Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by and between the Customer (as defined in the Principal Agreement) (“Customer” or “Controller”) and CentralCSP (“Processor”) (each a “Party” and together the “Parties”) and is incorporated into and forms an integral part of the Principal Agreement.

This DPA will become effective on the date the Customer electronically accepts or executes the Principal Agreement

WHEREAS

(A) The Customer, acting as a Data Controller, has entered into an agreement for the provision of Services by the Processor (the “Principal Agreement”).

(B) The provision of the Services by the Processor to the Customer involves the processing of personal data on behalf of the Customer.

(C) This DPA is intended to ensure the processing of personal data by the Processor is conducted in compliance with the requirements of applicable Data Protection Laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”).

(D) The Parties wish to lay down their respective rights and obligations concerning the processing of personal data under the Principal Agreement.

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

• 1.1.1. Customer Data means any data, including Personal Data, that the Customer or its End-Users submit to the Services for processing by the Processor on behalf of the Customer.
• 1.1.2. Data Protection Laws means all applicable laws and regulations relating to the processing of personal data and privacy, including but not limited to the GDPR and any national implementing laws, regulations, and secondary legislation.
• 1.1.3. End-User means a natural person (Data Subject) who accesses or uses the Customer's websites, applications, or online services that are monitored or protected by the Services.
• 1.1.4. EEA means the European Economic Area.
• 1.1.5. Principal Agreement means the Terms of Service, Master Services Agreement, or other written or electronic agreement between the Processor and the Customer for the provision of the Services.
• 1.1.6. Services means the provision of web security and compliance services by the Processor, including but not limited to Content Security Policy (CSP) management, CSP violation report collection and analysis via a reporting endpoint, CSP scanning and evaluation, and automated CSP policy building, as more fully described in the Principal Agreement.
• 1.1.7. Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by the European Commission.
• 1.1.8. Sub-processor means any third-party processor engaged by the Processor to process Customer Data.
• 1.2. The terms Controller, Data Subject, Personal Data, Personal Data Breach, Processing, and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
• 1.3. This DPA shall supersede any and all prior agreements, clauses, or understandings between the Parties with respect to the subject matter hereof. In the event of any conflict or inconsistency between this DPA and the Principal Agreement, the terms of this DPA shall prevail with regard to the processing of Personal Data.

2. Roles and Responsibilities; Processing of Personal Data

2.1. Roles of the Parties

The Parties acknowledge and agree that for the purposes of the Data Protection Laws, the Customer is the Controller and the Processor is the Processor of the Customer Data. Each Party will be responsible for its own compliance with its obligations under Data Protection Laws.

2.2. Processor’s Obligations

The Processor shall process Customer Data only on behalf of the Customer and in accordance with the Customer's documented instructions. The Customer's initial instruction to the Processor for the processing of Customer Data is the Customer's execution of the Principal Agreement and its use of the Services. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects for the processing are set forth in Annex 1 (Details of the Processing) to this DPA.The Processor shall not process Customer Data for any other purpose unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.3. Customer’s Obligations

The Customer represents and warrants that it has established and will maintain a valid legal basis for the processing of Customer Data as contemplated by the Principal Agreement and this DPA. The Customer is solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which it acquired the Customer Data. The Customer's instructions to the Processor for the processing of Customer Data shall comply with all Data Protection Laws.

2.4. Infringing Instructions

The Processor shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Data Protection Laws. This obligation serves to protect both parties by ensuring that processing activities remain within the bounds of legality, reflecting the Processor's role as an expert service provider while affirming the Controller's ultimate authority over the data.

3. Security and Confidentiality

3.1. Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures are designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. The specific technical and organizational measures implemented by the Processor are described in Annex 2 (Technical and Organizational Security Measures).

The establishment of a detailed annex for security measures, rather than a brief mention in the main body, provides a dynamic and transparent framework. It allows the Processor to update its security practices to reflect technological advancements and evolving threats without requiring an amendment to the core legal agreement. This approach demonstrates a mature commitment to state-of-the-art security, a critical factor for customers in the web security space.

3.2. Confidentiality

The Processor shall ensure that any personnel authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Data shall be strictly limited to those individuals who need such access to perform their duties in connection with the Services.

4. Sub-processing

4.1. General Authorization

The Customer provides a general written authorization to the Processor to engage Sub-processors to process Customer Data on the Customer's behalf, provided that the Processor complies with the requirements of this Section 4. This model of general authorization is a practical necessity for SaaS providers who rely on a dynamic ecosystem of underlying cloud services to deliver their product.

4.2. List of Sub-processors

The Processor shall maintain a list of its current Sub-processors, as set out in Annex 3 (Authorized Sub-processors), and shall make this list available to the Customer. This list shall include the identities of the Sub-processors, their location, and the purpose of the sub-processing activities.

4.3. Notification of New Sub-processors

The Processor shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors. The Processor will provide such notification by a reasonable mechanism (e.g., via email or through the service portal) at least thirty (30) days in advance of the new Sub-processor beginning to process Customer Data. This notification period provides the Customer with a meaningful opportunity to assess the proposed change.

4.4. Right to Object

The Customer may object to the appointment of a new Sub-processor within fourteen (14) days of receiving the notification from the Processor, provided such objection is based on reasonable grounds relating to data protection. If the Customer objects, the Parties will work together in good faith to find a commercially reasonable solution. If no such solution can be found, either Party may terminate the Principal Agreement. This objection mechanism is a critical control for the Customer, reinforcing their role as the Data Controller and ensuring they retain ultimate authority over where and by whom their data is processed.

4.5. Sub-processor Obligations

The Processor shall enter into a written agreement with each Sub-processor that imposes on the Sub-processor data protection obligations that are no less protective than those imposed on the Processor under this DPA. The Processor shall remain fully liable to the Customer for the performance of that Sub-processor's data protection obligations.

5. Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR. The Processor shall promptly notify the Customer if it receives a request from a Data Subject. The Processor shall not respond to any such request itself, except on the documented instructions of the Customer or as required by applicable law. Given the nature of the Services, where Customer Data primarily consists of technical violation reports, the Processor may not be able to directly identify an End-User from the data it processes. Therefore, the responsibility to verify and respond to the Data Subject remains with the Customer, with the Processor providing necessary assistance.

6. Personal Data Breach

The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The Processor shall provide the Customer with sufficient information to allow the Customer to meet its obligations to report the breach to the Supervisory Authority and/or inform Data Subjects. Such notification shall, at a minimum:

• (a) describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned.
• (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
• (c) describe the likely consequences of the Personal Data Breach.
• (d) describe the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

The Processor shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

7. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities which the Customer reasonably considers to be required under Articles 35 and 36 of the GDPR or equivalent provisions of any other Data Protection Law. Such assistance shall be provided solely in relation to the processing of Customer Data by the Processor and taking into account the nature of the processing and the information available to the Processor.

8. Return and Deletion of Data

Upon termination of the Principal Agreement, the Processor shall, at the choice of the Customer, delete or return all Customer Data to the Customer. The Processor shall delete all existing copies of Customer Data within ninety (90) days of the termination date, unless applicable law requires storage of the Personal Data. A 90-day retention period is a practical timeframe for a SaaS provider, allowing for orderly data deletion from complex, multi-layered storage and backup systems, which contrasts with the overly ambitious 10-day period in the generic template.

9. Audit Rights

The Processor shall make available to the Customer, upon request, all information necessary to demonstrate compliance with its obligations under this DPA. To satisfy this requirement, the Processor may provide the Customer with copies of relevant third-party audit reports and certifications (e.g., PCI DSS SAQ A). This approach is standard for multi-tenant cloud environments, as it provides robust assurance of compliance without exposing the Processor's infrastructure or the data of other customers to the risks associated with direct, on-site audits by every customer.

10. International Transfers

The Processor shall not transfer Customer Data to any country outside the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Where the Processor transfers Customer Data from the EEA to a country not deemed to provide an adequate level of data protection by the European Commission, the Parties agree that such transfers shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into this DPA by reference. This proactive inclusion of SCCs is a critical legal safeguard that addresses a primary due diligence concern for European customers, streamlining international business operations.

11. General Provisions

• 11.1. Liability. Each Party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.
• 11.2. Confidentiality. The Parties agree that this DPA and any information exchanged in connection with it are confidential and shall be handled in accordance with the confidentiality provisions of the Principal Agreement.
• 11.3. Notices. All notices and communications given under this DPA must be in writing and will be delivered in accordance with the notice provisions of the Principal Agreement.
• 11.4. Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other provisions shall remain in force.

12. Governing Law and Jurisdiction

• 12.1. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of France.
• 12.2. The Parties irrevocably agree that the courts of France shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA.

Annex 1: Details of the Processing

This Annex forms part of the DPA and describes the processing of Personal Data performed by the Processor on behalf of the Controller. The inclusion of this detailed annex is a direct requirement of GDPR Article 28(3) and is fundamental to a compliant DPA. It translates the technical functions of the CentralCSP service into the precise legal language required by data protection regulations, providing clarity and transparency to both the customer and any supervisory authorities.

Annex 2: Technical and Organizational Security Measures

This Annex describes the technical and organizational security measures (TOMs) implemented by the Processor to protect Customer Data. As a security-focused company, CentralCSP's customers will have high expectations for these measures. This detailed list demonstrates a robust security posture aligned with industry best practices and provides the assurance required by security professionals and IT directors.

1. Access Control

• Personnel Access: Access to systems processing Customer Data is granted on a need-to-know basis according to the principle of least privilege. Access rights are reviewed periodically and revoked upon termination of employment or change in job function.
• Authentication: All personnel access to production environments requires multi-factor authentication (MFA).
• Logging: Access to production systems is logged and monitored for unauthorized activity.

2. Encryption

• In Transit: All Customer Data transmitted over public networks (e.g., from an End-User's browser to the reporting endpoint, or between the Processor's internal services) is encrypted using strong, industry-standard protocols (e.g., TLS 1.2 or higher).
• At Rest: All Customer Data stored on the Processor's systems is encrypted at rest using robust encryption standards (e.g., AES-256).

3. System Security and Resilience

• Vulnerability Management: The Processor conducts regular vulnerability scans of its systems and applications. Critical security patches are applied in a timely manner.
• Network Security: The Processor employs firewalls, network segmentation, and other measures to protect its network from unauthorized access.
• Availability and Resilience: The Processor utilizes redundant, fault-tolerant infrastructure hosted with leading cloud providers to ensure the ongoing availability and resilience of the Services. Regular backups of Customer Data are performed to enable timely restoration in the event of a physical or technical incident.

4. Incident Response and Management

• Incident Response Plan: The Processor maintains a formal incident response plan that includes procedures for detecting, containing, investigating, and remediating security incidents.
• Breach Notification: The Processor has established procedures to ensure timely and effective notification to Customers in the event of a Personal Data Breach, in accordance with Section 6 of the DPA.

5. Personnel Security

• Training: All personnel undergo regular security and data privacy awareness training
• Confidentiality: All personnel are subject to binding confidentiality obligations as a condition of their employment.

6. Data Deletion

• Secure Disposal: The Processor utilizes secure data disposal methods to ensure that Customer Data is permanently and irretrievably deleted from its systems upon the expiration of the retention period defined in Section 8 of the DPA.

7. Physical Security

• Data Centers: The Processor utilizes data centers provided by major cloud infrastructure providers that maintain high standards of physical security. These data centers are protected by measures including 24/7 security personnel, video surveillance, and strict physical access controls. These providers maintain third-party certifications such as SOC 2 and ISO 27001 to attest to their physical security controls.

Annex 3: Authorized Sub-processors

This Annex lists the Sub-processors authorized by the Customer to process Customer Data. Transparency regarding sub-processors is a key requirement of the GDPR and a critical component of customer due diligence. This list allows customers to understand the complete data processing chain and conduct their own risk assessments.

As of the Effective Date of this DPA, the Processor engages the following Sub-processors: