
Data Processing Agreement

Our commitment to GDPR compliance and data protection

Version: 1.0
Effective Date: 25 January 2026

Agreement Overview

This Data Processing Agreement ("DPA") forms part of the service agreement between the Controller (you) and Cyber Security Stack Ltd (the "Processor"). This DPA reflects the parties' commitment to comply with applicable data protection laws, including the UK GDPR and EU GDPR.

The terms of this DPA apply when Cyber Security Stack processes Personal Data on behalf of the Controller in the course of providing cybersecurity services, including the Resonance Protocol and MBDR technology.

Definitions and Interpretation

  • 'Controller' means the entity that determines the purposes and means of processing Personal Data.

  • 'Processor' means Cyber Security Stack Ltd, which processes Personal Data on behalf of the Controller.

  • 'Personal Data' means any information relating to an identified or identifiable natural person.

  • 'Processing' means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

  • 'Data Subject' means the individual to whom Personal Data relates.

  • 'GDPR' means the UK General Data Protection Regulation and EU General Data Protection Regulation (EU) 2016/679.

Scope and Nature of Processing

  • Cyber Security Stack processes Personal Data as a Processor on behalf of the Controller for the purpose of providing cybersecurity services.

  • The types of Personal Data processed include: user credentials, IP addresses, system logs, security event data, and operational metadata.

  • Processing activities include: collection, storage, analysis, encryption, pseudonymization, and deletion of security-related data.

  • The duration of processing extends throughout the term of the service agreement and for any legally required retention period thereafter.

  • Data Subjects include employees, contractors, and authorized users of the Controller's systems.

Processor Obligations

  • We process Personal Data only on documented instructions from the Controller, unless required by applicable law.

  • We ensure that persons authorized to process Personal Data have committed to confidentiality or are under appropriate statutory obligations.

  • We implement appropriate technical and organizational measures to ensure security of Personal Data.

  • We assist the Controller in responding to Data Subject requests and meeting GDPR compliance obligations.

  • We delete or return all Personal Data to the Controller at the end of services, unless retention is required by law.

  • We make available all information necessary to demonstrate compliance and allow for audits.

Security Measures

  • Encryption of Personal Data both in transit (TLS 1.3) and at rest (AES-256).

  • Implementation of pseudonymization and data minimization techniques.

  • Regular security assessments, penetration testing, and vulnerability scanning.

  • Access controls based on the principle of least privilege and role-based access.

  • Multi-factor authentication for all administrative access.

  • Continuous monitoring, logging, and audit trails of all data processing activities.

  • Incident response procedures and regular security training for personnel.

  • Regular backups with encrypted storage and tested recovery procedures.

Sub-Processing

  • We may engage sub-processors to assist in providing services, subject to the same data protection obligations.

  • Current sub-processors include: cloud infrastructure providers (AWS, Azure), analytics services, and security monitoring tools.

  • We maintain a current list of sub-processors available upon request.

  • The Controller grants general authorization for engagement of sub-processors, subject to notification.

  • We notify the Controller of any intended changes concerning addition or replacement of sub-processors.

  • The Controller may object to such changes on reasonable grounds within 30 days of notification.

  • We remain fully liable to the Controller for performance of sub-processor obligations.

International Data Transfers

  • Personal Data may be transferred to countries outside the UK and EEA as necessary for service provision.

  • All international transfers are subject to appropriate safeguards as required by GDPR.

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers.

  • Additional measures include encryption, access controls, and contractual commitments from recipients.

  • We maintain records of all international data transfers and transfer mechanisms.

  • In case of government data access requests, we notify the Controller unless legally prohibited.

Data Breach Notification

  • We notify the Controller without undue delay upon becoming aware of a Personal Data breach.

  • Notification is provided within 24 hours of discovery, or as soon as reasonably practicable.

  • Breach notifications include: nature of breach, categories and approximate numbers affected, likely consequences, and measures taken.

  • We cooperate with the Controller in investigating and remediating any breach.

  • We provide reasonable assistance to the Controller in notifying supervisory authorities and Data Subjects as required.

  • We maintain detailed documentation of all data breaches, including facts, effects, and remedial actions.

Data Subject Rights

  • We assist the Controller in fulfilling Data Subject requests for access, rectification, erasure, and data portability.

  • We implement technical measures to facilitate Data Subject rights, including data export capabilities.

  • We respond to Controller requests regarding Data Subject rights within 10 business days.

  • We maintain records of all Data Subject requests and responses.

  • We provide necessary information and tools to enable the Controller to comply with rights requests.

  • In cases where requests are made directly to us, we promptly forward them to the Controller.

Audit Rights and Compliance

The Controller has the right to conduct audits and inspections to verify compliance with this DPA, subject to reasonable notice and confidentiality obligations.

We maintain third-party security certifications including ISO 27001 and SOC 2 Type II, and make audit reports available upon request.

We undergo regular independent security assessments and penetration testing, with results available to Controllers under appropriate confidentiality agreements.

Governing Law and Dispute Resolution

This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

This DPA shall remain in effect for the duration of the service agreement and any period during which we process Personal Data on behalf of the Controller.

Questions about our Data Processing Agreement or GDPR compliance?

Contact Our Data Protection Officer