Data Processing Agreement

Last Updated: May 2, 2026

DPA Template Version: 1.0

This page publishes Cloudarq’s standard customer-facing DPA template. The DPA becomes binding only when both parties countersign a copy that names the Customer entity. Until then, this page is a preview for your legal team’s review. To request a countersignable copy, email [email protected] with your legal entity name; we send the current template back the same business day.

1. Parties and Roles

This Data Processing Agreement (“DPA”) governs the processing of personal data when the customer (the “Controller”) uses the Cloudarq cloud infrastructure auditing platform operated by Abdallah Khaldi (the “Processor” or “Cloudarq”). Where the Controller is itself a processor for an upstream controller (a typical B2B-SaaS resale or MSP arrangement), this DPA flows the corresponding obligations to that upstream relationship.

Capitalised terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR. Where a UK-only or EU-only term is referenced, the equivalent term in the other regime applies mutatis mutandis.

2. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller solely to provide the Service as described in the Terms of Service. Processing continues for as long as the Controller’s subscription is active and ends on the deletion of the Controller’s account (subject to the retention windows in §5 of the Privacy Policy for compliance and forensic data).

3. Categories of Data and Data Subjects

The personal data processed under this DPA includes:

  • Account data — email addresses, names, hashed passwords, role assignments, and similar identifiers for the Controller’s authorised users.
  • AWS credentials — access keys or IAM role ARNs the Controller provides for read-only scans (encrypted at rest with AES-256-GCM).
  • AWS infrastructure metadata — resource configuration data returned by the AWS APIs we call. Not the contents of the Controller’s data stores.
  • Operational metadata — scan history, finding triage state, audit log entries, support-ticket text, billing event records.

Data subjects are the Controller’s authorised personnel (employees, contractors, team members invited to the Cloudarq tenant). End-users of the Controller’s own products are not data subjects under this DPA — the Processor does not process their personal data through the Service.

4. Processor Obligations

4.1 Documented Instructions

The Processor processes personal data only on documented instructions from the Controller, which include this DPA, the Terms of Service, and any subsequent written instructions transmitted via the support channel. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

4.2 Confidentiality

The Processor ensures that personnel authorised to process personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

4.3 Security of Processing (Article 32)

The Processor implements appropriate technical and organisational measures including:

  • Encryption of AWS credentials at rest using AES-256-GCM with a randomly generated initialization vector per operation
  • Bcrypt password hashing with appropriate work factor
  • JWT-based authentication with short-lived access tokens and HTTP-only secure refresh-token cookies
  • HTTPS enforcement with HSTS preload
  • Optional two-factor authentication (TOTP)
  • Rate limiting and account lockout protections on authentication endpoints
  • Audit logging of administrative actions retained for the period in §5.2 of the Privacy Policy
  • Backup of customer data with documented restore procedures
  • Network-edge filtering via Cloudflare; origin protected behind Cloudflare-only ingress in production
  • PII scrubbing on telemetry events sent to Sentry (per §1.9 of the Privacy Policy)

The list above is the current technical posture and is reviewed against incident learnings. The Processor does not currently hold a SOC 2 Type II attestation or ISO 27001 certification — representations of such certifications are flagged on the subprocessors page; we will publish an authoritative letter the day either auditor signs off and not before.

4.4 Sub-processors (Article 28(2))

The Processor engages the sub-processors listed at /legal/subprocessors, which is the canonical list and supersedes any older enumeration. By signing this DPA, the Controller explicitly authorises the engagement of each sub-processor named on that page as of the signature date. The Controller is responsible for reviewing each sub-processor’s published Data Processing Agreement (linked from the subprocessors page) to understand how that sub-processor handles the Controller’s data. Where the Processor proposes to add or replace a sub-processor, it provides at least 30 days’ notice via in-app notification and email to the account’s billing contact, during which the Controller may object on reasonable data-protection grounds. If the Processor cannot reach a satisfactory accommodation, the Controller may terminate the affected portion of the subscription with a pro-rata refund (no penalty).

4.5 Assistance to the Controller (Articles 32–36)

The Processor provides reasonable assistance to the Controller in fulfilling its own GDPR obligations, including responding to data-subject requests (Articles 15–22), notifying personal data breaches (Article 33), conducting Data Protection Impact Assessments (Article 35), and consulting the supervisory authority where required (Article 36). Routes for each are described in §11 of the Privacy Policy.

4.6 Personal Data Breach Notification

The Processor notifies the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal data breach affecting the Controller’s data. A breach is considered confirmed when the Processor’s security team has established that unauthorised access or disclosure occurred and the categories and approximate scope of affected data are known or reasonably estimated. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed. This timeline mirrors the Controller’s own Article 33(1) obligation; the Processor’s notification is what the Controller relies on to start its own clock.

4.7 Audit Rights (Article 28(3)(h))

The Processor makes available to the Controller all information necessary to demonstrate compliance with this DPA. Once per calendar year (or more frequently in case of a documented breach), the Controller may conduct an audit of the Processor’s relevant facilities and processing activities, on at least 30 days’ written notice, during normal business hours, at the Controller’s expense, subject to reasonable confidentiality obligations protecting the Processor’s other customers and trade secrets. A reasonable third-party assessor (for example, an auditor under engagement-letter NDA) is acceptable in place of Controller personnel.

5. International Transfers

The Processor’s primary infrastructure is in the European Union (Hetzner, Helsinki, Finland). Several sub-processors operate outside the EEA / UK / Switzerland; the canonical list and locations are at /legal/subprocessors. For transfers to recipients outside the EEA / UK / Switzerland, the parties incorporate by reference the European Commission’s Standard Contractual Clauses (Decision 2021/914), Modules 1 and 2 as applicable, with the Processor as “data exporter” and each sub-processor as “data importer” in the relevant module configuration. The UK International Data Transfer Addendum is incorporated for transfers subject to UK GDPR. A transfer-impact assessment is reviewed annually and triggered ad hoc by material changes (new sub-processor, jurisdictional change, withdrawn adequacy decision).

6. Return or Deletion of Data

On termination of the Controller’s subscription, the Processor returns or deletes all personal data processed on behalf of the Controller, at the Controller’s choice, except for records the Processor must retain to comply with applicable law (the audit log retention window in §5.2 of the Privacy Policy is the principal example). Returned data is provided in JSON / CSV format suitable for re-import into another platform (per §18.11 of the Terms of Service).

7. Liability

Liability under this DPA mirrors the cap and carve-outs in §9 of the Terms of Service (tiered cap; mandatory-law unlimitable liabilities not capped). The DPA does not create separate liability on top of the ToS — that would invite double-counting and is not the intent. Where the Controller is a processor for an upstream controller, the Controller’s own DPA with that upstream controller governs the upstream relationship.

8. Term, Termination, and Survival

This DPA takes effect on countersignature and runs concurrent with the Controller’s subscription. On termination of the subscription, §6 (Return or Deletion of Data) survives until completion of the deletion obligations; §7 (Liability) and §10 (Governing Law) survive indefinitely.

9. Order of Precedence

In the event of conflict, the order of precedence is: (1) any signed Order Form between the parties; (2) this DPA; (3) the Terms of Service; (4) the Privacy Policy and other linked legal pages.

10. Governing Law

This DPA is governed by the laws of the State of Israel (matching §15 of the Terms of Service). Where the Controller is established in the EEA / UK and the data subjects are in the EEA / UK, the parties acknowledge that the GDPR and applicable EU/UK supervisory authorities have jurisdiction over the data-protection aspects regardless of the chosen forum.

11. Signature Block

Email [email protected] with your legal entity name to receive a countersignable PDF carrying this template’s text. We will countersign and return it the same business day. The countersigned PDF, not this page, is the binding agreement.

12. Contact

Questions about this DPA: [email protected].

Cross-references: Terms of Service | Privacy Policy | Subprocessors | Refund Policy.