ThreatPrevent

Data Processing Information

This page explains how ThreatPrevent (“we”, “us”) processes personal data for our B2B services and our obligations under the GDPR and other applicable data‑protection laws.

1. Controller and processor roles

  • Where you (our customer) provide us with personal data of your employees, customers, or other individuals, you are typically the data controller and we are the data processor.
  • In other contexts, for example when you use our website or contact us, we may be the data controller for the personal data you provide.

In both cases we comply with GDPR‑style principles: lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and security.

2. Scope and purpose of processing

When acting as a data processor for you, we process personal data:

  • To provide and support the contracted services.
  • To maintain and secure the systems you use.
  • To enable reporting, analytics, and administration features.
  • To comply with contractual obligations and legal requirements (e.g., security incidents, audits).

The subject matter, duration, nature, and purpose of this processing are defined in your service agreement or data‑processing agreement (DPA) with us.

3. Categories of data and data subjects

Typical categories of personal data we may process on your behalf include:

  • Identity and contact information (e.g., name, email, phone).
  • Account and role information (e.g., username, role, department).
  • Service‑related usage data (e.g., access logs, activity within the platform).

Data subjects may include your employees, customers, partners, or other individuals whose data you submit to our systems.

4. Legal basis and instructions

  • As a processor, we only process personal data on your documented instructions (e.g., via the service agreement, DPA, or admin settings).
  • Where you are the controller, the legal basis for processing is determined by you; we act under the controller’s lawful basis (e.g., contractual necessity, legitimate interests, or consent).

5. Security and confidentiality

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit and at rest.
  • Access controls and role‑based permissions.
  • Regular security reviews and vulnerability management.
  • Logging and monitoring for misuse or unauthorised access.

Our staff and partners who process personal data are subject to confidentiality obligations.

6. Sub‑processors and data flows

  • We may use third‑party sub‑processors (e.g., cloud hosting, databases, monitoring, email, analytics) to provide the services.
  • Where required, we obtain your approval before engaging new sub‑processors, or we notify you and allow you to object within a reasonable period.
  • If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.
  • An up‑to‑date list of sub‑processors is available at: threatprevent.io/subprocessors.

7. Data retention and deletion

  • Personal data processed on your behalf is retained only for the duration necessary to provide the services and meet legal or contractual obligations.
  • At the end of the contractual relationship, or upon your request, we will return or securely delete your data (as agreed in the DPA or contract), unless we are legally required to retain it.

8. Data breaches and incident response

  • If we become aware of a personal data breach that affects your data, we will notify you without undue delay, as required by law and our DPA.
  • We have an incident response plan in place to contain the impact and cooperate with you on any required notifications to data subjects or supervisory authorities.

9. Data subject rights

  • As a processor, we assist you in fulfilling data‑subject rights (e.g., access, rectification, erasure, restriction, portability, objection) in accordance with the GDPR.
  • Individuals exercising their rights should normally contact you first; where required, we will support you with technical or administrative steps within our systems.

10. Data Processing Agreement (DPA)

  • For B2B engagements involving personal data processing, we maintain a Data Processing Agreement (DPA) that aligns with GDPR Article 28 and includes the required minimum clauses.
  • A copy of our standard DPA is available on request at: privacy@threatprevent.io
  • In some cases your internal DPA may be used instead, as long as it meets GDPR requirements and is mutually agreed.

11. Contact for data‑processing questions

If you have questions about how we process personal data for your B2B services, or you would like to request a copy of our DPA, contact us at: privacy@threatprevent.io
