Data Processing Addendum

GDPR Article 28 terms for processing customer personal data.

Last updated May 12, 2026. This DPA supplements the SOCPilot Terms of Service and applies whenever SOCPilot processes personal data on behalf of a Customer.

Processor role

Customer is the controller of personal data submitted to SOCPilot. SOCPilot acts as the processor and processes the data only on documented instructions from the controller.

International transfers

EEA / UK / Swiss data is transferred under Standard Contractual Clauses, the UK Addendum and the Swiss-equivalent decision, supplemented by encryption and access controls. EU and US region pinning is available on Enterprise.

Security measures

TLS 1.3 in transit; AES-256 at rest via AWS KMS. Least-privilege production access, MFA mandatory for Admin and Engineer roles, immutable audit logs (180 days), continuous monitoring. SOC 2 Type II compliant (audit completed January 2026); ISO 27001 Stage 2 audit scheduled August 2026.

Sub-processors

Listed publicly in the Trust Center. We notify customers of additions before they take effect and offer a reasonable objection window.

1. Definitions

Capitalized terms have the meaning given in the Terms of Service or in applicable Data Protection Laws (including the EU GDPR, UK GDPR, Swiss FADP, and US state privacy statutes such as the CCPA/CPRA).

2. Roles and scope

For Customer Personal Data, Customer is the Controller and SOCPilot, Inc. is the Processor. SOCPilot processes Customer Personal Data only to provide the service in accordance with documented instructions from the Customer, including those embedded in the platform's configuration.

3. Nature, purpose and categories

  • Nature & purpose — ingest, correlate and analyze security telemetry; generate investigation cases, briefs, and compliance evidence; route approval-gated response actions.
  • Data subjects — Customer personnel and authenticated end-users referenced in security events (employees, contractors, service principals).
  • Data categories — identifiers (email, account IDs, device IDs, IPs), authentication metadata, security event metadata, audit log entries, analyst notes.
  • Sensitive data — not required; Customer is responsible for not forwarding special-category data unnecessarily.

4. Processor obligations

  • Process Customer Personal Data only on documented instructions.
  • Ensure persons authorized to process Customer Personal Data are bound by confidentiality.
  • Maintain the technical and organizational measures described in the Security Annex.
  • Engage sub-processors only under written terms providing protections equivalent to this DPA.
  • Assist the Controller with data-subject requests, DPIAs and prior consultations to the extent reasonably required.
  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.
  • Delete or return Customer Personal Data on termination, subject to legal retention obligations.

5. Sub-processors

The current list of authorized sub-processors is published in the Trust Center. SOCPilot will give prior notice before authorizing any new sub-processor. Customer may object on reasonable data-protection grounds within 30 days; if the parties cannot agree on an alternative, Customer may terminate the affected service for cause.

6. International transfers

Where Customer Personal Data originating in the EEA, UK or Switzerland is transferred to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: controller to processor), the UK International Data Transfer Addendum, and the Swiss equivalent. The transfer impact assessment is published in the Trust Center.

7. AI sub-processing

When Customer enables live AI features, prompts and minimum required context are sent to the contracted LLM gateway and underlying model providers. SOCPilot configures these endpoints for zero retention where supported. Customer Personal Data is not used to train SOCPilot or third-party foundation models.

8. Audits

Customer may, no more than once per 12-month period, audit SOCPilot's compliance with this DPA. SOCPilot will satisfy audit requests by providing its current SOC 2 Type II report (audit completed January 2026), the latest ISO 27001 audit status (Stage 2 scheduled August 2026), the annual penetration-test summary from Kestrel Cyber, and a completed CAIQ/SIG questionnaire. On-site audits are available for Enterprise customers under reasonable scope, advance notice and confidentiality terms.

9. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service, except for amounts that cannot be excluded under applicable Data Protection Laws.

10. Order of precedence

In case of conflict between this DPA, the Terms of Service and an order form, the order of precedence is: (a) the SCCs (where applicable), (b) this DPA, (c) the order form, (d) the Terms of Service.

Annex A — Security measures

  • Encryption: TLS 1.2+ in transit; AES-256 at rest; key rotation managed via cloud KMS.
  • Access control: SSO + MFA on production; least-privilege RBAC; quarterly access reviews.
  • Logging & monitoring: immutable audit logs; SIEM-monitored production access; 24×7 alerting.
  • Vulnerability management: continuous dependency scanning; quarterly external penetration testing; coordinated disclosure program.
  • Resilience: cross-AZ deployment; daily encrypted backups; documented DR runbook tested annually.
  • People: background checks where lawful; mandatory annual security and privacy training.

Annex B — Sub-processors (summary)

Cloud infrastructure & managed Postgres, edge / serverless runtime, transactional email delivery, LLM inference (Google, OpenAI) via gateway, error & uptime monitoring. Region of processing and purpose for each is published in the Trust Center.

Contact