
Data Processing Agreement

Effective June 1, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the RedTeamTrust Partner Agreement between RedTeamTrust (“Processor”) and the MSP or MSSP partner entity (“Controller”). It governs the processing of personal data by RedTeamTrust on behalf of the Controller in connection with the RedTeamTrust platform and services.

This DPA applies where the Controller's use of the platform involves the processing of personal data subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), or equivalent data protection legislation. Capitalized terms not defined here have the meanings given in the Partner Agreement and Privacy Policy.

1. Definitions

  • “Personal Data” — any information relating to an identified or identifiable natural person that is processed by RedTeamTrust on behalf of the Controller in connection with the Platform. In the context of this platform, this includes local user account names, last logon timestamps, and file path metadata collected by the assessment agent from endpoints belonging to the Controller's client organizations.
  • “Processing” — any operation performed on Personal Data, including collection, transmission, storage, analysis, report generation, and deletion.
  • “Controller” — the MSP or MSSP partner who determines the purposes and means of processing (i.e., directs the assessment and obtains authorization from the assessed organization).
  • “Processor” — RedTeamTrust, which processes Personal Data on behalf of and under the instructions of the Controller.
  • “Sub-processor” — any third party engaged by RedTeamTrust to process Personal Data in connection with the Platform.
  • “Data Subject” — the natural person to whom Personal Data relates (e.g., an employee of an assessed organization whose account data is collected by the agent).
  • “Supervisory Authority” — the independent public authority responsible for monitoring the application of applicable data protection law in a given jurisdiction.

2. Scope and Nature of Processing

RedTeamTrust processes Personal Data solely to provide the Platform services described in the Partner Agreement, including:

  • Receiving and storing endpoint assessment telemetry transmitted by the assessment agent;
  • Analyzing telemetry to generate security findings, risk scores, and reports;
  • Mapping findings to compliance framework controls and generating gap reports;
  • Making reports available to the Controller through the partner console;
  • Retaining assessment data to support historical comparison and re-assessment.

A full description of the categories of Personal Data processed, the categories of Data Subjects affected, and the processing purposes is set out in Schedule 1 to this DPA.

RedTeamTrust processes Personal Data only on documented instructions from the Controller, as set out in this DPA and the Partner Agreement. If RedTeamTrust is required by applicable law to process Personal Data for a purpose other than those described here, RedTeamTrust will inform the Controller before that processing occurs, unless prohibited by law.

3. Controller Obligations

The Controller represents, warrants, and agrees that:

  • It has obtained all necessary consents, authorizations, and legal bases required to direct RedTeamTrust to process Personal Data on its behalf, including written authorization from each assessed organization before any assessment is conducted;
  • Its instructions to RedTeamTrust comply with applicable data protection law;
  • It is responsible for responding to Data Subject requests relating to Personal Data processed by RedTeamTrust on its behalf, and will coordinate with RedTeamTrust as needed to fulfill those requests;
  • It will provide assessed organizations with any notices or disclosures required by applicable law regarding the processing of their employees' data by the assessment agent;
  • It will notify RedTeamTrust promptly if it becomes aware that its instructions would require RedTeamTrust to violate applicable data protection law.

4. RedTeamTrust Obligations as Processor

RedTeamTrust agrees to:

  • Process Personal Data only on the documented instructions of the Controller, except where required by applicable law;
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
  • Implement and maintain the technical and organizational security measures described in Schedule 2;
  • Not engage Sub-processors without prior written authorization from the Controller (general authorization is granted as described in Section 5);
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable law, including access, correction, deletion, and portability requests;
  • Assist the Controller with security obligations, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, to the extent required and within RedTeamTrust's reasonable ability;
  • Delete or return all Personal Data to the Controller upon termination of the Partner Agreement, and delete existing copies, except where retention is required by applicable law;
  • Make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 7.

5. Sub-processors

The Controller grants RedTeamTrust general written authorization to engage Sub-processors, subject to the conditions in this section. Current Sub-processors are listed in Schedule 3.

RedTeamTrust will notify the Controller of any intended changes to Sub-processors (additions or replacements) by updating Schedule 3 and providing at least fourteen (14) days' advance notice by email to the Controller's account email address. The Controller may object to a new Sub-processor by notifying RedTeamTrust in writing within fourteen (14) days. If the parties cannot resolve the objection within thirty (30) days, the Controller may terminate the Partner Agreement without penalty.

RedTeamTrust ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA, and remains liable to the Controller for Sub-processor performance.

6. Security and Breach Notification

RedTeamTrust will implement and maintain the technical and organizational security measures set out in Schedule 2. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

In the event of a Personal Data breach affecting data processed under this DPA, RedTeamTrust will:

  • Notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach;
  • Provide sufficient information to enable the Controller to meet its own breach notification obligations to Supervisory Authorities and Data Subjects;
  • Cooperate with the Controller and take such steps as are reasonably required to investigate, mitigate, and remediate the breach.

Breach notification by RedTeamTrust does not constitute an admission of fault or liability.

7. Audits and Compliance Demonstration

RedTeamTrust will, upon reasonable written request from the Controller (no more than once per calendar year absent a specific incident), provide written information sufficient to demonstrate compliance with this DPA, including a summary of security measures and Sub-processor list.

Where the Controller requires an on-site audit or inspection, the parties will agree in advance on the scope, timing, and cost allocation. Audits must be conducted during normal business hours with reasonable advance notice (minimum thirty (30) days) and must not unreasonably disrupt RedTeamTrust's operations or compromise the confidentiality of other customers' data.

8. International Data Transfers

RedTeamTrust operates infrastructure in the United States. Where the Controller is subject to GDPR or UK GDPR and Personal Data is transferred from the European Economic Area or United Kingdom to the United States, the parties agree that such transfer is governed by the Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries, as adopted by the European Commission (Module 2: Controller to Processor), which are incorporated herein by reference.

RedTeamTrust will promptly notify the Controller if it believes that applicable law prevents it from fulfilling its obligations under the SCCs or this DPA.

9. Deletion and Return of Data

Upon termination of the Partner Agreement, or upon the Controller's written request, RedTeamTrust will, at the Controller's election:

  • Delete all Personal Data processed under this DPA and confirm deletion in writing; or
  • Return all Personal Data to the Controller in a portable, machine-readable format and then delete all copies.

RedTeamTrust may retain Personal Data beyond termination where required by applicable law (e.g., written authorization records retained for legal compliance purposes), and will identify any such retained data and the legal basis for retention in its deletion confirmation.

10. Relationship to Partner Agreement

This DPA is incorporated into the Partner Agreement. In the event of a conflict between this DPA and the Partner Agreement regarding the processing of Personal Data, this DPA controls. In all other respects, the Partner Agreement (including its limitation of liability and governing law provisions) applies to this DPA.

Schedules

Schedule 1 — Details of Processing

Subject matter

Endpoint security assessment telemetry and compliance management data processed in connection with the RedTeamTrust platform.

Duration

For the term of the Partner Agreement, plus any retention period required by applicable law.

Nature of processing

Collection (via assessment agent), transmission, storage, automated analysis, report generation, and deletion.

Purposes of processing

Generating security assessment findings, risk scores, and reports; mapping findings to compliance framework controls; enabling historical comparison across assessment runs.

Categories of Personal Data

  • Local user account names and security identifiers (SIDs);
  • Account enabled/disabled status and last logon timestamps;
  • File system path metadata (presence of specific file types — not file contents);
  • Partner account holder names and email addresses;
  • Client portal user email addresses.

Categories of Data Subjects

  • Employees and contractors of assessed organizations whose account data appears in endpoint telemetry;
  • Partner account holders (MSP/MSSP staff);
  • Client portal users (compliance contacts at assessed organizations).

Schedule 2 — Technical and Organizational Security Measures

RedTeamTrust maintains the following measures, which may be updated over time as security practices evolve:

  • Encryption in transit — all data transmission between the assessment agent and ingestion endpoints, and between users and the platform, uses TLS 1.2 or higher.
  • Encryption at rest — Personal Data stored in the platform database is encrypted at rest using AES-256 or equivalent.
  • Access control — access to production data is restricted to personnel who require it to operate or support the platform; access is granted on a least-privilege basis and reviewed periodically.
  • Authentication — platform access requires strong authentication; API keys and ingest secrets are hashed at rest and never stored in plaintext.
  • Multi-tenancy isolation — each partner account is logically isolated; one partner cannot access another partner's organizations, findings, or reports.
  • Rate limiting and abuse prevention — ingestion endpoints and authentication routes are rate-limited to reduce the risk of brute-force and denial-of-service attacks.
  • Logging and monitoring — platform activity is logged; logs are retained and monitored for anomalous access patterns.
  • Vulnerability disclosure — RedTeamTrust operates a responsible disclosure program and commits to remediating confirmed security vulnerabilities in a timely manner.
  • Personnel — personnel with access to Personal Data are subject to confidentiality obligations and receive security awareness training.

Schedule 3 — Approved Sub-processors

Current as of June 1, 2026. Updates will be communicated with fourteen (14) days' notice.

Sub-processor | Purpose | Location
Stripe, Inc. | Payment processing and subscription billing | United States
Cloud infrastructure provider | Hosting, database, and object storage for platform data | United States

The cloud infrastructure provider will be named specifically prior to commercial launch. Partners requiring this information before then may contact privacy@redteamtrust.com.

Contact

For questions about this DPA, or to request a countersigned copy for your records, contact:

privacy@redteamtrust.com