Skip to main content
Join our exclusive AI security workshopRequest a spot
EnigmaLabsEnigma Labs

Data Processing Agreement

Effective Date · January 1, 2025

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or other written agreement between EnigmaCyber LLC ("Processor," "we," "us," or "our") and the customer entity ("Controller," "you," or "your") for the provision of cybersecurity services.

This DPA sets forth the terms and conditions under which we will process personal data on your behalf.

1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "Services" means the cybersecurity services provided by the Processor to the Controller.
  • "Applicable Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to the California Consumer Privacy Act (CCPA) and other US state privacy laws.

2. Scope and Purpose

2.1 Subject Matter

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services.

2.2 Nature and Purpose of Processing

The Processor will Process Personal Data solely for the purpose of providing the Services as described in the Master Services Agreement, which may include:

  • Security assessment and incident response
  • Security monitoring and incident response
  • Log collection and analysis
  • Vulnerability assessment and reporting

2.3 Types of Personal Data

The categories of Personal Data Processed may include:

  • Network identifiers (IP addresses, device IDs)
  • User account information
  • Authentication logs
  • System and application logs
  • Network traffic metadata

2.4 Categories of Data Subjects

Data Subjects may include:

  • Controller's employees and contractors
  • Controller's customers and end users
  • Third parties whose data traverses Controller's network

2.5 Duration of Processing

Processing will continue for the duration of the Services Agreement unless terminated earlier in accordance with its terms.

3. Processor Obligations

The Processor agrees to:

3.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Controller
  • Inform the Controller if any instruction infringes Applicable Data Protection Laws
  • Not Process Personal Data for any purpose other than providing the Services

3.2 Confidentiality

  • Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need access to perform the Services

3.3 Security Measures

  • Implement appropriate technical and organizational measures to protect Personal Data
  • Regularly assess and improve security measures as appropriate

3.4 Assistance

  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations

3.5 Deletion and Return

  • Upon termination of the Services, delete or return all Personal Data as instructed by the Controller
  • Certify deletion upon Controller's request

4. Controller Obligations

The Controller agrees to:

4.1 Lawful Basis

  • Ensure there is a lawful basis for Processing Personal Data
  • Obtain any necessary consents from Data Subjects
  • Provide clear privacy notices to Data Subjects

4.2 Instructions

  • Provide documented Processing instructions to the Processor
  • Ensure instructions comply with Applicable Data Protection Laws

4.3 Data Accuracy

  • Ensure Personal Data provided to the Processor is accurate and up to date
  • Promptly notify the Processor of any corrections or updates

4.4 Cooperation

  • Cooperate with the Processor in fulfilling obligations under this DPA
  • Respond promptly to Processor inquiries regarding Processing activities

5. Data Security

5.1 Security Measures

The Processor implements and maintains appropriate security measures, including:

Technical Measures:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Network security monitoring and intrusion detection
  • Regular security testing and vulnerability assessments
  • Secure data backup and recovery procedures

Organizational Measures:

  • Information security policies and procedures
  • Employee security awareness training
  • Background checks for personnel with data access
  • Incident response and management procedures
  • Regular security audits and assessments

5.2 Security Certifications

The Processor maintains industry-standard security certifications and undergoes regular third-party security assessments.

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors to assist in providing the Services.

6.2 Sub-processor Requirements

The Processor will:

  • Enter into written agreements with Sub-processors imposing data protection obligations comparable to this DPA
  • Remain liable for Sub-processor compliance with this DPA
  • Maintain a list of current Sub-processors

6.3 Notification

The Processor will notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object to such changes.

6.4 Current Sub-processors

A list of current Sub-processors is available upon request and may include:

  • Cloud infrastructure providers
  • Security tool vendors
  • Analytics and monitoring services

7. International Data Transfers

7.1 Transfer Mechanisms

If Personal Data is transferred outside the United States, the Processor will ensure appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Other approved transfer mechanisms

7.2 Data Localization

Upon request, the Processor will provide information about the locations where Personal Data is Processed and stored.

8. Data Subject Rights

8.1 Assistance

The Processor will assist the Controller in responding to requests from Data Subjects to exercise their rights, including:

  • Right to access Personal Data
  • Right to correct inaccurate Personal Data
  • Right to delete Personal Data
  • Right to data portability
  • Right to opt out of sales (where applicable)

8.2 Response Timeline

The Processor will promptly notify the Controller of any Data Subject requests received directly and will not respond to such requests without Controller authorization unless legally required.

8.3 Cooperation

The Processor will provide reasonable cooperation and assistance to enable the Controller to respond to Data Subject requests within required timeframes.

9. Audits and Inspections

9.1 Audit Rights

The Controller may audit the Processor's compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Confidentiality obligations
  • Minimizing disruption to Processor operations

9.2 Third-Party Audits

The Processor may satisfy audit requests by providing:

  • Third-party audit reports (SOC 2, ISO 27001, etc.)
  • Security certifications and attestations
  • Completed security questionnaires

9.3 Costs

Each party bears its own costs associated with audits, unless an audit reveals material non-compliance by the Processor.

10. Data Breach Notification

10.1 Notification Timeline

The Processor will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting Controller's data.

10.2 Notification Content

Breach notifications will include, to the extent known:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10.3 Cooperation

The Processor will cooperate with the Controller in investigating and remediating the breach and in meeting any notification obligations to regulators or Data Subjects.

11. Term and Termination

11.1 Term

This DPA remains in effect for the duration of the Services Agreement.

11.2 Survival

Provisions relating to confidentiality, data deletion, and liability survive termination of this DPA.

11.3 Data Handling Upon Termination

Upon termination:

  • The Processor will cease Processing Personal Data except as necessary for deletion
  • The Processor will delete or return Personal Data within 90 days
  • The Processor will certify deletion upon Controller's request

12. Liability

12.1 Limitation

Liability under this DPA is subject to the limitations set forth in the Master Services Agreement.

12.2 Indemnification

Each party will indemnify the other for damages arising from its breach of this DPA or violation of Applicable Data Protection Laws.

13. Contact Information

For questions about this DPA or to exercise rights under this agreement:

EnigmaCyber LLC

  • Address: 1209 Mountain Road Pl NE, Ste N, 87110 Albuquerque, United States
  • Email: hello@enigmacyber.com
  • Website: https://enigmacyber.com

To request a signed copy of this DPA or to discuss specific data processing requirements, please contact us at the email address above.