Arcseer
Legal

Data Processing Agreement

Arcseer Limited — Standard DPA

This Data Processing Agreement ("DPA") forms part of the agreement between Arcseer Limited ("Processor") and the Customer ("Controller").

1. Scope

This DPA applies where Arcseer processes personal data on behalf of the Customer in connection with cybersecurity services.

2. Roles

  • Customer = Data Controller
  • Arcseer = Data Processor

3. Processing Details

Nature

Cybersecurity services including penetration testing and monitoring.

Purpose

Identification and analysis of security vulnerabilities.

Data Types

  • system data
  • logs
  • personal data present in customer environments

Data Subjects

Customer employees, users, or other individuals whose data resides in tested systems.

4. Processor Obligations

Arcseer shall:

  • process data only on documented instructions
  • ensure confidentiality of personnel
  • implement appropriate technical and organisational measures
  • assist with data subject rights
  • support regulatory compliance obligations

5. Security Measures

Arcseer implements:

  • encryption (in transit and at rest)
  • access controls and least privilege
  • monitoring and logging
  • secure development practices
  • vulnerability management

6. Security Assessment Data Handling

Arcseer acknowledges that:

  • sensitive data may be encountered during testing
  • such data will only be processed as necessary to deliver services
  • data will not be retained unnecessarily
  • access will be restricted to authorised personnel

7. Subprocessors

Arcseer may engage subprocessors including cloud providers. Arcseer shall:

  • ensure subprocessors meet equivalent security standards
  • remain responsible for their actions
  • provide subprocessor details upon request

8. International Transfers

Where data is transferred outside the UK or EEA, Standard Contractual Clauses or equivalent safeguards will be used.

9. Data Retention

  • Data retained during active engagement
  • Retained for up to 3 months post-engagement
  • Secure deletion thereafter

10. Data Breach Notification

Arcseer shall:

  • notify Customer without undue delay upon becoming aware of a breach
  • provide relevant details
  • cooperate in remediation

11. Audit Rights

Customer may:

  • request reasonable information regarding security controls
  • conduct audits where necessary (subject to reasonable notice)

12. AI Data Usage

Arcseer shall not use Customer data for AI training unless:

  • explicitly agreed in writing
  • data is anonymised prior to use

13. Termination

Upon termination:

  • data will be securely deleted in accordance with retention policy
  • deletion can be requested earlier by Customer