
Data Processing Addendum

GDPR Article 28 Data Processing Addendum between CybeDefend SAS (Processor) and the Customer (Controller). Auto-incorporated into our Terms of Use; counter-signed copies on request.


This Data Processing Addendum ("DPA") forms part of the agreement between CYBEDEFEND SAS ("Processor") and the customer entity that subscribes to the Services ("Controller"). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the use of the CybeDefend Services.

Preamble

The Parties wish to establish the terms under which the Processor processes personal data on behalf of the Controller in compliance with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the UK Data Protection Act 2018 ("UK GDPR") and the Swiss Federal Act on Data Protection ("FADP").

1. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the GDPR or in the Order Form. For clarity:

  • "Customer Personal Data" means personal data submitted to the Services by or on behalf of the Controller, including personal data contained within Customer Code, repository metadata, user accounts, audit logs and configuration.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission Decision 2021/914 of 4 June 2021.

2. Scope and roles of the Parties

The Controller acts as data controller and the Processor acts as data processor with respect to Customer Personal Data. Where the Controller acts itself as a processor for an underlying client, the Processor will act as a sub-processor. The processing activities are described in Annex 1.

3. Processor instructions

The Processor processes Customer Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. The Order Form, the Documentation, the Privacy Policy and this DPA constitute the Controller's complete and final instructions to the Processor at the date of execution. Additional instructions outside the scope of these documents require prior written agreement between the Parties.

The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

4. Confidentiality

The Processor shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality, are appropriately trained, and process Customer Personal Data only in accordance with the Controller's instructions. The Processor maintains an internal access policy under which only employees with a need-to-know may access Customer Personal Data.

5. Security measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A current description of those measures is included as Annex 2 to this DPA and updated on the Security page. The Controller acknowledges that the security measures are subject to technical progress and development; the Processor may update them provided that the level of protection is not materially decreased.

6. Sub-processors

The Controller provides general written authorisation for the Processor to engage Sub-processors. A current list of Sub-processors is published at /legal/subprocessors.

The Processor:

  • imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA;
  • remains fully liable to the Controller for the performance of each Sub-processor's obligations;
  • gives the Controller 30 days' prior written notice (via the Sub-processors page or by email to enterprise customers) of any intended change concerning the addition or replacement of Sub-processors.

The Controller may object to a new Sub-processor on legitimate data protection grounds. If the Parties cannot reach a resolution, the Controller may terminate the affected portion of the Services without penalty.

7. Data subject rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under the GDPR (access, rectification, erasure, restriction, portability, objection). Standard self-service tools are available in the Controller's account dashboard.

8. Personal data breaches

The Processor shall notify the Controller of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours after becoming aware of it. Notification will include, to the extent then known, the nature of the breach, categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

The Processor shall reasonably assist the Controller in fulfilling its own breach-notification obligations under Articles 33-34 GDPR.

9. International data transfers

Where the Processor (or a Sub-processor) transfers Customer Personal Data outside the European Economic Area to a country not benefiting from an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two, Controller-to-Processor, or Module Three, Processor-to-Sub-processor, as applicable), incorporated by reference into this DPA.

The Processor will conduct Transfer Impact Assessments in line with EDPB recommendation 01/2020 and supplement the SCCs with additional safeguards where required (encryption in transit and at rest, pseudonymisation, minimisation). A copy of the most recent TIA is available on request.

10. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA, in particular the most recent SOC 2 Type II report, ISO 27001 certificate (where in scope) and the current Sub-processor list.

The Controller may, once per twelve-month period, conduct an audit (or commission an independent third party bound by confidentiality to do so) at its own expense, on 30 days' written notice and during business hours, in a manner that does not unreasonably interfere with the Processor's normal operations. The Controller bears the cost of audits beyond review of standard documentation.

11. Return and deletion of Customer Personal Data

Upon termination of the Services, the Processor will, at the Controller's choice, delete or return all Customer Personal Data to the Controller and delete existing copies, unless Union or Member State law requires storage. Backups containing Customer Personal Data are deleted on the standard backup-rotation cycle, which is 30 days for our EU region.

12. Term and termination

This DPA enters into force on the effective date of the Order Form and remains in force for as long as the Processor processes Customer Personal Data on behalf of the Controller.

13. Liability

The liability of each Party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use, regardless of the legal basis on which the claim is brought.

14. Governing law

This DPA is governed by French law. Disputes are subject to the non-exclusive jurisdiction of the courts of Lille (France), without prejudice to any mandatory rules of the data subject's country of habitual residence.


Annex 1: Description of the Processing

Subject matter

Provision of the CybeDefend MCP-native Application Security Testing platform, including SAST, SCA, IaC scanning, container security, secret detection and AI-powered analysis & remediation.

Duration

For the term of the Order Form between the Parties.

Nature and purpose

The Processor processes Customer Personal Data for the purpose of:

  • providing the Services as described in the Order Form and the Documentation;
  • performing security analysis on Customer Code submitted by the Controller;
  • producing remediation suggestions and verified patches;
  • providing user account, billing, support and audit-log functionality.

Categories of data subjects

  • The Controller's users (developers, security engineers, administrators);
  • Individuals identifiable from data submitted within Customer Code (committers, code reviewers, internal user identifiers);
  • Individuals identifiable from configuration or access-control metadata.

Categories of personal data

  • Identification data: name, email address, username, profile picture, role.
  • Authentication data: hashed passwords, OAuth tokens, session identifiers, IP address, device identifiers.
  • Account and billing data: billing address, VAT number, subscription details (no full PAN is stored; card numbers are held by Stripe).
  • Usage data: log files, audit trails, in-product activity.
  • Customer Code metadata: file paths, commit identifiers, repository URLs, contributor identifiers.
  • Customer Code content as ingested for security analysis (which may incidentally contain identifiers, depending on what the Controller submits).

Special categories of data

The Services are not designed to process special-category data. The Controller undertakes not to submit special-category personal data to the Services and acknowledges that the Processor relies on this undertaking when configuring controls.

Recipients

Sub-processors as listed in Annex 3 and at /legal/subprocessors.


Annex 2: Technical and Organisational Measures (TOMs)

A current and detailed description is published at /security. Headline controls:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest, secret manager with hardware-backed keys.
  • Access control: SSO + hardware MFA for the team, just-in-time production access, least-privilege per service, customer-side SSO (SAML/OIDC) and SCIM on Enterprise.
  • Network security: segmented VPCs, default-deny network policies, mTLS between internal services, WAF on public endpoints.
  • Operational security: annual third-party penetration test, continuous internal security review of every deployment, 24×7 monitoring with paging on anomalies.
  • Resilience: daily backups with 30-day retention (EU region), disaster-recovery procedures, multi-AZ deployments.
  • AI-specific guardrails: no model training on Customer Personal Data, zero-retention contracts with AI providers, per-tenant scopes, sandboxed prompts.

Annex 3: Sub-processors

The current list of named Sub-processors, including the entity, the data processed, the purpose, and the location of processing, is published at /legal/subprocessors and incorporated by reference. The Processor will notify the Controller of any material change at least 30 days in advance.

Contact

Need a signed copy of the DPA?
