Data Processing Agreement

Last Updated: April 11, 2026 Effective Date: April 11, 2026

This Data Processing Agreement ("DPA") is entered into between:

Controller: The entity identified in the Shielda subscription account ("Customer" or "Controller")

Processor: Shielda Security, Inc. ("Shielda" or "Processor")

This DPA supplements the Shielda Terms of Service ("Agreement") and governs the processing of Personal Data by Shielda on behalf of the Customer.

---

Definitions

- "Personal Data" — Any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" — GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable privacy legislation.
- "Processing" — Any operation performed on Personal Data (collection, storage, access, transfer, deletion, etc.).
- "Data Subject" — An identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" — A third party engaged by Shielda to process Personal Data on behalf of the Customer.
- "Security Incident" — A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

---

Scope and Roles

2.1 Controller and Processor

The Customer is the Controller: You determine the purposes and means of processing Personal Data through your use of the Service. This includes deciding which systems to scan, which team members have access, and how findings are used.

Shielda is the Processor: We process Personal Data only on your behalf, as necessary to provide the Service, and in accordance with your documented instructions.

2.2 Categories of Data Subjects

| Category | Examples |
| --- | --- |
| Customer employees and contractors | Dashboard users, analysts, administrators |
| Customer's end users (indirect) | Users whose data appears in scanned systems (e.g., email addresses in configuration files, credentials in secret scans) |

2.3 Types of Personal Data Processed

| Data Type | Purpose |
| --- | --- |
| Email addresses and names | Account management, access control, notifications |
| IP addresses | Audit logging, rate limiting, access grant tracking |
| User-agent strings | Session management, audit logging |
| Authentication tokens | Secure access to the Service |
| Security scan results | May contain Personal Data discovered in scanned environments (hostnames, email addresses, credentials, configuration values) |

2.4 Processing Activities

| Activity | Description |
| --- | --- |
| Account provisioning | Creating and managing user accounts and organizations |
| Authentication | Verifying user identity via Auth0 |
| Security scanning | Processing scan results transmitted by the Agent |
| Compliance evaluation | Assessing scan results against compliance frameworks |
| AI agent processing | Using AI to analyze, triage, and recommend fixes for findings |
| Notifications | Sending email and in-app notifications about security events |
| Billing | Processing subscription and usage data via Stripe |
| Audit logging | Recording administrative actions for accountability |

---

Processor Obligations

3.1 Processing Instructions

Shielda shall:

- Process Personal Data only on documented instructions from the Controller (this DPA and the Agreement constitute such instructions)
- Not process Personal Data for any purpose other than providing the Service
- Immediately inform the Controller if an instruction infringes Data Protection Laws

3.2 Confidentiality

Shielda shall ensure that persons authorized to process Personal Data:

- Have committed themselves to confidentiality or are under an appropriate statutory obligation
- Process Personal Data only on instructions from the Controller
- Receive appropriate training on data protection

3.3 Security Measures

Shielda implements the following technical and organizational measures:

Technical Measures:

| Measure | Implementation |
| --- | --- |
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AES-256 (AWS RDS, S3) |
| Access control | RBAC with org-scoped data isolation |
| Authentication | Auth0 with MFA support |
| Secret management | SHA-256 hashing for tokens, AES-GCM for secrets |
| Network security | VPC isolation, security groups, private subnets |
| Rate limiting | 4-layer Redis-backed rate limiting |
| Input validation | Zod schema validation, parameterized queries |
| Vulnerability management | Automated dependency scanning, regular security audits |

Organizational Measures:

| Measure | Implementation |
| --- | --- |
| Access minimization | Least-privilege principle; role-based access |
| Audit logging | Comprehensive audit trail of all data access and modifications |
| Employee training | Security awareness training for all personnel |
| Incident response | Documented incident response plan with escalation procedures |
| Vendor management | DPAs with all sub-processors |

3.4 Sub-processors

Current sub-processors:

| Sub-processor | Purpose | Location | Data Processed |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Infrastructure hosting, database (RDS), storage (S3) | US (us-east-1, configurable) | All service data |
| Auth0 (Okta, Inc.) | Authentication and identity management | US | User identity data |
| Stripe, Inc. | Payment processing | US | Billing data |
| Sentry (Functional Software, Inc.) | Error tracking | US | Error metadata (no scan data) |

Sub-processor changes:

- Shielda will notify the Controller at least 30 days before engaging a new sub-processor
- Notification will be sent via email to the Organization admin
- The Controller may object within 15 days of notification
- If the Controller objects and Shielda cannot accommodate the objection, the Controller may terminate the Agreement
- All sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA

---

Data Subject Rights

4.1 Assistance

Shielda shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:

- Providing self-service data export tools in the dashboard
- Supporting organization and user deletion workflows
- Responding to Controller requests within 10 business days

4.2 Self-Service Capabilities

| Right | How to Exercise |
| --- | --- |
| Access | Dashboard → Settings → Export Data |
| Rectification | Dashboard → Settings → Profile / Organization |
| Erasure | Dashboard → Settings → Danger Zone → Delete Organization |
| Portability | Dashboard → Settings → Export Data (JSON/CSV formats) |
| Restriction | Contact support@shielda.dev |

---

Security Incident Notification

5.1 Notification Timeline

In the event of a Security Incident involving Customer Personal Data, Shielda shall:

- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident
- Provide notification via email to the Organization admin and any designated security contact

5.2 Notification Content

The notification shall include:

- Nature of the Security Incident, including categories and approximate number of Data Subjects affected
- Name and contact details of the Shielda Data Protection Officer
- Description of likely consequences of the Security Incident
- Description of measures taken or proposed to address the incident and mitigate adverse effects

5.3 Ongoing Updates

Shielda shall provide updated information as it becomes available and cooperate with the Controller's investigation and remediation efforts.

5.4 Documentation

Shielda shall document all Security Incidents, including facts, effects, and remedial actions taken, and make this documentation available to the Controller upon request.

---

Data Transfers

6.1 Transfer Mechanisms

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequate level of data protection, Shielda relies on:

- EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor), as approved by the European Commission (Decision 2021/914)
- UK International Data Transfer Agreement (IDTA) — for UK-originating transfers
- Swiss-US Data Privacy Framework — where applicable

6.2 SCC Implementation

The SCCs are hereby incorporated by reference:

- Clause 9 (Sub-processors): Option 2 (general written authorization) with the notification procedure described in Section 4.4 above
- Clause 13 (Supervision): The supervisory authority of the EEA member state where the Controller is established, or the ICO (for UK transfers)
- Clause 17 (Governing Law): The laws of the EEA member state where the Controller is established
- Clause 18 (Jurisdiction): The courts of the EEA member state where the Controller is established

6.3 Transfer Impact Assessment

Shielda maintains a transfer impact assessment evaluating the legal framework of the destination country (US), including:

- Access by public authorities
- Legal remedies available to Data Subjects
- Supplementary measures implemented (encryption, access controls, contractual commitments)

---

Audit Rights