Data Processing Addendum

Effective Date: 9/8/2025 | Compliant with GDPR Article 28

Article 1 - Definitions

"Security Incident" means any confirmed:

  • Unauthorized access to Customer Data exceeding 50 records
  • Modification of Customer Data without a corresponding audit trail
  • Data exfiltration attempt detected and confirmed through IDS/IPS alerts
  • Ransomware encryption event impacting the integrity of Customer Data

"Customer Data" refers to all security event logs, threat intelligence feeds, and forensic artifacts processed through our SIEM platform, excluding aggregated metadata used for service optimization.

Article 2 - Technical & Organizational Measures

Encryption Standards

  • AES-256-GCM encryption for data at rest (FIPS 140-2 Level 3 validated modules)
  • TLS 1.3 for data in transit (ephemeral X25519 key exchange, providing forward secrecy)
  • HSM-backed key management (AWS CloudHSM) with 90-day rotation

Access Controls

  • RBAC with JIT provisioning and MFA enforcement
  • Privileged Access Workstations (PAWs) for admin operations
  • Session keys established with a quantum-resistant key encapsulation mechanism (CRYSTALS-Kyber, standardized as ML-KEM in FIPS 203)

Infrastructure Security

  • VPC architecture with zero-trust segmentation
  • Runtime application self-protection (RASP) integration
  • Weekly vulnerability scans + quarterly pen tests by CREST-certified teams

Article 3 - Audit & Compliance

Customers may request audits through our compliance portal, subject to:

  • 30-day advance notice for scheduled reviews
  • NDA execution with third-party auditors
  • Maximum audit duration of 14 consecutive days

Available audit artifacts include:

  • SOC 2 Type II reports (annual)
  • Penetration test results (quarterly)
  • Certificate of Destruction for retired media

Article 4 - International Data Transfers

  • EU-US transfers protected by SCCs (2021/914)
  • UK International Data Transfer Addendum to the EU SCCs for transfers of UK personal data not covered by an adequacy decision
  • APAC data localization through Singapore & Sydney regions

Transfer Impact Assessments available upon request (Article 46 GDPR)

Article 5 - Breach Notification

Security Incidents triggering notification:

  • Potential compromise of ≥100 user accounts
  • Exposure of sensitive detection rulesets
  • Unauthorized access to production key material

Notification timeline:

  • Initial alert within 1 hour of incident classification
  • Detailed report within 72 hours (MITRE ATT&CK mapped)

Article 6 - Subprocessing

Authorized subprocessors include:

  • AWS (Global Infrastructure)
  • Auth0 (Enterprise Authentication)
  • Snowflake (Analytics Processing)

Subprocessor changes require 45-day advance notice to the Customer's registered notification email address.

Certifications

ISO 27001:2022

Certificate #: CMS-2024-7890

SOC 2 Type II

Period: Q1 2024