Data Processing Addendum

This Data Processing Addendum ("DPA") applies where ThreatSpot AI processes personal data on behalf of a customer that acts as a controller under applicable data protection laws.

1. Roles

The customer is the controller and ThreatSpot AI is the processor (or equivalent terms under applicable law) for personal data submitted to the Services.

2. Purpose

We process personal data only to provide the Services, perform our obligations under the main agreement, and comply with law.

3. Processor Obligations

• Process personal data only on documented instructions from the customer.
• Implement appropriate technical and organizational measures to protect personal data.
• Ensure personnel are bound by confidentiality obligations.
• Assist the customer with data subject requests where reasonably possible.

4. Subprocessors

We may use subprocessors to support the Services and will impose data protection obligations on them that are no less protective than those in this DPA.

5. International Transfers

Where personal data is transferred internationally, we will use appropriate safeguards as required by applicable law (for example, contractual clauses).

6. Return or Deletion

Upon termination of the Services, we will delete or return personal data in accordance with the customers instructions and our Data Retention & Deletion Policy, subject to legal retention requirements.