This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Black Cat Security ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service.
1. Definitions
For the purposes of this DPA, the following terms have the meanings ascribed to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
"Controller" means the natural or legal person which determines the purposes and means of the processing of personal data — in this DPA, the Customer.
"Processor" means the natural or legal person which processes personal data on behalf of the Controller — in this DPA, Black Cat Security.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Scope and Roles
The Customer acts as the Controller and Black Cat Security acts as the Processor with respect to the personal data processed through the Service. This DPA supplements the Terms of Service and applies to all processing activities performed by the Processor on behalf of the Controller.
In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.
3. Processing Instructions
The Processor shall process personal data only in accordance with the Controller's documented instructions, as set out in this DPA and the Terms of Service. The Processor shall not process personal data for any purpose other than the provision of the Service unless required to do so by applicable EU or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection legislation.
4. Categories of Data Processed
The following categories of personal data are processed by the Processor on behalf of the Controller in connection with the Service:
Data Category | Data Subjects | Purpose
SaaS configuration data | End users of connected SaaS applications | Security posture assessment and compliance monitoring
Identity data (names, emails, roles) | Users of connected SaaS applications | Identity risk analysis and access review
Security findings | Users associated with misconfigured resources | Risk scoring and remediation guidance
Audit logs | Platform administrators | Accountability, troubleshooting, and compliance
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors for the processing of personal data:
Name | Purpose | Location
Cloudflare, Inc. | Hosting, CDN, and DDoS protection | USA / EU
Paddle.com Market Ltd | Billing and payment processing | United Kingdom
The Processor shall notify the Controller of any intended changes to its sub-processors at least 30 days before the new sub-processor begins processing personal data. The Controller shall have a period of 30 days from receipt of such notification to object in writing. If the Controller raises a reasonable objection, the parties shall discuss the matter in good faith and, if no resolution is reached, the Controller may terminate the affected services.
6. Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:
Encryption of personal data at rest using AES-256.
Encryption of personal data in transit using TLS 1.2 or higher.
Role-based access control (RBAC) with mandatory multi-factor authentication (MFA) for all personnel with access to personal data.
Comprehensive audit logging of all access to and modifications of personal data.
Regular security assessments and vulnerability testing.
Incident response procedures with defined escalation and notification processes.
Employee training on data protection and information security, conducted at onboarding and at least annually.
7. Data Breach Notification
In the event of a Data Breach, the Processor shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification shall include:
A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and personal data records concerned.
The name and contact details of the data protection officer or other contact point.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under the GDPR (including access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such requests except on the Controller's instructions.
The Processor shall provide reasonable cooperation and assistance, taking into account the nature of the processing and the information available to the Processor.
9. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with at least 30 days' written notice, during normal business hours, and in a manner that minimises disruption to the Processor's operations. The costs of the audit shall be borne by the Controller. The Processor may satisfy audit requirements by providing relevant certifications, audit reports, or compliance attestations from independent third parties.
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions, or other GDPR-approved transfer mechanisms. The Processor shall inform the Controller of any transfer and provide details of the safeguards applied.
11. Data Return and Deletion
Upon termination or expiry of the Terms of Service, the Processor shall, at the Controller's election, either return all personal data to the Controller or delete it. The Controller shall have a period of 30 days following termination to request the export of its data in a standard format (JSON or CSV). After this period, the Processor shall securely delete all personal data, except where retention is required by applicable law.
The Processor shall provide written confirmation of deletion upon the Controller's request.
12. Duration and Termination
This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate upon the termination or expiry of the Terms of Service. The obligations of the Processor regarding data protection, security, and confidentiality shall survive termination for as long as the Processor retains any personal data of the Controller.
13. Annexes
The following annexes form an integral part of this DPA:
Annex A — Details of Processing: the categories of data processed, the Data Subjects concerned, and the purposes of processing are described in Section 4 of this DPA.
Annex B — Technical and Organisational Measures: the security measures implemented by the Processor are described in Section 6 of this DPA.