Data Processing Agreement
Last updated: 1 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Subnomic ("Processor") for the provision of the Services, and reflects the parties' agreement regarding the processing of personal data in accordance with applicable data protection laws, including the GDPR.
1. Roles of the parties
For personal data processed in connection with the Services, the Controller is the customer and the Processor is Subnomic. Subnomic processes personal data only on the documented instructions of the Controller, including as set out in the agreement and this DPA.
2. Subject matter & duration
The subject matter is the provision of Zero Trust access and observability Services. Processing continues for the duration of the agreement and until deletion or return of personal data as described below.
3. Nature & purpose of processing
Processing is carried out to provide secure access, session recording and replay, RBAC enforcement, metrics collection, audit logging, and related support, as instructed by the Controller.
4. Categories of data & data subjects
- Data subjects: the Controller's authorized users, administrators and personnel.
- Categories of data: account and contact details, authentication identifiers, connection and session metadata, session recordings, and host telemetry. The agent does not process application data unless the Controller explicitly grants access via policy.
5. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed on our Subprocessors page. The Processor imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance. We will provide notice of intended changes to sub-processors, giving the Controller the opportunity to object on reasonable grounds.
6. Security measures
The Processor implements appropriate technical and organizational measures, including encryption in transit (TLS) and at rest, least-privilege access controls, audit logging, and the Zero Trust architecture described on our Security page.
7. Data subject requests
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate measures to fulfil its obligation to respond to requests from data subjects exercising their rights.
8. Personal data breaches
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information reasonably required to enable the Controller to meet its breach-notification obligations.
9. International transfers
Where personal data is transferred outside the EEA/UK, the parties rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
10. Audits
The Processor will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, subject to reasonable confidentiality and security conditions.
11. Deletion & return of data
Upon termination of the Services, the Processor will, at the Controller's choice, delete or return personal data, save where retention is required by applicable law. Self-hosted deployments retain data within the Controller's own infrastructure.
12. Contact
For questions about this DPA, contact legal@subnomic.com.