
Data Processing Addendum

Controller-processor terms governing the processing of personal data by Secruna on behalf of enterprise customers. Read alongside the Terms of Service and the Subprocessors list.

This Data Processing Addendum (the DPA) forms part of the Master Services Agreement or order form (the Agreement) between Secruna ([legal entity name TBD], the Processor) and the customer identified in the Agreement (the Customer, the Controller). It is drafted to satisfy GDPR Article 28 and the equivalent UK GDPR.

1. Definitions

Capitalised terms used but not defined here have the meanings given in the Agreement or in GDPR. In particular:

  • Customer Personal Data — personal data processed by Secruna on behalf of the Customer in connection with the Service.
  • Sub-processor — any third party engaged by Secruna to process Customer Personal Data.
  • SCCs — the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914.
  • Personal Data Breach — a breach of security as defined in GDPR Art 4(12).

2. Subject matter and duration

The subject matter of processing is the operation of the Service described in the Agreement. The duration of processing is the Subscription Term plus any post-termination period required by clause 11 (Return or deletion).

3. Nature and purpose of processing

Operation of an AI inventory and compliance platform: ingest of configuration and event metadata via connectors; classification of AI systems against the EU AI Act; storage of audit logs; generation of evidence packs for the Article 11 technical file; and product-support access on a time-bounded basis. Processing is automated; no decision having legal effect on a data subject is taken solely by the Service.

4. Categories of data and data subjects

4.1 Categories of data

  • Identifiers and contact details of the Customer’s authorised users.
  • Configuration metadata of the Customer’s AI systems (provider, model identifier, environment, owner, purpose).
  • Metadata of detected AI usage events (timestamp, system identifier, classification, tenant identifier).
  • Audit log entries.
  • Evidence pack content the Customer chooses to generate.

The Service is not designed to process special category data within the meaning of GDPR Art 9. The Customer shall not configure connectors against data sources whose primary content is special category data without prior written agreement.

4.2 Categories of data subjects

  • The Customer’s authorised users.
  • The Customer’s employees and contractors whose activities are observed by the Service for shadow-AI detection purposes, to the extent unavoidable for that detection.
  • The Customer’s data subjects, only where the Customer chooses to upload such data (which the Service does not require).

5. Sub-processors

The Customer authorises Secruna to engage the sub-processors listed at /subprocessors as of the effective date. Secruna shall provide at least 30 days’ advance written notice before adding a new sub-processor that handles Customer Personal Data. Notice is delivered by email to the Customer’s designated contact and by updating the Subprocessors page.

The Customer may object on reasonable data-protection grounds within the notice window. The parties shall negotiate in good faith; if no resolution is reached, the Customer may terminate the affected service for cause without penalty. Secruna remains liable to the Customer for the acts and omissions of its sub-processors.

6. Data residency and international transfers

Customer Personal Data is hosted exclusively within the European Economic Area, with Microsoft Azure Sweden Central as the primary region. No Customer Personal Data leaves the European Union under normal operation.

Where a sub-processor is established outside the EEA (for example, Anthropic, GitHub, CloudFront), transfers are governed by the EU Standard Contractual Clauses (Module 3, processor-to-processor) and, where the Customer is established in the United Kingdom, by the UK International Data Transfer Addendum.

7. Security measures

Secruna implements and maintains the following technical and organisational measures (TOMs). These are summarised here; full detail is available in Secruna’s Information Security Policy on request under NDA.

  1. Encryption at rest — Azure Storage Service Encryption and Postgres Transparent Data Encryption with AES-256.
  2. Encryption in transit — TLS 1.2 minimum for all external traffic; TLS 1.3 preferred where the client supports it.
  3. Identity and access management — Entra ID for personnel, with role-based access control and least-privilege defaults.
  4. Multi-factor authentication — required for all administrative access; phishing-resistant factors preferred.
  5. Time-bounded admin impersonation — support access to a customer tenant is short-lived, logged and subject to four-eye review before activation.
  6. Immutable audit log — structured audit log entries are append-only after write and retained for 7 years.
  7. Secrets management — secrets stored in Azure Key Vault with managed identities; no long-lived secrets in code or configuration.
  8. Network segmentation — private networking between application and data tiers; egress restricted to declared sub-processors.
  9. Tenant isolation — every query is tenant-scoped; cross-tenant data access is blocked at the data layer.
  10. Vulnerability management — continuous dependency scanning, monthly external scans, prompt patching of critical findings.
  11. Penetration testing — annual external penetration test (planned) with summary available to customers under NDA.
  12. Backups and disaster recovery — point-in-time-restore for Postgres (35 days); DR runbook tested at least twice yearly.
  13. Personnel — signed acceptable-use and confidentiality acknowledgements; documented onboarding and offboarding; background checks where lawful.
  14. Vendor management — vendors reviewed before engagement; sub-processor list published and version-controlled on the Subprocessors page.
  15. Secure development — peer code review, automated tests, signed commits and CI/CD with deploy-time scanning.
  16. Incident response — documented runbook with clear severity levels and customer-notification commitments.
  17. Logging and monitoring — central log aggregation, anomaly alerts, retention aligned with the audit log policy.

8. Personal data breach

Secruna shall notify the Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay and within 24 hours of confirmation. The notification will provide the categories required by GDPR Art 33(3) to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Secruna shall co-operate with the Customer to enable the Customer’s own notification to its supervisory authority within 72 hours.

9. Data subject rights

Taking into account the nature of the processing, Secruna shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to data subject requests under GDPR Articles 15 to 22. Where a data subject contacts Secruna directly with such a request, Secruna shall route the request to the Customer without undue delay and shall not respond on the Customer’s behalf without instruction.

10. Audit rights

The Customer may, at its cost and with at least 30 days’ written notice, audit Secruna’s compliance with this DPA no more than once per calendar year, except where law or a supervisory authority requires more frequent audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Secruna’s operations.

In lieu of an on-site audit, Secruna shall provide its most recent SOC 2 Type II report and ISO 27001 certificate once those attestations are available, together with the attestations of the principal sub-processors listed on the Subprocessors page.

11. Return or deletion on termination

Within 30 days of termination of the Agreement, Secruna shall, at the Customer’s choice, either return Customer Personal Data in a structured, commonly used machine-readable format, or delete it. Audit log entries scoped to the Customer’s tenant are deleted on the same schedule. Backups expire on the standard 35-day point-in-time-restore window. Sub-processors are notified to delete derived data per their respective contracts. After that period, Secruna shall delete all remaining copies, except where retention is required by applicable law (in which case the retained data remains subject to this DPA’s confidentiality and security obligations).

12. Liability

Each party’s liability under this DPA is subject to the liability cap and exclusions set out in the Agreement. For the avoidance of doubt, the cap applies to all claims under or in connection with this DPA, in aggregate with all other claims under the Agreement.

13. General

This DPA prevails over any conflicting term in the Agreement with respect to the processing of personal data. Where applicable law changes, the parties shall negotiate amendments in good faith to maintain compliance.

Annex — Sub-processors at the effective date

The current list is published at /subprocessors. A point-in-time snapshot is reproduced below.

| Sub-processor | Service | Region | Mechanism |
| --- | --- | --- | --- |
| Microsoft Azure | Compute, Postgres, Redis, Key Vault, Container Registry, Log Analytics | EEA — Sweden Central | Microsoft DPA |
| Anthropic, PBC | Extractor LLM for classification and evidence drafting | EU regional inference where available; otherwise US with SCCs | Anthropic DPA + SCCs |
| Amazon Web Services | Cross-cloud read access via STS; static asset storage | eu-central-1 (Frankfurt), eu-west-1 (Ireland) | AWS DPA + SCCs |
| Functional Software (Sentry) | Error monitoring | EU instance (Frankfurt) | Sentry DPA + SCCs |
| Amazon CloudFront | CDN — static assets only, no Customer Personal Data | Global edge; EEA origin | AWS DPA |
| GitHub, Inc. | Source code and employee identity; no Customer Personal Data | US with SCCs | GitHub DPA + SCCs |