Bonterms-derivative DPA. This Data Processing Addendum substantially follows the Bonterms Data Processing Addendum framework and satisfies the requirements of GDPR Article 28 for Processor terms. It is incorporated by reference into the Terms of Service and applies whenever ElasticD3M, LLC processes Personal Data on Customer's behalf.
1. Definitions
Capitalized terms used but not defined here have the meanings given in the Terms of Service. For this DPA:
- "Applicable Data Protection Law" means the laws governing the processing of Personal Data applicable to the parties, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and UK Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and analogous comprehensive U.S. state privacy laws.
- "Personal Data" means information relating to an identified or identifiable natural person that ElasticD3M, LLC processes on Customer's behalf in connection with the Services.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Processing" has the meaning given in Applicable Data Protection Law.
- "Subprocessor" means any third party engaged by ElasticD3M, LLC to process Personal Data on its behalf.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission Decision (EU) 2021/914 of 4 June 2021, in the form applicable to the relevant transfer scenario.
- "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.
2. Roles of the Parties
For Personal Data processed in connection with the Services: Customer is the "Controller" (or "Business" under CCPA/CPRA) and ElasticD3M, LLC is the "Processor" (or "Service Provider" under CCPA/CPRA). ElasticD3M, LLC will Process Personal Data only on documented instructions from Customer, including as set forth in the Terms of Service, this DPA, and via the configuration choices Customer makes within the Services (e.g., which clouds to connect, what intake answers to submit). ElasticD3M, LLC will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Purpose and Duration of Processing
ElasticD3M, LLC Processes Personal Data for the purpose of providing the Aegis AI™ virtual-CISO Services described in the Terms of Service. Processing continues for the duration of Customer's subscription and the post-termination retention period described in Section 11.
4. Categories of Personal Data and Data Subjects (Annex I)
| Category | Examples | Data Subjects |
|---|---|---|
| Identity / Contact | Name, business email, business phone, job title | Customer's employees and authorized representatives |
| Configuration metadata | IAM principal names, account IDs, resource ARNs, security-control settings, audit-log metadata, identity-provider configuration | Indirectly: Customer's employees whose accounts appear in IAM/identity logs |
| Communications | Email content with ai4ciso.ai mailboxes, support tickets | Customer's personnel corresponding with ElasticD3M |
Out of scope. ElasticD3M, LLC does not knowingly process regulated payload contents (PHI under HIPAA, cardholder data under PCI-DSS, GDPR Article 9 special categories), customer-of-Customer Personal Data, or other regulated payloads. Customer agrees not to submit such data through the Services.
5. Subprocessors
ElasticD3M, LLC engages Subprocessors as listed in the Subprocessors List. Customer authorizes ElasticD3M, LLC to engage these Subprocessors and any future Subprocessors notified to Customer under this Section 5.
Change Notice. ElasticD3M, LLC will give Customer at least thirty (30) days' advance notice of any new Subprocessor that will process Customer Personal Data. Notice is given by updating the published Subprocessors List and emailing the primary account contact at the email on file. Customer may object to a new Subprocessor by written notice within thirty (30) days; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Services and receive a pro-rata refund of unused prepaid fees.
ElasticD3M, LLC remains liable for its Subprocessors' compliance with this DPA. Subprocessors are bound by data-protection obligations no less protective than those in this DPA.
6. Security Measures — Technical and Organizational Measures (Annex II)
ElasticD3M, LLC implements the following technical and organizational measures designed to protect Personal Data:
- Access control: Role-based access control with least-privilege defaults; multi-factor authentication required for production access; named-individual access only (no shared credentials).
- Encryption: AES-GCM encryption at rest for sensitive data; TLS 1.2 or higher in transit; isolated production credential storage with a dedicated key-management service.
- Network security: Production systems run in a private VPC; ingress restricted to documented ports; outbound traffic restricted to documented destinations; Cloudflare WAF in front of all public surfaces; periodic vulnerability scanning.
- Logging and monitoring: Signed audit logs for material database actions; centralized log aggregation with retention; alerting on anomalous access patterns; Sentry for application-error telemetry.
- Personnel: All personnel are subject to confidentiality obligations; security-awareness training is provided; background checks where permitted by local law.
- Incident response: Documented incident-response plan; Personal Data Breach notification to Customer within seventy-two (72) hours of confirmation.
- Resilience: Backup and recovery procedures tested at least annually; disaster-recovery plan documented; multi-region failover capability.
- Vendor management: Subprocessor due diligence performed at onboarding and at least annually.
- Pseudonymization and minimization: Configuration metadata is hashed for evidence-binder integrity; Personal Data not strictly needed for delivery is not collected.
7. Data Subject Rights
ElasticD3M, LLC will reasonably assist Customer in responding to data subject requests under Applicable Data Protection Law, including requests to access, correct, delete, restrict, port, or object to Processing of Personal Data. Customer is responsible for receiving and responding to data subject requests; ElasticD3M, LLC's assistance is provided on Customer's instructions and at no additional charge for reasonable volumes.
8. Personal Data Breach Notification
ElasticD3M, LLC will notify Customer at the email address on file within seventy-two (72) hours of confirming a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent then known: (a) the nature of the breach; (b) the categories and approximate number of affected data subjects and records; (c) the likely consequences; (d) the measures taken or proposed to address the breach; and (e) contact information for further questions. ElasticD3M, LLC will cooperate with Customer to fulfill Customer's notification obligations under Applicable Data Protection Law.
9. Audit Rights
Upon Customer's reasonable written request (not more than once per twelve-month period, except after a confirmed Personal Data Breach), ElasticD3M, LLC will: (a) make available to Customer its most recent audit reports or attestations relevant to the Services (e.g., SOC 2 Type II when issued, or substantially equivalent third-party audit reports); and (b) respond in good faith to reasonable written information requests necessary for Customer to verify compliance with this DPA.
Customer's on-site audit rights are limited to circumstances where: (i) Customer has a reasonable basis to believe ElasticD3M, LLC has materially breached this DPA, and (ii) the requested audit cannot be reasonably satisfied through available audit reports or written information. Any on-site audit will be conducted during business hours on at least thirty (30) days' advance written notice, by a mutually acceptable independent auditor bound by confidentiality, and at Customer's cost.
10. International Data Transfers
10.1 EU/EEA — Standard Contractual Clauses
Where Personal Data of EU/EEA data subjects is transferred from the EEA to the United States or any other country not subject to an adequacy decision under GDPR Article 45, the SCCs (Module 2: Controller to Processor) are incorporated into this DPA by reference and apply to the transfer. Where Customer is itself a Processor and ElasticD3M, LLC is its Sub-Processor, Module 3 (Processor to Processor) applies. The optional clauses are selected as set forth in the executed order form or, absent such selection, as follows: Clause 7 docking clause — included; Clause 9(a) option 2 (general written authorization with 30 days' notice); Clause 11(a) optional independent dispute resolution — not selected; Clause 17 option 1 (governing law: Republic of Ireland); Clause 18 (forum: courts of Ireland); Annexes I, II, and III as set out in this DPA.
10.2 United Kingdom — UK IDTA
For transfers from the UK, the UK IDTA is incorporated into this DPA by reference, with the SCCs as the "Approved EU SCCs" referenced therein. The UK IDTA tables are completed consistently with this DPA's annexes.
10.3 Switzerland — FADP
For transfers from Switzerland, the SCCs apply with the following modifications: (i) references to "Member State" or "EU" are read to include Switzerland; (ii) references to GDPR are read to include the Swiss FADP; (iii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (iv) the governing law is Swiss law (or, where the SCCs require, Irish law).
10.4 Export Controls and Sanctions
Personal Data transfers under this DPA comply with U.S. export-control laws (Export Administration Regulations / International Traffic in Arms Regulations) and OFAC sanctions regulations. Processor will not transfer Personal Data to denied parties or to comprehensively embargoed jurisdictions (currently Cuba, Iran, North Korea, Syria, Crimea, Donetsk, and Luhansk). Customer's representations under Section 15A of the Terms of Service (Trade Compliance) apply.
11. Return or Deletion at Termination
Within thirty (30) days after termination of the Services, on Customer's written request, ElasticD3M, LLC will either: (a) return Customer's Personal Data in a commonly used machine-readable format (e.g., JSON or CSV exports of Customer-facing tables); or (b) delete Customer's Personal Data from production systems and confirm deletion in writing. Customer Personal Data may persist in routine database backups that are overwritten on a documented rotation (typically within one hundred eighty (180) days).
12. Subprocessors List (Annex III)
The current list of authorized Subprocessors is published at /subprocessors and incorporated into this DPA as Annex III. Each Subprocessor is bound by data-protection obligations no less protective than those in this DPA.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, Section 13.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs or UK IDTA, the SCCs or UK IDTA (as applicable) govern with respect to the transfer to which they apply.
15. Contact
DPA execution, SCC signing, audit reports, or privacy questions: [email protected].
Effective Date: May 12, 2026 · Version: 1.0 (Bonterms-derivative)