Data Processing Addendum

Effective 2026-05-02 · forms part of the Terms of Service.

1. Scope & roles

This Addendum applies when Cybool processes Personal Data on behalf of Customer in connection with the Platform. Customer is the "controller" under GDPR (and the "business" under similar regimes); Cybool is the "processor".

2. Categories of data + data subjects

  • Customer's end-users: employees + contractors of Customer using the Platform. Categories: name, email, role, IP address, audit-log activity.
  • Customer's clients (if Customer is an MSSP Partner): name, email, role, activity logs.
  • Threat intelligence / security data: indicators of compromise, leaked-credential observations, vulnerability findings tied to Customer's domains/IPs/identities.
  • Vendor PII (TPRM module): vendor contact name + email, CAP owner email, questionnaire recipient email — encrypted at rest with pgcrypto.

3. Processing purposes

Cybool processes Personal Data only on Customer's documented instructions to (a) provide the Platform, (b) perform security analytics on Customer's assets, (c) generate compliance and risk reports, (d) operate AI features (summarisation, document extraction, semantic retrieval, copilot) using EU-resident inference endpoints from Anthropic and Mistral AI without training on Customer Data, and (e) maintain billing and audit records.

4. Sub-processors

  • Vercel Inc. (hosting, fra1 EU region)
  • Supabase Inc. (Postgres + Auth + Storage, EU West region)
  • Anthropic PBC (LLM inference, EU-residency selected; zero-retention enabled)
  • Mistral AI (LLM inference + embeddings, EU-hosted)
  • Sendinblue / Brevo (transactional email, EU)
  • Functional Software Inc. dba Sentry (error tracking, EU region)
  • Instatus Inc. (status page)
  • Cloudflare Inc. (DNS only)

Cybool gives 30 days' notice before adding a new sub-processor that will process Customer Personal Data; Customer may object on reasonable data-protection grounds.

5. International transfers

Customer Personal Data is stored in the EU. AI inference endpoints are EU-resident. Where transfers to third countries occur (e.g. for vendor support), they are covered by EU Standard Contractual Clauses (Module 2 / 3 as applicable) and supplementary measures.

6. Security measures

Cybool implements the technical and organisational measures summarised at /trust, which include at minimum:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256); PII columns in the TPRM module are additionally pgcrypto-encrypted with keys held outside the database.
  • Row-Level Security on every business table; cross-tenant isolation tested on every commit.
  • MFA mandatory on all employee + contractor accounts; least-privilege RBAC.
  • Append-only audit log with hash-chained entries.
  • Daily logical backups with documented restore runbook (≤ 1h target).
  • Annual external penetration test; remediation tracked through closure.

7. Personal-data breach notification

Cybool will notify Customer without undue delay (target: within 24 hours of discovery) of any Personal Data breach affecting Customer Personal Data, with the information GDPR Article 33(3) requires to the extent then known, supplemented as the investigation progresses.

8. Data-subject rights

Cybool provides reasonable assistance to Customer in fulfilling data-subject access, rectification, erasure, restriction, and portability requests, taking into account the nature of the processing. The Platform exposes audit-log export + tenant-data export endpoints to support this.

9. Audit

Customer may audit Cybool's compliance with this Addendum no more than once per year, on at least 30 days' notice, during business hours, subject to a confidentiality undertaking. Cybool may satisfy audit obligations by providing recent third-party reports (penetration test, ISO 27001 / SOC 2 once obtained).

10. Return + deletion

On termination of the Terms, Customer may export tenant data within 30 days. Thereafter Cybool deletes Customer Personal Data within 90 days, except where applicable law requires retention (e.g. tax records). Backup copies are overwritten on the next backup-rotation cycle (max 12 months).

DPA contact: dpo@cybool.com.