1. Definitions
Capitalized terms have the meaning given in the Terms of Service or in applicable Data Protection Laws (including the EU GDPR, UK GDPR, Swiss FADP, and US state privacy statutes such as the CCPA/CPRA).
2. Roles and scope
For Customer Personal Data, Customer is the Controller and SOCPilot, Inc. is the Processor. SOCPilot processes Customer Personal Data only to provide the service in accordance with documented instructions from the Customer, including those embedded in the platform's configuration.
3. Nature, purpose and categories
- Nature & purpose — ingest, correlate and analyze security telemetry; generate investigation cases, briefs, and compliance evidence; route approval-gated response actions.
- Data subjects — Customer personnel and authenticated end-users referenced in security events (employees, contractors, service principals).
- Data categories — identifiers (email, account IDs, device IDs, IPs), authentication metadata, security event metadata, audit log entries, analyst notes.
- Sensitive data — not required; Customer is responsible for not forwarding special-category data unnecessarily.
4. Processor obligations
- Process Customer Personal Data only on documented instructions.
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality.
- Maintain the technical and organizational measures described in the Security Annex.
- Engage sub-processors only under written terms providing protections equivalent to this DPA.
- Assist the Controller with data-subject requests, DPIAs and prior consultations to the extent reasonably required.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.
- Delete or return Customer Personal Data on termination, subject to legal retention obligations.
5. Sub-processors
The current list of authorized sub-processors is published in the Trust Center. SOCPilot will give prior notice before authorizing any new sub-processor. Customer may object on reasonable data-protection grounds within 30 days; if the parties cannot agree on an alternative, Customer may terminate the affected service for cause.
6. International transfers
Where Customer Personal Data originating in the EEA, UK or Switzerland is transferred to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: controller to processor), the UK International Data Transfer Addendum, and the Swiss equivalent. The transfer impact assessment is published in the Trust Center.
7. AI sub-processing
When Customer enables live AI features, prompts and minimum required context are sent to the contracted LLM gateway and underlying model providers. SOCPilot configures these endpoints for zero retention where supported. Customer Personal Data is not used to train SOCPilot or third-party foundation models.
8. Audits
Customer may, no more than once per 12-month period, audit SOCPilot's compliance with this DPA. SOCPilot will satisfy audit requests by providing its current SOC 2 Type II report (audit completed January 2026), the latest ISO 27001 audit status (Stage 2 scheduled August 2026), the annual penetration-test summary from Kestrel Cyber, and a completed CAIQ/SIG questionnaire. On-site audits are available for Enterprise customers under reasonable scope, advance notice and confidentiality terms.
9. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service, except for amounts that cannot be excluded under applicable Data Protection Laws.
10. Order of precedence
In case of conflict between this DPA, the Terms of Service and an order form, the order of precedence is: (a) the SCCs (where applicable), (b) this DPA, (c) the order form, (d) the Terms of Service.
Annex A — Security measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest; key rotation managed via cloud KMS.
- Access control: SSO + MFA on production; least-privilege RBAC; quarterly access reviews.
- Logging & monitoring: immutable audit logs; SIEM-monitored production access; 24×7 alerting.
- Vulnerability management: continuous dependency scanning; quarterly external penetration testing; coordinated disclosure program.
- Resilience: cross-AZ deployment; daily encrypted backups; documented DR runbook tested annually.
- People: background checks where lawful; mandatory annual security and privacy training.
Annex B — Sub-processors (summary)
Cloud infrastructure & managed Postgres, edge / serverless runtime, transactional email delivery, LLM inference (Google, OpenAI) via gateway, error & uptime monitoring. Region of processing and purpose for each is published in the Trust Center.