Data Processing Agreement

Last updated: June 7, 2026 - Governing law: State of Georgia, USA

This Data Processing Agreement (DPA) applies to organizations using BreachSpider and forms part of the Terms of Service. Enterprise customers requiring a countersigned DPA should contact [email protected].

1. Definitions

2. Scope of Processing

CITED Relevance LLC processes Personal Data on behalf of the Controller for the purpose of providing the BreachSpider platform.

CategoryData ProcessedPurpose
Account dataName, email, organization name, roleAuthentication and service delivery
Usage dataPages visited, features used, session timestampsService operation and improvement
Asset dataDevice names, IP addresses, vendor/model infoCVE matching and intelligence delivery
CVE interaction dataWatchlist, dismissed findings, acknowledged CVEsPersonalized intelligence service

Duration: For the term of the subscription plus 90 days post-cancellation for account data, 30 days for asset data.

3. Processor Obligations

4. Subprocessors

Current approved subprocessors:

SubprocessorLocationPurpose
OVHcloudUnited StatesInfrastructure hosting
CloudflareUnited StatesCDN, DDoS protection, SSL termination
StripeUnited StatesPayment processing
ResendUnited StatesTransactional email delivery
AnthropicUnited StatesAI inference for SAGE analysis
ElevenLabsUnited StatesVoice synthesis (Professional+ tier, when voice enabled)

We provide 30 days email notice before adding new subprocessors. Controller may object to new subprocessors within the notice period. All subprocessors are bound by data processing agreements.

5. International Transfers

All data is stored and processed within the United States. No transfers to the EU, EEA, or other jurisdictions occur without Controller's prior written consent. US-based operations do not require Standard Contractual Clauses for US-domiciled Controllers.

6. Security Measures

Technical measures: TLS 1.2+ encryption in transit via Cloudflare; infrastructure-level encryption at rest via OVHcloud; access controls with row-level security enforced per organization; session token hashing; API key hashing; audit logging of all privileged actions.

Organizational measures: Data access limited to personnel who require it for service delivery; annual security review; incident response procedures documented; background checks on key personnel.

7. Breach Notification

In the event of a Personal Data breach, CITED Relevance LLC will:

8. Termination and Data Return

Upon termination of the subscription, CITED Relevance LLC will delete all Personal Data within 30 days unless legally required to retain it. Controller may request a data export prior to termination by contacting [email protected].

9. Governing Law

This DPA is governed by the laws of the State of Georgia, USA. Disputes are subject to the dispute resolution terms in the Terms of Service.

Enterprise customers requiring a countersigned DPA, custom data processing terms, or security questionnaire responses:

Contact [email protected]