Data Processing Agreement

Last updated: March 2026

Effective date: March 2026

Version: 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between Intelsieve, LLC ("Intelsieve", "Processor", "we", "our", or "us") and the entity or individual accepting this DPA ("Customer", "Controller", "you", or "your") for the provision of threat intelligence services (the "Services") as described in our Terms of Service (the "Agreement").

This DPA applies where and to the extent that Intelsieve processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR, UK GDPR, CCPA/CPRA, and other applicable data protection legislation.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Intelsieve on behalf of the Customer in connection with the Services.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Decision (EU) 2021/914.
  • "Sub-processor" means a third party engaged by Intelsieve to process Personal Data on behalf of the Customer.

2. Scope and Roles

2.1 Relationship of the Parties

For the purposes of Applicable Data Protection Law:

  • Customer is the Controller: You determine the purposes and means of processing Personal Data
  • Intelsieve is the Processor: We process Personal Data on your behalf and in accordance with your documented instructions

2.2 Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of Data Subjects:

  • Customer's employees and authorized users of the Services
  • Individuals whose data appears in threat intelligence results (e.g., individuals whose credentials appear in breach databases)

2.3 Types of Personal Data

Category | Examples
Account data | Names, email addresses, job titles
Authentication data | Hashed passwords, SSO tokens (via WorkOS)
Usage data | Search queries, platform interactions, IP addresses
Threat intelligence data | Email addresses, usernames, and credentials found in breach databases; domain and IP data
Billing data | Payment information (processed by Stripe)

2.4 Duration of Processing

Processing will continue for the duration of the Agreement plus any retention periods specified in our Privacy Policy or required by law.

3. Obligations of Intelsieve as Processor

3.1 Instructions

We will process Personal Data only in accordance with your documented instructions, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. If such a legal requirement applies, we will inform you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

3.2 Confidentiality

We ensure that all persons authorized to process Personal Data are subject to binding confidentiality obligations, whether contractual or statutory.

3.3 Security Measures

We implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access controls: Role-based access control (RBAC), multi-factor authentication for administrative access
  • Data isolation: Multi-tenant row-level data isolation
  • Monitoring: Continuous monitoring and logging of access to Personal Data
  • Incident response: Documented incident response procedures
  • Employee training: Regular data protection training for all staff with access to Personal Data
  • Regular testing: Periodic security assessments and penetration testing
  • Backup and recovery: Regular backups with tested recovery procedures

3.4 Sub-processors

We will not engage a new Sub-processor without providing you with at least 30 days' prior written notice, including the Sub-processor's name, location, and the processing activities to be performed. You may object to a new Sub-processor within 14 days of notification. If you object on reasonable data protection grounds and we cannot accommodate your objection, either party may terminate the affected Services.

Current Sub-processors are listed in Annex III of this DPA.

We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. We remain fully liable for the acts and omissions of our Sub-processors.

3.5 Data Subject Rights

We will promptly assist you in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection). We will notify you promptly if we receive a request directly from a Data Subject, and will not respond to the request without your authorization unless required by law.

3.6 Data Protection Impact Assessments

We will provide reasonable assistance to you in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

3.7 Deletion and Return of Data

Upon termination of the Agreement, at your choice, we will:

(a) Return all Personal Data to you in a commonly used, machine-readable format (JSON); or

(b) Delete all Personal Data within 30 days, except where retention is required by applicable law.

We will certify deletion upon your request.

4. Personal Data Breach Notification

4.1 Notification Timeline

We will notify you of a Personal Data Breach without undue delay, and in any event within 48 hours of becoming aware of the breach.

4.2 Content of Notification

The notification will include, to the extent available:

  • A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects concerned
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

4.3 Cooperation

We will cooperate with you and provide reasonable assistance in investigating and remediating the breach, including in your communications with supervisory authorities and affected Data Subjects.

5. International Data Transfers

5.1 Data Residency

We offer data residency in the United States and the European Union. Data is processed in the region selected by the Customer during account setup.

5.2 Transfer Mechanisms

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that do not benefit from an adequacy decision:

  • We rely on the Standard Contractual Clauses (SCCs) approved by European Commission Decision (EU) 2021/914
  • For UK transfers, we apply the UK International Data Transfer Addendum to the SCCs
  • For Swiss transfers, we rely on the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner

5.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments for international data transfers and implement supplementary measures as necessary to ensure adequate protection of Personal Data.

6. Audit Rights

6.1 Information and Audit

We will make available to you all information necessary to demonstrate compliance with this DPA. You (or your mandated auditor) may conduct audits and inspections, including inspections of our facilities and systems, to verify compliance with this DPA, subject to the following conditions:

  • Audits must be conducted during normal business hours with at least 30 days' advance written notice
  • Audits must not unreasonably interfere with our business operations
  • You will bear the costs of any audit
  • Audit findings are treated as confidential information

6.2 Third-Party Certifications

We will provide copies of relevant compliance certifications and audit reports (e.g., SOC 2) upon request, subject to confidentiality obligations. Where available, these certifications may satisfy your audit rights.

7. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of confidentiality obligations, for Personal Data Breaches caused by that party's negligence or willful misconduct, or to the extent such limitation is not permitted by Applicable Data Protection Law.

8. Term and Termination

This DPA commences on the date the Customer accepts it (or the date the Agreement takes effect, whichever is earlier) and remains in effect for the duration of the Agreement. Obligations related to the security and confidentiality of Personal Data survive termination.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Agreement (State of Wyoming), except to the extent that Applicable Data Protection Law requires the application of the law of another jurisdiction.

10. Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.


Annex I: Details of Processing

Element | Description
Subject matter | Provision of threat intelligence services
Duration | Duration of the Agreement
Nature and purpose | Account management, authentication, threat monitoring, alerting, billing
Categories of Data Subjects | Customer employees and authorized users; individuals referenced in threat intelligence data
Types of Personal Data | Account data, authentication data, usage data, threat intelligence data, billing data
Sensitive data | Potentially: credentials found in breach databases (passwords, security questions)
Processing operations | Collection, storage, retrieval, analysis, correlation, alerting, deletion

Annex II: Technical and Organizational Measures

Measure | Implementation
Encryption at rest | AES-256
Encryption in transit | TLS 1.3
Access control | Role-based (RBAC), least privilege, MFA for admin access
Data isolation | Multi-tenant row-level isolation in PostgreSQL
Logging | Structured audit logging of all data access
Backup | Encrypted daily backups with 30-day retention
Incident response | Documented procedures, 48-hour notification SLA
Employee access | Background checks, NDAs, annual data protection training
Vulnerability management | Regular patching, penetration testing, dependency scanning
Network security | Firewall rules, VPC isolation, DDoS protection

Annex III: List of Sub-processors

Sub-processor | Location | Processing Activities
Amazon Web Services (AWS) | US / EU (per customer region selection) | Cloud infrastructure, hosting, storage
Stripe, Inc. | United States | Payment processing
WorkOS, Inc. | United States | Authentication and SSO
ClickHouse, Inc. | United States | Analytics and query processing
Redis Labs | United States | Caching and session management

This list is current as of the effective date. Changes will be communicated with at least 30 days' prior notice.


Contact

For DPA-related inquiries: