DATA PROCESSING AGREEMENT
Between:
SecValley Inc. (“Processor” or “SecValley”), a corporation organized under the laws of the United States, with its principal place of business in the United States, operating the SecValley cloud security posture management platform accessible at app.secvalley.com;
and
The Customer identified in the applicable SecValley subscription agreement or order form (“Controller” or “Customer”).
Collectively referred to as the “Parties” and individually as a “Party.”
Effective Date: This Data Processing Agreement (“DPA”) is effective as of the date the Customer accepts the SecValley Terms of Service or executes an order form referencing this DPA (the “Effective Date”).
RECITALS
WHEREAS, Customer has entered into a subscription agreement with SecValley for cloud security posture management services, including automated CIS benchmark assessments of Customer’s Microsoft Azure, Entra ID, and Microsoft 365 environments (the “Services”);
WHEREAS, in the course of providing the Services, SecValley will process Personal Data on behalf of Customer as a data processor;
WHEREAS, the Parties wish to ensure that such processing is conducted in compliance with applicable data protection laws, including but not limited to Regulation (EU) 2016/679 (the “GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), and other applicable US state privacy laws;
NOW, THEREFORE, the Parties agree as follows:
1. DEFINITIONS
1.1 “Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to the processing activities under this DPA, including but not limited to the GDPR, CCPA/CPRA, VCDPA, CPA, CTDPA, and any other applicable data protection legislation as amended, replaced, or superseded from time to time.
1.2 “Authorized Sub-processor” means a third party appointed by SecValley to process Personal Data on behalf of the Customer, as listed in Annex C and subject to the provisions of Section 9 of this DPA.
1.3 “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the Customer is the Controller.
1.4 “Customer Data” means all data, including Personal Data, that is submitted to, stored in, or collected through the Services by or on behalf of the Customer.
1.5 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by SecValley on behalf of the Customer.
1.6 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.7 “EEA” means the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein, and Norway.
1.8 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.9 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law. For CCPA/CPRA purposes, this includes “Personal Information” as defined in Cal. Civ. Code Section 1798.140(v). For GDPR purposes, this includes “personal data” as defined in Article 4(1).
1.10 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.11 “Processor” means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, SecValley is the Processor.
1.12 “Restricted Transfer” means a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the relevant authority.
1.13 “Scan Data” means the configuration metadata, security posture findings, control evaluation results, and related technical data collected by the Services during automated security assessments of Customer’s cloud environments.
1.14 “Services” means the SecValley cloud security posture management platform and all associated services as described in the applicable subscription agreement, including automated CIS benchmark assessments for Azure Security, Entra ID, and Microsoft 365 environments, with control coverage as published on SecValley’s website and updated periodically as security benchmarks evolve.
1.15 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.16 “Sub-processor” has the same meaning as “Authorized Sub-processor.”
1.17 “Subscription Agreement” means the Terms of Service, order form, or other written agreement between Customer and SecValley governing the provision of the Services.
1.18 “Supervisory Authority” means an independent public authority that is established by a Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory body under other Applicable Data Protection Laws.
1.19 “Technical and Organizational Measures” or “TOMs” means the security measures implemented by SecValley to protect Personal Data, as described in Annex B to this DPA.
2. SCOPE AND PURPOSE OF PROCESSING
2.1 Scope. This DPA applies to all Processing of Personal Data by SecValley on behalf of Customer in connection with the provision of the Services under the Subscription Agreement. This DPA supplements and is incorporated into the Subscription Agreement.
2.2 Roles. The Customer is the Controller and SecValley is the Processor with respect to Customer Data processed under this DPA. Where the Customer acts as a processor on behalf of a third-party controller, SecValley shall be considered a sub-processor, and Customer warrants that it has obtained all necessary authorizations from the relevant controller to engage SecValley as a sub-processor.
2.3 Purpose of Processing. SecValley processes Personal Data solely to provide the Services, which include:
Conducting automated read-only security assessments of Customer’s Azure, Entra ID, and Microsoft 365 environments using certificate-based service principal authentication (no agents installed, no write access);
Evaluating Customer’s security posture against industry benchmarks, including Center for Internet Security (CIS) benchmarks;
Storing assessment results, control evaluation outcomes, and vulnerability findings for historical comparison and trend analysis;
Generating optional AI-powered executive security reports (vCISO reports) using aggregated and anonymized scan metrics only, with no Personal Data transmitted to AI models;
Providing dashboards, compliance reports, and export capabilities for Customer’s security teams;
Delivering platform communications including security notifications, account verification, and service alerts; and
Maintaining audit logs and system logs for platform integrity, security incident investigation, and compliance purposes.
2.4 No Sale or Sharing. SecValley shall not sell, share (as those terms are defined under CCPA/CPRA), or otherwise make available Customer’s Personal Data to third parties for monetary or other valuable consideration, cross-context behavioral advertising, or any purpose other than providing the Services.
2.5 No Commingling. SecValley shall not combine Customer’s Personal Data with Personal Data received from or on behalf of other customers or collected from SecValley’s own interactions with Data Subjects, except as reasonably necessary for the provision of the Services (such as platform authentication and session management for Customer’s authorized users).
3. DURATION OF PROCESSING
3.1 SecValley shall process Personal Data for the duration of the Subscription Agreement, unless earlier terminated in accordance with its terms.
3.2 Upon termination or expiration of the Subscription Agreement, SecValley shall comply with its obligations under Section 16 (Data Return and Deletion) of this DPA.
3.3 The obligations under this DPA shall survive any termination or expiration of the Subscription Agreement to the extent SecValley continues to process Personal Data.
4. NATURE AND PURPOSE OF PROCESSING
4.1 The nature of processing involves the automated collection, storage, analysis, and display of configuration metadata and security posture data from Customer’s Microsoft cloud environments. Processing activities include:
Collection: Read-only API queries to Microsoft’s cloud management APIs to retrieve configuration metadata, user directory information, sign-in logs, risk detections, application registrations, resource configurations, and activity reports;
Storage: Persisting Scan Data in encrypted databases with per-organization logical segregation, and caching interim processing data in encrypted in-memory stores;
Analysis: Automated evaluation of collected data against security controls across three scanner types (Azure Security, Entra ID, Microsoft 365), producing control pass/fail determinations, severity classifications, and remediation recommendations;
Aggregation: Computing security scores, compliance percentages, trend analysis, and posture summaries;
AI Processing (optional): Generating vCISO executive reports using Azure OpenAI Service, with a data sanitization pipeline that masks all Personal Data (emails, names, IP addresses, identifiers) before transmission, sending only aggregated category scores, control titles, and summary statistics to the AI model;
Display and Export: Rendering assessment results in web dashboards and generating PDF/Excel reports for download by authorized users;
Retention Management: Enforcing configurable data retention policies (1 to 7 years) with automated deletion of expired data and PII stripping from historical evaluation records; and
Credential Management: Storing Customer-provided service principal credentials using industry-standard encryption at the application layer, with certificate material secured in enterprise secrets management infrastructure.
4.2 SecValley does not access the content of Customer’s emails, chat messages, documents, calendar entries, database records, storage blob contents, Key Vault secret values, virtual machine disk data, or network traffic. The Services collect only configuration metadata and activity summary metrics necessary for security posture assessment.
5. TYPES OF PERSONAL DATA PROCESSED
5.1 The categories of Personal Data processed by SecValley in connection with the Services include:
User Directory Metadata: User principal names (email addresses), display names, account status (enabled/disabled), MFA registration status and method types (excluding phone numbers), role assignments (such as Global Administrator), last sign-in timestamps, and group memberships from Customer’s Entra ID directory;
Sign-in and Risk Data: Sign-in log metadata including timestamps, IP addresses, geographic location (city and country), device information (browser, operating system), and success/failure status; Identity Protection risk detections including risky user identifiers, risk levels, and risk event types;
Application and Service Principal Data: Application registrations, service principal configurations, OAuth consent grants, delegated permissions, and credential expiration status, which may include names of individuals who registered applications;
Activity Reports (Microsoft 365): Per-user email activity metrics (send/receive/read counts), Teams activity metrics (message/meeting/call counts), and OneDrive/SharePoint usage metrics, linked to user display names and email addresses;
Platform Account Data: Customer’s authorized user email addresses, display names, organization membership, and role assignments within the SecValley platform;
Authentication and Session Data: Hashed passwords, session identifiers, refresh tokens (cryptographically generated, rotated on use), and time-limited one-time password codes for SecValley platform authentication; and
Billing Data (passed to Stripe): Customer billing contact name, email address, and payment method identifiers, processed by Stripe Inc. under its own data processing terms.
5.2 SecValley does not intentionally collect special categories of data (Article 9 GDPR) or sensitive personal information (as defined under CCPA/CPRA). If such data is inadvertently present in Customer’s cloud environment metadata, SecValley’s PII masking pipeline will redact it from logs and AI processing inputs.
6. CATEGORIES OF DATA SUBJECTS
6.1 The Data Subjects whose Personal Data may be processed under this DPA include:
Customer’s Employees and Contractors: Users listed in Customer’s Entra ID directory whose identity metadata, sign-in activity, MFA status, role assignments, and productivity metrics are collected during security assessments;
Customer’s IT Administrators: Users with privileged roles (Global Administrator, Security Administrator, etc.) whose configuration actions and access patterns are evaluated;
Customer’s Authorized Platform Users: Individuals granted access to the SecValley platform by Customer, whose platform account data and authentication events are processed;
Application Owners: Individuals identified as owners or creators of application registrations and service principals in Customer’s Entra ID environment; and
Guest and External Users: External users present in Customer’s Entra ID directory (B2B guests) whose directory metadata may be included in scan results.
7. OBLIGATIONS OF THE PROCESSOR (SecValley)
7.1 Processing Instructions. SecValley shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. If SecValley is required by law to process Personal Data for any other purpose, SecValley shall inform the Customer of that legal requirement before processing, unless prohibited from doing so by law. The Customer’s instructions are documented in this DPA (including Annex A), the Subscription Agreement, and any additional written instructions agreed upon by the Parties.
7.2 Confidentiality. SecValley shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Data is restricted through role-based access control to SecValley personnel who require such access for the provision of the Services.
7.3 Security. SecValley shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as described in Annex B to this DPA and in accordance with Article 32 of the GDPR. SecValley shall regularly test, assess, and evaluate the effectiveness of these measures.
7.4 Sub-processor Engagement. SecValley shall comply with the requirements of Section 9 of this DPA with respect to the engagement of Sub-processors.
7.5 Data Subject Rights Assistance. SecValley shall assist the Customer, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, as further described in Section 11.
7.6 Assistance with Compliance Obligations. SecValley shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 through 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to SecValley.
7.7 Data Deletion and Return. Upon termination of the Services, SecValley shall, at the Customer’s election, return or delete all Personal Data as described in Section 16, unless applicable law requires continued storage.
7.8 Audit and Inspection. SecValley shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as described in Section 15.
7.9 Notification of Conflicting Instructions. SecValley shall immediately inform the Customer if, in SecValley’s opinion, an instruction infringes the GDPR or other applicable data protection provisions.
7.10 Data Minimization. SecValley shall process only the minimum amount of Personal Data necessary to provide the Services. The Services operate on a read-only basis, collecting only configuration metadata and summary metrics required for security assessment. SecValley’s scan architecture is specifically designed to exclude content data (email bodies, documents, chat messages) from collection.
7.11 PII Masking. SecValley implements automated PII detection and masking in the following contexts:
Logging: All application logs are processed through a PII masking pipeline that redacts personal identifiers, credentials, financial data, and authentication tokens before storage;
AI Processing: Before any data is transmitted to Azure OpenAI Service for vCISO report generation, a dedicated data sanitization service removes or masks all Personal Data categories before transmission; and
AI Input Validation: Automated safeguards to prevent unauthorized data extraction through adversarial inputs.
7.12 Records of Processing Activities. SecValley shall maintain a record of all categories of processing activities carried out on behalf of the Customer, in accordance with Article 30(2) of the GDPR.
8. OBLIGATIONS OF THE CONTROLLER (Customer)
8.1 Lawful Basis. Customer warrants that it has a lawful basis for the processing of Personal Data under this DPA, including obtaining any necessary consents or providing any required notices to Data Subjects.
8.2 Instructions. Customer is responsible for ensuring that its processing instructions to SecValley comply with Applicable Data Protection Laws. Customer acknowledges that the Services operate by making read-only API calls to Customer’s Microsoft cloud environments and that Customer is responsible for granting appropriate API permissions to SecValley’s service principal.
8.3 Data Accuracy. Customer is responsible for the accuracy of Personal Data provided to or accessible by SecValley through Customer’s cloud environments.
8.4 Compliance Assessment. Customer is responsible for determining that SecValley’s processing of Personal Data under this DPA meets Customer’s obligations under Applicable Data Protection Laws.
8.5 Security Configuration. Customer is responsible for:
Configuring appropriate access permissions for the service principal used by SecValley, following the principle of least privilege (read-only access);
Managing authorized user accounts and roles within the SecValley platform;
Implementing MFA for all platform user accounts;
Protecting service principal certificates and revoking access if compromise is suspected; and
Configuring data retention settings within the platform to meet Customer’s legal and regulatory obligations, within the range of 1 to 7 years provided by the Services.
8.6 Notification of Issues. Customer shall promptly notify SecValley of any Data Subject request, regulatory inquiry, or complaint related to the processing of Personal Data under this DPA.
9. SUB-PROCESSING
9.1 General Authorization. Customer hereby grants SecValley general written authorization to engage Sub-processors for the purpose of providing the Services, subject to the requirements of this Section 9.
9.2 Current Sub-processors. The Sub-processors authorized by Customer as of the Effective Date are listed in Annex C to this DPA.
9.3 Notification of Changes. SecValley shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, giving the Customer the opportunity to object to such changes.
9.4 Objection Procedure. If Customer objects to a new or replacement Sub-processor on reasonable grounds related to data protection, SecValley and Customer shall work in good faith to find a mutually acceptable solution. If no resolution is reached within thirty (30) days of SecValley’s receipt of the objection, Customer may terminate the affected Services without penalty by providing written notice to SecValley, and SecValley shall refund any prepaid fees for the terminated Services covering the period after the date of termination.
9.5 Sub-processor Obligations. SecValley shall:
Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA;
Ensure each Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures;
Remain fully liable to Customer for the performance of each Sub-processor’s obligations; and
Conduct due diligence on each Sub-processor’s data protection practices before engagement.
9.6 Sub-processor List. SecValley shall maintain and make available upon request an up-to-date list of Sub-processors, including the nature and location of processing performed by each Sub-processor.
10. INTERNATIONAL DATA TRANSFERS
10.1 Processing Location. SecValley processes all Customer Data within the United States, on Microsoft Azure infrastructure. All infrastructure components are deployed in the same Azure region.
10.2 Restricted Transfers. Where Customer’s Personal Data originates from Data Subjects in the EEA, the United Kingdom, or Switzerland, and is transferred to SecValley in the United States for processing, the Parties acknowledge this constitutes a Restricted Transfer. To provide appropriate safeguards for such transfers, the Parties agree to the Standard Contractual Clauses as set out in Annex D.
10.3 Standard Contractual Clauses (EEA). For transfers of Personal Data from the EEA, the Parties agree to be bound by the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor) or, where Customer acts as a processor on behalf of a third-party controller under Section 2.2, Module Three (Processor to Processor), as set forth in Annex D. The SCCs are incorporated into and form part of this DPA.
10.4 UK Transfers. For transfers of Personal Data from the United Kingdom, the Parties agree to be bound by the UK Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018), which is incorporated by reference.
10.5 Swiss Transfers. For transfers of Personal Data from Switzerland, the SCCs shall apply with the modifications required to comply with the Swiss Federal Act on Data Protection (“FADP”), including references to the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.
10.6 Supplementary Measures. In addition to the SCCs, SecValley implements the following supplementary measures to protect Personal Data transferred from the EEA, UK, or Switzerland:
Encryption in transit: All data transmitted between Customer’s Microsoft environments and SecValley infrastructure, and between SecValley components, is encrypted using TLS 1.2 or higher;
Encryption at rest: All Personal Data stored in databases and secrets management systems is encrypted using AES-256 encryption. Customer credentials are additionally encrypted at the application layer;
Access controls: Multi-layered access control including certificate-based service principal authentication (read-only), role-based access control with least privilege, mandatory MFA, and network segmentation;
Data minimization: The Services collect only configuration metadata and summary metrics, not content data, minimizing the volume and sensitivity of transferred Personal Data;
PII masking: Automated PII detection and masking in all log processing and AI data pipelines;
Transparency reporting: SecValley shall promptly notify Customer of any legally binding request for disclosure of Personal Data by a law enforcement authority or government body, unless otherwise prohibited by law; and
Legal assessment: SecValley has assessed that, in light of the nature and scope of processing, the measures described herein, and the applicable legal framework, the transfer does not undermine the level of protection guaranteed by the GDPR and the SCCs.
10.7 Transfer Impact Assessment. SecValley has conducted a transfer impact assessment in accordance with the guidance of the European Data Protection Board and has concluded that the supplementary measures described in Section 10.6, together with the SCCs, provide an essentially equivalent level of protection for Personal Data transferred to the United States. SecValley shall update this assessment as required by changes in law or circumstances.
11. DATA SUBJECT RIGHTS ASSISTANCE
11.1 SecValley shall assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including but not limited to:
Right of access (GDPR Article 15; CCPA Section 1798.100; VCDPA Section 59.1-577; CPA Section 6-1-1306; CTDPA Section 42-520);
Right to rectification / correction (GDPR Article 16; CCPA Section 1798.106; VCDPA Section 59.1-577; CPA Section 6-1-1306; CTDPA Section 42-520);
Right to erasure / deletion (GDPR Article 17; CCPA Section 1798.105; VCDPA Section 59.1-577; CPA Section 6-1-1306; CTDPA Section 42-520);
Right to restriction of processing (GDPR Article 18);
Right to data portability (GDPR Article 20; VCDPA Section 59.1-577; CPA Section 6-1-1306; CTDPA Section 42-520);
Right to object (GDPR Article 21);
Right to opt out of sale/sharing (CCPA Section 1798.120; VCDPA Section 59.1-577; CPA Section 6-1-1306; CTDPA Section 42-520); and
Right to non-discrimination for exercising privacy rights (CCPA Section 1798.125).
11.2 If SecValley receives a request directly from a Data Subject relating to Customer Data, SecValley shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless legally prohibited from doing so.
11.3 SecValley shall provide reasonable technical assistance to enable Customer to comply with Data Subject requests, including:
Providing data export functionality in a structured, commonly used, machine-readable format (Excel), together with PDF exports for human-readable reporting;
Deleting or anonymizing specific Personal Data upon Customer’s written instruction;
Providing information about the Personal Data categories processed in relation to specific Data Subjects; and
Implementing processing restrictions as directed by Customer.
11.4 SecValley may charge a reasonable fee for assistance with Data Subject requests that are manifestly unfounded, excessive, or that require disproportionate effort, provided that SecValley notifies Customer of the fee in advance.
12. DATA PROTECTION IMPACT ASSESSMENT COOPERATION
12.1 SecValley shall provide reasonable assistance to the Customer with any data protection impact assessment (“DPIA”) required under Article 35 of the GDPR, or any similar assessment required under other Applicable Data Protection Laws, where such assessment relates to the processing of Personal Data under this DPA.
12.2 Such assistance shall include providing:
A description of the processing activities performed by SecValley;
Information about the Technical and Organizational Measures implemented by SecValley (as described in Annex B);
Information about Sub-processors and their processing activities (as described in Annex C);
The results of any security audits, penetration tests, or vulnerability assessments conducted by SecValley, to the extent reasonably relevant and not subject to confidentiality restrictions; and
Any other information reasonably required by the Customer to complete the DPIA.
12.3 SecValley shall assist the Customer with any prior consultation with a Supervisory Authority under Article 36 of the GDPR where such consultation relates to processing under this DPA.
13. SECURITY MEASURES
13.1 SecValley shall implement and maintain the Technical and Organizational Measures described in Annex B to this DPA. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
13.2 SecValley shall regularly monitor, test, and update the security measures to ensure continued effectiveness. SecValley performs security assessments of its platform, including code review and security testing as part of its secure software development lifecycle.
13.3 SecValley may update the Technical and Organizational Measures from time to time, provided that any update does not materially diminish the overall level of protection afforded to Personal Data. SecValley shall notify Customer of any material changes to the security measures.
13.4 Customer acknowledges that the security measures are subject to technical progress and development and that SecValley may update the measures as necessary, provided SecValley does not materially decrease the overall security of the Services during the term of the Subscription Agreement.
14. DATA BREACH NOTIFICATION
14.1 Notification to Customer. SecValley shall notify the Customer without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Data Breach affecting Customer Data. Notification shall be made to the email address associated with the Customer’s organization owner account, or to such other contact as the Customer may designate in writing.
14.2 Content of Notification. The notification shall include, to the extent reasonably available:
A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
The name and contact details of SecValley’s data protection contact point;
A description of the likely consequences of the Data Breach;
A description of the measures taken or proposed to be taken by SecValley to address the Data Breach, including measures to mitigate its possible adverse effects; and
A timeline of events related to the Data Breach.
14.3 Ongoing Cooperation. SecValley shall:
Take immediate steps to contain and mitigate the Data Breach;
Cooperate with the Customer’s investigation of the Data Breach;
Provide the Customer with timely updates as additional information becomes available;
Preserve and provide to the Customer relevant forensic evidence and logs; and
Assist the Customer in fulfilling any obligation to notify Supervisory Authorities (within the GDPR’s 72-hour timeline under Article 33) and Data Subjects (under GDPR Article 34, the California data breach notification statute at Cal. Civ. Code Section 1798.82, and other applicable laws).
14.4 No Public Disclosure. SecValley shall not make any public disclosure regarding a Data Breach affecting Customer Data without Customer’s prior written consent, unless required by applicable law.
14.5 Customer Notification Obligations. The Customer is responsible for determining whether a Data Breach triggers notification obligations under Applicable Data Protection Laws and for making any required notifications to Supervisory Authorities and Data Subjects. SecValley shall provide reasonable cooperation to support such notifications.
15. AUDIT RIGHTS
15.1 Information and Documentation. SecValley shall make available to the Customer all information reasonably necessary to demonstrate compliance with SecValley’s obligations under this DPA and under Article 28 of the GDPR.
15.2 Audit Right. Customer, or a qualified independent third-party auditor appointed by Customer and approved by SecValley (such approval not to be unreasonably withheld), may conduct audits, including inspections, of SecValley’s processing activities under this DPA, subject to the following conditions:
Customer shall provide SecValley with at least thirty (30) days’ prior written notice of any audit;
Audits shall be conducted during SecValley’s normal business hours and shall not unreasonably disrupt SecValley’s operations;
Customer’s auditor shall execute a confidentiality agreement acceptable to SecValley before accessing any SecValley premises or systems;
Audits shall be limited to verification of compliance with this DPA and shall not extend to accessing other customers’ data or SecValley’s proprietary intellectual property;
Customer shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by SecValley, in which case SecValley shall bear reasonable audit costs; and
Customer shall be entitled to conduct no more than one (1) audit per twelve (12) month period, unless a Data Breach has occurred or a Supervisory Authority requires or requests an additional audit.
15.3 Alternative Compliance Evidence. SecValley may satisfy the audit requirement by providing the Customer with:
Copies of relevant third-party audit reports, certifications, or attestations (such as SOC 2 Type II reports, ISO 27001 certificates, or equivalent);
Responses to reasonable written questions regarding SecValley’s data protection practices; and/or
Results of penetration testing or vulnerability assessment reports, redacted as necessary to protect security.
Customer may still exercise its audit rights under Section 15.2 if the alternative compliance evidence is insufficient to demonstrate compliance.
15.4 Supervisory Authority Audits. SecValley shall cooperate with any audit or inspection conducted by a Supervisory Authority, to the extent such audit relates to the processing of Customer Data under this DPA.
16. DATA RETURN AND DELETION
16.1 During the Subscription. During the term of the Subscription Agreement, Customer may:
Export Scan Data at any time through the Services’ built-in PDF and Excel export functionality;
Configure data retention periods for scan assessment data, evaluation PII, and resolved vulnerability data within a range of 1 year (365 days) to 7 years (2,555 days);
Request deletion of specific Scan Data or Personal Data by contacting SecValley support; and
Delete connections (tenants) through the platform interface, which will trigger credential deletion.
16.2 Upon Termination. Upon termination or expiration of the Subscription Agreement:
Transition Period. SecValley shall make Customer Data available for export for a period of thirty (30) days following termination (“Transition Period”);
Deletion. Following the Transition Period, SecValley shall delete all Customer Data, including Personal Data, from its production systems and active databases within thirty (30) days, subject to Section 16.3;
Credential Destruction. Service principal certificates and encrypted credential data shall be deleted within ninety (90) days following subscription expiry; Customer may trigger earlier deletion by deleting the relevant connection under Section 16.1;
Backup Deletion. Customer Data in backup systems shall be deleted in the normal course of backup rotation, within ninety (90) days following deletion from production systems; and
Confirmation. SecValley shall provide written confirmation of deletion upon Customer’s written request.
16.3 Exceptions to Deletion. SecValley may retain limited Personal Data after the periods described in Section 16.2 where:
Retention is required by applicable law or regulation;
Data is contained in system logs required for security incident investigation or compliance purposes (SecValley retains system logs for 12 months and audit logs as required for compliance);
Data has been anonymized such that it can no longer be attributed to an identified or identifiable Data Subject; or
Data is necessary for the establishment, exercise, or defense of legal claims.
Where data is retained under this Section, SecValley shall continue to protect it in accordance with this DPA and process it only for the stated retention purpose.
16.4 Anonymization. Where SecValley retains data in anonymized form for statistical, benchmarking, or service improvement purposes, such anonymization shall be irreversible, and the resulting data shall not constitute Personal Data under Applicable Data Protection Laws.
17. LIABILITY
17.1 The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Subscription Agreement, to the extent permitted by applicable law.
17.2 Nothing in this DPA shall limit either Party’s liability for:
Breaches of confidentiality obligations;
Indemnification obligations under the SCCs;
Liability that cannot be excluded or limited under applicable law; or
Either Party’s obligations to Data Subjects under Applicable Data Protection Laws.
17.3 Processor Liability. SecValley shall be liable for damage caused by processing only where it has not complied with obligations of Applicable Data Protection Laws specifically directed to processors, or where it has acted outside of or contrary to the Customer’s lawful instructions.
17.4 Indemnification. Each Party shall indemnify the other Party against all claims, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising from the indemnifying Party’s breach of this DPA, subject to the limitations set forth in the Subscription Agreement.
18. US STATE PRIVACY LAW PROVISIONS
This Section 18 applies to the extent that SecValley processes Personal Data that is subject to US state privacy laws on behalf of the Customer.
18.1 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
18.1.1 Service Provider Status. To the extent that SecValley processes Personal Information (as defined in Cal. Civ. Code Section 1798.140(v)) on behalf of Customer, SecValley acts as a “Service Provider” (as defined in Cal. Civ. Code Section 1798.140(ag)). SecValley certifies that it understands and will comply with the restrictions applicable to Service Providers under the CCPA/CPRA.
18.1.2 Processing Limitations. SecValley shall not:
Sell or share (as defined in Cal. Civ. Code Sections 1798.140(ad) and 1798.140(ah)) the Personal Information;
Retain, use, or disclose the Personal Information for any purpose other than the business purposes specified in the Subscription Agreement and this DPA, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services;
Retain, use, or disclose the Personal Information outside of the direct business relationship between SecValley and the Customer;
Combine the Personal Information with Personal Information received from or on behalf of another person, or collected from SecValley’s own consumer interactions, except as permitted under Cal. Civ. Code Section 1798.140(ag)(1)(A)(i)-(iv); or
Use any deidentified data derived from Customer’s Personal Information except as permitted under applicable law.
18.1.3 CCPA Consumer Rights Cooperation. SecValley shall cooperate with Customer to enable Customer’s compliance with consumer rights requests under CCPA/CPRA Sections 1798.100 through 1798.125, including requests to know, delete, correct, and opt out. SecValley shall enable Customer to comply with such requests through the data export, deletion, and management features of the Services, and through direct cooperation as described in Section 11.
18.1.4 Notification of Inability to Comply. SecValley shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA as a Service Provider. Upon such notification, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, including terminating the Subscription Agreement.
18.1.5 Compliance Certification. SecValley certifies that it understands and will comply with the requirements of Sections 18.1.1 through 18.1.4 and the obligations of a Service Provider under the CCPA/CPRA.
18.2 Virginia Consumer Data Protection Act (VCDPA)
18.2.1 Processor Status. To the extent that SecValley processes Personal Data subject to the VCDPA, SecValley acts as a “Processor” (as defined in Va. Code Section 59.1-575). SecValley shall adhere to the instructions of the Customer and shall assist the Customer in meeting its obligations under the VCDPA.
18.2.2 Obligations. SecValley shall:
Ensure that each person processing Personal Data is subject to a duty of confidentiality with respect to the data;
At the Customer’s direction, delete or return all Personal Data to the Customer at the end of the provision of the Services, unless retention is required by law;
Upon reasonable request, make available to the Customer all information in SecValley’s possession necessary to demonstrate SecValley’s compliance with the obligations in the VCDPA;
Allow and cooperate with reasonable assessments by the Customer, or arrange for a qualified assessor to conduct an assessment of SecValley’s policies and technical and organizational measures for compliance;
Engage Sub-processors only pursuant to a written contract that requires the Sub-processor to meet the obligations of the Processor with respect to the Personal Data; and
Provide assistance to the Customer with Consumer Rights Requests under VCDPA Section 59.1-577, including the right to access, correct, delete, obtain a copy of, and opt out of the processing of Personal Data for targeted advertising.
18.3 Colorado Privacy Act (CPA)
18.3.1 Processor Status. To the extent that SecValley processes Personal Data subject to the CPA, SecValley acts as a “Processor” (as defined in C.R.S. Section 6-1-1303(17)). This DPA constitutes the binding contract required by C.R.S. Section 6-1-1305(2).
18.3.2 Obligations. SecValley shall:
Adhere to the Customer’s instructions and assist the Customer in meeting its obligations under the CPA, including obligations related to the security of processing Personal Data and notification of a security breach;
Ensure that each person processing Personal Data is subject to a duty of confidentiality;
At the Customer’s direction, delete or return all Personal Data upon the end of the provision of the Services;
Make available to the Customer, upon reasonable request, all information necessary to demonstrate compliance with the CPA;
Allow and cooperate with reasonable assessments by the Customer or arrange for a qualified assessor to conduct an assessment, and provide the results to the Customer upon request;
Engage Sub-processors only pursuant to a written contract that requires the Sub-processor to meet SecValley’s obligations under this DPA; and
Provide reasonable assistance with data protection assessments required under C.R.S. Section 6-1-1309.
18.4 Connecticut Data Privacy Act (CTDPA)
18.4.1 Processor Status. To the extent that SecValley processes Personal Data subject to the CTDPA, SecValley acts as a “Processor” (as defined in Conn. Gen. Stat. Section 42-515(27)). This DPA constitutes the binding contract required by Conn. Gen. Stat. Section 42-522(a).
18.4.2 Obligations. SecValley shall:
Ensure that each person processing Personal Data is subject to a duty of confidentiality;
At the Customer’s direction, delete or return all Personal Data at the end of the provision of the Services, unless retention is required by law;
Upon reasonable request, make available to the Customer all information in SecValley’s possession necessary to demonstrate compliance with the CTDPA;
Allow and cooperate with reasonable assessments by the Customer, or arrange for a qualified assessor to conduct an assessment;
Engage Sub-processors only pursuant to a written contract that requires compliance with the CTDPA; and
Provide reasonable assistance for data protection assessments required under Conn. Gen. Stat. Section 42-524.
18.5 Additional US State Privacy Laws
18.5.1 To the extent that other US state privacy laws apply to the processing of Customer Data (including but not limited to the Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, and Utah Consumer Privacy Act), SecValley shall comply with the obligations imposed on processors under such laws, consistent with the obligations described in Sections 18.1 through 18.4 above.
18.5.2 SecValley shall monitor the enactment and effective dates of new US state privacy laws and shall update its processing practices as necessary to maintain compliance. SecValley shall notify the Customer of any material changes required by new legislation.
19. GENERAL PROVISIONS
19.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws specified in the Subscription Agreement, except that the SCCs (Annex D) shall be governed by the law of the EU Member State in which the data exporter is established, or, where the data exporter is not established in an EU Member State, the laws of Ireland.
19.2 Order of Precedence. In the event of a conflict between this DPA and the Subscription Agreement, the terms of this DPA shall prevail with respect to data protection matters. In the event of a conflict between the body of this DPA and the SCCs (Annex D), the SCCs shall prevail.
19.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, that provision shall be enforced to the maximum extent permissible, and the other provisions shall remain in full force and effect.
19.4 Amendments. This DPA may be amended only by a written instrument signed by both Parties. SecValley may update the Technical and Organizational Measures (Annex B) and the Sub-processor List (Annex C) in accordance with Sections 13.3 and 9.3, respectively.
19.5 Entire Agreement. This DPA, together with the Subscription Agreement and the Annexes hereto, constitutes the entire agreement between the Parties regarding the subject matter hereof and supersedes all prior negotiations, representations, and agreements relating to this subject matter.
19.6 Notices. All notices under this DPA shall be in writing and delivered to the addresses specified in the Subscription Agreement, or to such other addresses as the Parties may designate in writing.
19.7 No Third-Party Beneficiaries. Except as provided in the SCCs with respect to Data Subjects, this DPA does not confer any rights on any third party.
ANNEX A: PROCESSING DETAILS
Required by GDPR Article 28(3)
A.1 Subject Matter and Duration of Processing
| Element | Detail |
|---|---|
| Subject matter | Processing of Personal Data in connection with cloud security posture management services |
| Duration | The term of the Subscription Agreement between Customer and SecValley |
| Post-termination | 30-day transition period for data export, followed by deletion within 30 days (production) and 90 days (backups); credential deletion within 90 days of subscription expiry |
A.2 Nature and Purpose of Processing
| Processing Activity | Purpose | Lawful Basis (Controller’s Determination) |
|---|---|---|
| Collection of Entra ID user directory metadata via Microsoft Graph API | Evaluate identity security controls (MFA enforcement, privileged role assignments, account hygiene, sign-in risk) | Legitimate interest in security / Contractual necessity |
| Collection of sign-in logs and risk detections | Assess authentication security, detect anomalies, evaluate conditional access effectiveness | Legitimate interest in security |
| Collection of application and service principal configurations | Identify excessive permissions, expired credentials, OAuth consent risks | Legitimate interest in security |
| Collection of Azure resource configuration metadata | Evaluate infrastructure security against CIS benchmarks | Legitimate interest in security / Contractual necessity |
| Collection of M365 activity reports (per-user metrics) | Assess adoption of security features, identify inactive accounts, evaluate productivity tool usage patterns | Legitimate interest in security |
| Storage of assessment results in encrypted database | Historical comparison, trend analysis, compliance reporting | Contractual necessity |
| Automated control evaluation against CIS benchmark controls | Security posture scoring, gap identification, remediation prioritization | Contractual necessity |
| AI-powered report generation (vCISO) | Executive-level security insights using aggregated/anonymized data only (no PII sent to AI model) | Contractual necessity / Consent (opt-in feature) |
| Platform authentication and session management | Verify identity of authorized users, prevent unauthorized access | Contractual necessity |
| Billing data processing via Stripe | Subscription management and payment processing | Contractual necessity |
| System and audit logging | Platform integrity, security investigation, compliance | Legitimate interest / Legal obligation |
A.3 Categories of Personal Data
| Category | Specific Data Elements | Sensitivity Level |
|---|---|---|
| Identity data | User principal names (email), display names | Standard |
| Account data | Account enabled/disabled status, creation date, last sign-in | Standard |
| Authentication data | MFA registration status, method types (no phone numbers), conditional access policy evaluation results | Standard |
| Authorization data | Role assignments (Global Admin, etc.), group memberships, admin unit assignments | Standard |
| Sign-in metadata | Timestamps, IP addresses, geographic location (city/country), device info (browser/OS), success/failure | Standard |
| Risk data | Risk levels, risk event types, risky user flags | Standard |
| Application data | App registration owner names, OAuth consent grants, permission assignments | Standard |
| Activity metrics | Per-user email/Teams/OneDrive/SharePoint usage counts linked to names and emails | Standard |
| Platform account data | User email, display name, organization role, session data, hashed password | Standard |
| Billing data | Billing contact name, email, payment method (processed by Stripe) | Standard |
A.4 Categories of Data Subjects
| Category | Relationship to Controller |
|---|---|
| Customer employees and contractors | Listed in Customer’s Entra ID directory |
| Customer IT administrators | Privileged role holders in Customer’s environment |
| Customer authorized platform users | Individuals granted access to SecValley platform |
| Application owners | Owners/creators of app registrations in Customer’s Entra ID |
| Guest/external users | B2B guest accounts in Customer’s Entra ID directory |
| Customer billing contacts | Individuals associated with Customer’s billing account |
A.5 Data Retention Schedule
| Data Type | Default Retention | Customer-Configurable Range | Post-Retention Action |
|---|---|---|---|
| Scan assessment data | 1 year (365 days) | 1-7 years (365-2,555 days) | Automated deletion |
| User directory PII in evaluations | 1 year (365 days) | 1-7 years (365-2,555 days) | PII auto-stripped, anonymized records retained |
| Resolved vulnerabilities | 1 year (365 days) | 1-7 years (365-2,555 days) | Automated deletion |
| Connection credentials | Duration of subscription | Not configurable | Deleted within 90 days of subscription expiry |
| System logs | 12 months | Not configurable | Automated rotation |
| Audit logs | 7 years | Not configurable | Retained for compliance and regulatory purposes (anonymized where possible) |
| Platform account data | Duration of account | Not configurable | Deleted upon account termination + transition period |
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
Pursuant to GDPR Article 32 and Article 28(3)(c)
B.1 Encryption
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or later enforced on all connections. HSTS enabled with the preload directive. Web application firewall and DDoS protection on all public endpoints. |
| Encryption at rest (infrastructure) | AES-256 encryption for all infrastructure components including database, cache, storage, and secrets management. |
| Encryption at rest (application) | Customer service principal credentials encrypted using industry-standard encryption with per-record salts and key derivation. Key rotation supported. Certificate material stored in enterprise secrets management infrastructure. |
| Cookie security | HttpOnly flag on all authentication cookies. Secure flag enforced in production. SameSite attributes configured per cookie type to balance security with cross-origin functionality. |
B.2 Access Control
| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication required for all platform users: email/password login (passwords stored using industry-standard password hashing) followed by a time-limited one-time code delivered by email as the second factor. Short-lived access tokens with rotating refresh tokens (reuse detection enabled). |
| Account lockout | Failed login attempts within a defined window trigger account lockout. Rate limiting on authentication endpoints. |
| Role-based access control | Multi-tier organization role system with granular permissions. Fail-closed permission model (access denied by default). |
| Tenant isolation | Centralized tenant access validation ensures organization membership before granting access to any tenant data. All data queries enforce organization-level isolation. |
| Service principal access | Certificate-based authentication to Customer Microsoft environments. Read-only permissions only. No write access, no agent installation, no persistent credentials in Customer environments. |
| CSRF protection | Token-based CSRF protection with cryptographically secure tokens. Constant-time comparison to prevent timing attacks. Enforced on all state-changing requests. |
B.3 Network Security
| Measure | Implementation |
|---|---|
| Azure Front Door | Web Application Firewall (WAF) with DDoS protection. Origin validation blocks direct access to API in production. |
| Network segmentation | Database and cache infrastructure deployed with network isolation and private endpoints. Not accessible from public internet. |
| Rate limiting | Multi-tier rate limiting applied across platform endpoints to prevent abuse and ensure service availability. |
B.4 Data Minimization and Privacy
| Measure | Implementation |
|---|---|
| Read-only scanning | All security assessments performed exclusively through read-only API calls to Customer’s cloud environments. No modifications or write operations are performed. |
| Content exclusion | Services architecturally exclude collection of email content, chat messages, documents, calendar entries, database records, storage contents, vault secrets, and network traffic. |
| PII masking in logs | Automated logging pipeline with multi-category PII masking covering credentials, personal identifiers, financial data, and authentication tokens. Sensitive values are redacted before log persistence. |
| PII masking in AI pipeline | Personal data is automatically sanitized before transmission to AI services. Input validation safeguards prevent unauthorized data extraction. |
| Data retention enforcement | Customer-configurable retention with database-enforced constraints (minimum 1 year, maximum 7 years). Automated cron-based deletion of expired data. PII auto-stripping from historical evaluation records. |
B.5 Incident Detection and Response
| Measure | Implementation |
|---|---|
| Security alerting | Centralized security event alerting service with structured logging and email notification for security events. |
| Audit logging | Comprehensive audit trail for security-relevant actions including authentication events, permission changes, scan operations, and data access. Audit logs retained for compliance. |
| Log correlation | Correlation ID system (UUID per request) enables end-to-end tracing across API, queue, and worker components. |
| System logging | Application logs stored with automated partitioning and 12-month retention. |
| Breach notification | 72-hour notification commitment to Customer. Internal incident response procedures for containment, investigation, and remediation. |
B.6 Application Security
| Measure | Implementation |
|---|---|
| Input validation | Schema validation middleware on all state-changing API routes. Unknown fields stripped by default (mass assignment prevention). |
| Secure SDLC | Code review required for all changes. Security testing integrated into development lifecycle. |
| Dependency management | Regular dependency updates and vulnerability scanning. |
| JWT security | Token signing algorithm pinned to prevent algorithm confusion attacks. Minimum secret length enforced at startup. |
| Webhook security | Stripe webhook signature verification. Idempotency through transactional “last INSERT” pattern. |
| Refresh token security | Cryptographic token generation. Single-use rotation. Reuse detection with family revocation. Active token limits enforced per user. |
B.7 Organizational Measures
| Measure | Implementation |
|---|---|
| Personnel | Confidentiality obligations for all personnel with access to Customer Data. |
| Access reviews | Regular review of access permissions and role assignments. |
| Vendor management | Data protection assessments for all Sub-processors. Written agreements with data protection obligations. |
| Business continuity | Azure-hosted infrastructure with built-in redundancy. Database backups with point-in-time recovery. |
| Data segregation | Multi-tenant architecture with organization-level data segregation enforced at application, middleware, and database query layers. |
ANNEX C: AUTHORIZED SUB-PROCESSOR LIST
As of the Effective Date of this DPA
C.1 Sub-processor List
| Sub-processor | Processing Activity | Data Processed | Location |
|---|---|---|---|
| Microsoft Corporation | Cloud infrastructure hosting (compute, database, caching, secrets management, network security, email delivery) | All Customer Data as necessary for Service provision, encrypted at rest and in transit | United States |
| Microsoft Corporation (Azure OpenAI Service) | AI-powered vCISO executive report generation (optional) | Aggregated and anonymized scan metrics only. No Personal Data, no user directory data, no credentials. Data sanitization enforced before transmission. Microsoft does not use customer data for model training. | United States |
| Stripe, Inc. | Payment processing, subscription management, billing | Customer billing contact name, email address, payment method tokens. No Scan Data shared with Stripe. Stripe acts as an independent controller for cardholder data under its own privacy policy. | United States |
C.2 Sub-processor Management
SecValley maintains this Sub-processor list and will:
Notify Customer at least thirty (30) days before adding or replacing any Sub-processor;
Provide updated Sub-processor lists upon request;
Enter into written agreements with each Sub-processor imposing data protection obligations consistent with this DPA;
Conduct due diligence on Sub-processor data protection practices before engagement; and
Remain fully liable for the acts and omissions of Sub-processors.
ANNEX D: STANDARD CONTRACTUAL CLAUSES
EU Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor
D.1 Incorporation of SCCs
The Parties agree that the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, Module 2 (Controller to Processor), are incorporated into this DPA by reference and shall apply to all Restricted Transfers of Personal Data from the EEA to SecValley in the United States.
The full text of the SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
D.2 Completion of the SCCs
The SCCs are completed as follows:
Clause 7 (Docking Clause): The optional docking clause IS included. Third parties may accede to the SCCs as a data exporter or data importer with the agreement of the existing Parties.
Clause 9(a) (Use of Sub-processors): OPTION 2 is selected (General written authorization). The data importer has the data exporter’s general authorization for the engagement of Sub-processors from the agreed list in Annex C. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Clause 11(a) (Redress): The optional clause on independent dispute resolution IS NOT included.
Clause 13(a) (Supervision): The supervisory authority of the EU Member State in which the data exporter is established shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR under Article 3(2) and has appointed a representative pursuant to Article 27(1), the supervisory authority of the Member State in which the representative is established shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State and is not required to appoint a representative, the Irish Data Protection Commission shall act as the competent supervisory authority.
Clause 17 (Governing Law): OPTION 1 is selected. The SCCs shall be governed by the law of the EU Member State in which the data exporter is established, provided such law allows for third-party beneficiary rights. Where the data exporter is not established in an EU Member State, the laws of Ireland shall govern.
Clause 18(b) (Choice of Forum and Jurisdiction): Any dispute arising from the SCCs shall be resolved by the courts of the EU Member State in which the data exporter is established. Where the data exporter is not established in an EU Member State, the courts of Ireland shall have jurisdiction.
D.3 SCC Annex I: Parties and Transfer Details
A. List of Parties
Data Exporter:
| Element | Detail |
|---|---|
| Name | The Customer identified in the Subscription Agreement |
| Address | As specified in the Subscription Agreement |
| Contact person | The organization owner or designated privacy contact |
| Activities relevant to the data transferred | Using SecValley’s cloud security posture management Services, which requires the transfer of configuration metadata, user directory data, and activity metrics from Customer’s Microsoft cloud environments to SecValley’s US-based infrastructure |
| Role | Controller |
Data Importer:
| Element | Detail |
|---|---|
| Name | SecValley Inc. |
| Address | As specified in the Subscription Agreement |
| Contact person | SecValley Data Protection Contact, privacy@secvalley.com |
| Activities relevant to the data transferred | Providing cloud security posture management services including automated CIS benchmark assessments, control evaluations, compliance reporting, and AI-powered executive reports |
| Role | Processor |
B. Description of Transfer
| Element | Detail |
|---|---|
| Categories of Data Subjects | Customer employees, contractors, IT administrators, application owners, guest/external users, billing contacts, and authorized platform users (as detailed in Annex A, Section A.4) |
| Categories of Personal Data | Identity data, account data, authentication data, authorization data, sign-in metadata, risk data, application data, activity metrics, platform account data, and billing data (as detailed in Annex A, Section A.3) |
| Sensitive data transferred | None intentionally. The Services do not target special categories of data. If special category data is incidentally present in configuration metadata, SecValley’s PII masking controls (Annex B, Section B.4) redact it from logs and from data sent to AI services; that masking applies to logs and AI inputs, not to the stored assessment results, which are retained under Annex A, Section A.5. |
| Frequency of the transfer | Continuous during the Subscription term. Security scans may be initiated on demand or on a scheduled basis (daily, weekly, or monthly). Platform authentication occurs continuously. |
| Nature of the processing | Collection, storage, organization, structuring, analysis, retrieval, consultation, use, disclosure by transmission (to authorized users), and erasure of cloud security posture data, as detailed in Section 4 and Annex A. |
| Purpose of the transfer | Provision of cloud security posture management services as described in Section 2.3 and Annex A, Section A.2. |
| Period of retention | In accordance with Annex A, Section A.5. Scan data: 1-7 years (customer configurable). Credentials: deleted within 90 days post-subscription. System logs: 12 months. |
C. Competent Supervisory Authority
The competent supervisory authority shall be identified in accordance with Clause 13(a) of the SCCs as specified in Section D.2 above.
D.4 SCC Annex II: Technical and Organizational Measures
The technical and organizational measures implemented by the data importer (SecValley) are described in Annex B to this DPA, which is incorporated by reference into this Annex II.
These measures include, as summarized:
Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), with additional application-layer encryption for credentials;
Multi-factor authentication, role-based access control with granular permissions, and certificate-based service principal authentication;
Network segmentation with VNet integration, private endpoints, and Web Application Firewall;
PII masking in logging and AI processing pipelines;
Input validation on all state-changing operations, CSRF protection, JWT algorithm pinning;
Audit logging, correlation ID tracing, and 12-month system log retention;
72-hour breach notification, security alerting, and incident response procedures;
Customer-configurable data retention (1-7 years) with automated deletion and PII stripping;
Multi-tenant data isolation at application, middleware, and query layers; and
Secure SDLC practices and personnel confidentiality obligations.
D.5 SCC Annex III: List of Sub-processors
The list of Sub-processors authorized by the data exporter is set forth in Annex C to this DPA, which is incorporated by reference.
D.6 UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, version B1.0 in force 21 March 2022) is incorporated by reference. The following additional information applies:
| UK Addendum Table | Detail |
|---|---|
| Table 1: Parties | As set out in Section D.3.A above |
| Table 2: Selected SCCs | Module 2 (Controller to Processor), with Clauses 7, 9(a) Option 2, 11(a) not included, 17 Option 1, 18(b), as specified in Section D.2 |
| Table 3: Appendix Information | As set out in Sections D.3, D.4, and D.5 above |
| Table 4: Ending the Addendum | Neither Party may end the UK Addendum as set out in Section 19 of the UK Addendum |
D.7 Swiss Federal Act on Data Protection
For transfers of Personal Data from Switzerland, the SCCs apply with the following modifications:
References to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
References to “EU,” “Union,” and “Member State law” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights;
References to the “competent supervisory authority” shall mean the Swiss Federal Data Protection and Information Commissioner; and
References to “applicable law” shall mean the FADP, as amended from time to time.
SIGNATURES
This DPA is entered into and becomes binding upon the Parties as of the Effective Date.
SecValley Inc. (Processor)
By: ___________________________
Name: _________________________
Title: __________________________
Date: __________________________
Customer (Controller)
By: ___________________________
Name: _________________________
Title: __________________________
Date: __________________________
IMPORTANT NOTICE
This Data Processing Agreement has been drafted based on SecValley’s technical architecture and processing activities as of the date of preparation. It is intended to be production-ready but should be reviewed by qualified privacy counsel in the applicable jurisdictions before execution. Regulatory interpretations can vary and are subject to change through enforcement actions, court decisions, and updated guidance from supervisory authorities. SecValley recommends that both parties obtain independent legal advice before relying on this DPA.