
Data Processing Agreement

Cyber Horizon Intelligence Ltd

Effective Date: 6 June 2026

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service or other written agreement (the “Agreement”) between Cyber Horizon Intelligence Ltd (“Processor”, “we”, “us”) and the customer entity (“Controller”, “Customer”). It governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Cyber Horizon Intelligence platform (the “Service”). Where this DPA conflicts with the Agreement on the subject of data protection, this DPA prevails.

1. Definitions

  • Data Protection Laws: the UK GDPR, the EU GDPR (Regulation 2016/679), the Data Protection Act 2018, and any other applicable laws relating to the processing of Personal Data.
  • Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach: as defined in the Data Protection Laws.
  • Sub-processor: any third party engaged by the Processor to Process Personal Data on the Controller’s behalf.
  • Standard Contractual Clauses (SCCs): the clauses approved by the European Commission for transfers of Personal Data to third countries.
  • UK Addendum: the UK International Data Transfer Addendum to the SCCs issued by the ICO.

2. Roles and Scope

For the Personal Data Processed under the Service, the Customer is the Controller and Cyber Horizon Intelligence is the Processor. The Processor shall Process Personal Data only on the Controller’s documented instructions (including as set out in the Agreement and Annex I), unless required to do otherwise by law, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Laws.

3. Processor Obligations

  • Process Personal Data only for the purposes set out in Annex I and on documented instructions.
  • Ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.
  • Implement and maintain the technical and organisational measures set out in Annex II.
  • Assist the Controller, taking into account the nature of Processing, in fulfilling its obligations under the Data Protection Laws (including security, breach notification, data protection impact assessments, and responses to Data Subjects).
  • Make available to the Controller information necessary to demonstrate compliance with this DPA.

4. Security

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. A description of those measures is set out in Annex II. The Processor may update its measures from time to time provided that the updates do not materially reduce the overall level of security.

5. Sub-processing

The Controller grants the Processor general authorisation to engage Sub-processors, subject to this Section. The Sub-processors engaged as at the Effective Date are listed in Annex III. The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable to the Controller for the performance of each Sub-processor’s obligations. The Processor shall give the Controller prior notice of the addition or replacement of any Sub-processor, and the Controller may object on reasonable data protection grounds within fifteen (15) days; the parties shall then work in good faith to resolve the objection.

6. International Transfers

The Processor’s primary data store is located in the European Union. Certain Sub-processors (see Annex III) Process limited Personal Data in the United States or other third countries. Where Personal Data originating in the UK or EEA is transferred to a third country that is not subject to an adequacy decision, such transfers are made subject to appropriate safeguards, including the Standard Contractual Clauses and the UK Addendum, which are incorporated into this DPA by reference and completed by the parties as applicable. Where the parties are required to enter into the SCCs, the SCCs prevail over this DPA in the event of conflict in relation to such transfers.

7. Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). If the Processor receives a request directly from a Data Subject, it shall not respond other than to acknowledge receipt, and shall forward the request to the Controller without undue delay.

8. Personal Data Breach

The Processor shall notify the Controller without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification shall include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. The Processor shall cooperate with the Controller and take reasonable steps to mitigate the breach.

9. Audits

The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it. Such audits shall be on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality. The Processor may satisfy audit obligations by providing relevant third-party reports or certifications where available.

10. Return and Deletion

Upon termination of the Service, the Processor shall, at the Controller’s choice, delete or return all Personal Data and delete existing copies within ninety (90) days, unless the Data Protection Laws require continued storage, in which case the Processor shall protect the Personal Data and Process it only as required by law.

11. Liability and Precedence

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of conflict, the order of precedence is: (1) the SCCs (in respect of restricted transfers); (2) this DPA; (3) the Agreement.

12. Governing Law

This DPA is governed by the laws of England and Wales, without prejudice to the governing law and jurisdiction provisions of the SCCs where they apply.


Annex I — Details of Processing

  • Parties: Controller (the Customer) and Processor (Cyber Horizon Intelligence Ltd).
  • Subject matter: provision of the Cyber Horizon Intelligence governance, risk, compliance, and threat-intelligence platform.
  • Duration: the term of the Agreement, plus the return/deletion period in Section 10.
  • Nature and purpose: hosting, storage, organisation, structuring, retrieval, analysis, and deletion of Personal Data in order to provide and support the Service.
  • Categories of Data Subjects: the Customer’s personnel and authorised users; and individuals referenced within data the Customer uploads (for example vendor contacts, risk and control owners, and personnel named in records).
  • Categories of Personal Data: identifiers (names, business email addresses), authentication and account data, role and access data, technical identifiers (IP addresses, device and log data), and any Personal Data contained in content the Customer uploads to the Service.
  • Special categories: the Service is not intended for special-category data. The Customer should not upload special-category Personal Data unless separately agreed in writing.
  • Frequency: continuous, for the duration of the Agreement.

Annex II — Technical and Organisational Measures

  • Encryption: Personal Data is encrypted in transit using TLS, and at rest using AES-256 by the underlying managed infrastructure providers.
  • Access control: role-based access control (RBAC) on a least-privilege basis; multi-factor authentication and single sign-on (SAML/OIDC) are available to customers.
  • Tenant isolation: each customer organisation’s data is logically separated and scoped by a unique organisation identifier, enforced at the application layer and backed by database row-level security.
  • Infrastructure: the application and primary data store are hosted on established cloud providers (see Annex III), inheriting their physical, network, and platform security controls.
  • Logging and monitoring: audit logging of key actions and application error monitoring.
  • Secret management: credentials and secrets are held as server-side configuration and are not exposed in client code.
  • Vulnerability management: dependency monitoring and timely patching; a penetration-testing programme is being established.
  • Resilience and backups: automated, managed backups of the primary data store.
  • Incident response: documented procedures for detecting, responding to, and notifying Personal Data Breaches.
  • Certifications: the Processor is working towards SOC 2 and pursuing ISO 27001; these are not yet certified and should not be relied upon as completed certifications.

Annex III — Sub-processors

The following Sub-processors are engaged to deliver the Service. See our Sub-processors page for the maintained list.

Sub-processor   Purpose                                                       Region
Supabase        Managed Postgres database and primary data store              European Union
Vercel          Application hosting, compute, and content delivery            United States / global edge
Clerk           Authentication and user identity management                   United States
Anthropic       AI processing for assistant, analysis, and report features    United States
Resend          Transactional email delivery                                  United States
Stripe          Billing and payment processing                                United States / global
Sentry          Application error monitoring                                  United States / EU

Transfers to Sub-processors outside the UK/EEA are made under the Standard Contractual Clauses and UK Addendum (see Section 6).

Contact

Questions about this DPA or to exercise rights under it: dpo@cyberhorizon.co