwise defined here have the meanings given in the GDPR. "Data Protection Laws" means all laws applicable to the processing of personal data under this DPA. "Customer Personal Data" means personal data processed by Processor on behalf of Controller in connection with the Service.
2. Subject matter and duration
Processor processes Customer Personal Data only to provide and support the Service, for the duration of the underlying subscription, plus any retention period set out in the Privacy Policy or required by law.
3. Nature and purpose of processing
Processor processes Customer Personal Data to deliver email-security scanning, continuous domain monitoring, web-security tooling, compliance self-assessment workflows, vendor-questionnaire automation, security-awareness training, and related features ordered by Controller.
4. Categories of data subjects and personal data
See Annex I below.
5. Controller's obligations
- Controller is solely responsible for the lawfulness of the personal data it submits to the Service and for ensuring it has the necessary consents, notices, and legal bases for processing.
- Controller is responsible for configuring the Service in line with its own compliance obligations (e.g. retention settings, access controls, data exports).
6. Processor's obligations
Processor will:
- Process Customer Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required by law (in which case Processor will notify Controller unless prohibited).
- Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement the technical and organizational measures described in Annex II.
- Assist Controller, taking into account the nature of processing, with responding to data subject requests and with compliance with Articles 32-36 of the GDPR.
- Make available to Controller the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in §13.
7. Security
Processor implements the technical and organizational measures set out in Annex II to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
8. Personal data breach
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
9. Data subject rights
Processor will, to the extent legally permitted, promptly notify Controller of any request received from a data subject and will assist Controller in fulfilling its obligations to respond to such requests via the self-service tools available in the Service. Most rights can be exercised by the data subject through the data subject rights page.
10. Sub-processors
Controller authorizes Processor to engage the sub-processors listed at /sub-processors. Processor will:
- Enter into a written agreement with each sub-processor imposing data-protection obligations no less protective than those set out in this DPA.
- Remain liable to Controller for any sub-processor's performance.
- Give Controller at least 30 days' prior written notice of any new sub-processor or any replacement of an existing sub-processor; Controller may object in writing within that notice period.
11. International transfers
Customer Personal Data may be transferred to and processed in the United States and other jurisdictions where Processor or its sub-processors operate. Where required, the parties enter into the EU Standard Contractual Clauses (Module Two), the UK International Data Transfer Addendum, and equivalent mechanisms for transfers from the EEA, UK, and Switzerland to countries without an adequacy decision.
12. Return or deletion
On termination of the Service, Processor will, at Controller's choice, delete or return all Customer Personal Data within 30 days, unless retention is required by law. Controller may self-serve a complete data export from the in-app settings before termination.
13. Audits
Processor will make available to Controller, on reasonable request and no more than once per year (except as required by a supervisory authority), summary reports of its third-party security audits and answers to a reasonable security questionnaire. On-site audits may be conducted only if necessary to verify the foregoing and subject to mutually agreed scope and confidentiality.
14. CCPA addendum
For Customer Personal Data subject to the CCPA, Processor acts as a "Service Provider" (as defined in the CCPA) and will not retain, use, or disclose such data for any purpose other than performing the Service, or as otherwise permitted by the CCPA.
15. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the underlying agreement.
Annex I — Data processing details
- Data subjects: Controller's end users, employees, contractors, and the third-party contacts (vendors, prospects, recipients of phishing simulations) that Controller submits to the Service.
- Categories of personal data: name, email address, organization affiliation, authentication identifiers (hashed passwords, MFA secrets, OAuth ids), session metadata (IP address, user agent), billing contact data, compliance-evidence content uploaded by Controller, and content submitted to scanning / training / vendor features.
- Special categories: none collected by default. Controller is responsible for not uploading special-category data (Art. 9 GDPR) into free-form fields unless contractually agreed.
- Frequency: continuous for the duration of the Service.
- Retention: as set out in the Privacy Policy and the in-app retention controls.
Annex II — Technical and organizational measures
- Access control: SSO + MFA for all production access; least-privilege roles in code and infra; quarterly access reviews.
- Encryption: TLS 1.2+ in transit; AES-256 at rest (managed by Neon, Fly, and Upstash); secrets stored in Fly Secrets or env-managed vaults.
- Network: Cloudflare DDoS + WAF; application-layer rate limits; no public database endpoints.
- Tenant isolation: every customer record is scoped by organizationId at the schema level; row-level multi-tenancy enforced in code and audit-logged.
- Backups + recovery: daily Postgres snapshots; point-in-time recovery; documented restore runbook.
- Vulnerability management: dependency auditing on every CI run; Snyk + Dependabot for known vulnerabilities; security patches deployed within published SLAs.
- Logging + monitoring: append-only audit log of all configuration changes; Sentry for application errors; central application logs retained 30 days.
- Incident response: published security policy at SECURITY.md; 72-hour breach notification commitment.
- Personnel: all personnel sign a confidentiality agreement; background checks for production-access roles; annual security training.
- Vendor management: sub-processors listed publicly at /sub-processors; each bound by a DPA no less protective than this one.
Contact
Data Protection Officer / Privacy contact: privacy@resolute-security.com.