Data Processing Agreement

This Data Processing Agreement ("DPA") applies to the processing of personal data by CSIRT Dashboard on behalf of you as a customer of our services. This DPA describes how we process your data and the measures we take to ensure compliance with applicable data protection laws.

For the purposes of this DPA, the terms "personal data," "data subject," "processing," "controller," "processor," and "supervisory authority" shall have the same meaning as in applicable data protection laws.

• Controller: The entity that determines the purposes and means of processing personal data.
• Processor: The entity that processes personal data on behalf of the controller.
• Data Subject: An identified or identifiable natural person whose personal data is processed.

CSIRT Dashboard will process personal data only in accordance with your documented instructions and solely for the purpose of providing the services, including:

• User account management and authentication
• Security incident and vulnerability reporting
• Team collaboration and communication
• Analytics and service improvement

CSIRT Dashboard will assist you in fulfilling your obligations to respond to data subjects' requests to exercise their rights under applicable data protection laws. This includes rights of access, rectification, erasure, restriction of processing, data portability, objection, and the right not to be subject to automated decision-making.

CSIRT Dashboard implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data during transmission and at rest
• Regular testing and evaluation of security measures
• Access controls and authentication requirements
• Data backup and recovery procedures

CSIRT Dashboard will not transfer personal data to a country outside the European Economic Area (EEA) without ensuring that appropriate safeguards are in place, such as standard contractual clauses or an adequacy decision by the European Commission.

CSIRT Dashboard may engage subprocessors to process personal data on your behalf. We will maintain a list of current subprocessors and notify you of any intended changes. All subprocessors will be bound by written agreements that require them to provide at least the same level of data protection required by this DPA.

CSIRT Dashboard will make available all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.

In the event of a personal data breach, CSIRT Dashboard will notify you without undue delay after becoming aware of the breach. We will provide you with sufficient information to allow you to meet any obligations to report or inform data subjects or data protection authorities of the breach.

Upon termination of services, CSIRT Dashboard will, at your choice, delete or return all personal data to you and delete existing copies unless applicable law requires storage of the personal data.