Data Processing Agreement
This Data Processing Agreement (DPA) applies to organizations using BreachSpider and forms part of the Terms of Service. Enterprise customers requiring a countersigned DPA should contact [email protected].
1. Definitions
- Controller: The organization using BreachSpider -- you.
- Processor: CITED Relevance LLC, operating BreachSpider.
- Personal Data: Any data relating to an identified or identifiable natural person that you provide to BreachSpider.
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
2. Scope of Processing
CITED Relevance LLC processes Personal Data on behalf of the Controller for the purpose of providing the BreachSpider platform.
| Category | Data Processed | Purpose |
|---|---|---|
| Account data | Name, email, organization name, role | Authentication and service delivery |
| Usage data | Pages visited, features used, session timestamps | Service operation and improvement |
| Asset data | Device names, IP addresses, vendor/model info | CVE matching and intelligence delivery |
| CVE interaction data | Watchlist, dismissed findings, acknowledged CVEs | Personalized intelligence service |
Duration: For the term of the subscription plus 90 days post-cancellation for account data, 30 days for asset data.
3. Processor Obligations
- Process data only on Controller's documented instructions (the Terms of Service and this DPA)
- Ensure all staff with data access are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Security page)
- Assist Controller with data subject rights requests within 30 days
- Delete or return data upon termination within 30 days of written request
- Provide reasonable cooperation with Controller audits upon written request
- Notify Controller of any Personal Data breach within 72 hours of discovery
4. Subprocessors
Current approved subprocessors:
| Subprocessor | Location | Purpose |
|---|---|---|
| OVHcloud | United States | Infrastructure hosting |
| Cloudflare | United States | CDN, DDoS protection, SSL termination |
| Stripe | United States | Payment processing |
| Resend | United States | Transactional email delivery |
| Anthropic | United States | AI inference for SAGE analysis |
| ElevenLabs | United States | Voice synthesis (Professional+ tier, when voice enabled) |
We provide 30 days email notice before adding new subprocessors. Controller may object to new subprocessors within the notice period. All subprocessors are bound by data processing agreements.
5. International Transfers
All data is stored and processed within the United States. No transfers to the EU, EEA, or other jurisdictions occur without Controller's prior written consent. US-based operations do not require Standard Contractual Clauses for US-domiciled Controllers.
6. Security Measures
Technical measures: TLS 1.2+ encryption in transit via Cloudflare; infrastructure-level encryption at rest via OVHcloud; access controls with row-level security enforced per organization; session token hashing; API key hashing; audit logging of all privileged actions.
Organizational measures: Data access limited to personnel who require it for service delivery; annual security review; incident response procedures documented; background checks on key personnel.
7. Breach Notification
In the event of a Personal Data breach, CITED Relevance LLC will:
- Notify Controller within 72 hours of becoming aware of the breach
- Provide information on: nature of breach, categories and volume of data affected, likely consequences, measures taken or proposed to mitigate
- Cooperate with Controller's investigation and regulatory reporting obligations
8. Termination and Data Return
Upon termination of the subscription, CITED Relevance LLC will delete all Personal Data within 30 days unless legally required to retain it. Controller may request a data export prior to termination by contacting [email protected].
9. Governing Law
This DPA is governed by the laws of the State of Georgia, USA. Disputes are subject to the dispute resolution terms in the Terms of Service.
Enterprise customers requiring a countersigned DPA, custom data processing terms, or security questionnaire responses:
Contact [email protected]