Data Processing Agreement
This agreement governs ThreatGrid's obligations as a data processor when handling client data in the course of delivering managed security services.
Last updated: April 17, 2026. This Data Processing Agreement ("DPA") supplements the ThreatGrid service agreement and applies to client organizations whose data is processed by ThreatGrid in the course of managed security service delivery. Clients requiring a signed DPA for compliance purposes should contact security@threatgrid.tech.
1. Definitions
For the purposes of this Data Processing Agreement, the following definitions apply:
- "Client" or "Controller" refers to the organization engaged under a ThreatGrid service agreement that determines the purposes and means of processing personal data.
- "ThreatGrid" or "Processor" refers to ThreatGrid and its authorized affiliates, acting as a data processor on behalf of the Client.
- "Client Data" means any personal data, log data, security telemetry, or other data belonging to or generated by the Client that is made available to ThreatGrid in the course of service delivery.
- "Personal Data" has the meaning given by applicable data protection law, including identifiers, contact information, and any data relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Client Data, including collection, storage, analysis, transmission, and deletion.
- "Applicable Data Protection Law" includes all relevant data protection and privacy regulations applicable to the processing of Client Data, including but not limited to the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR) where applicable, HIPAA where Client Data includes protected health information, and applicable state privacy laws.
2. Roles and Responsibilities
The parties acknowledge that, with respect to Client Data processed by ThreatGrid in the course of service delivery, the Client acts as the data controller and ThreatGrid acts as the data processor. ThreatGrid processes Client Data only as instructed by the Client and as necessary to deliver the agreed services. ThreatGrid does not use Client Data for any purpose other than performing its contractual obligations under the applicable service agreement.
3. Scope of Processing
ThreatGrid processes Client Data for the following purposes in the course of managed security service delivery:
- Security event monitoring, detection, and alert triage
- Log aggregation, correlation, and threat analysis
- Asset inventory tracking and vulnerability identification
- Incident response investigation and containment
- Compliance gap analysis and advisory reporting
- Threat intelligence correlation against client infrastructure
- Delivery of security reports, dashboards, and analyst communications
- Platform operation and maintenance of the TLINK PRO client workspace
The specific categories of Client Data processed, the types of data subjects, and the duration of processing are defined in the applicable service agreement or onboarding documentation. ThreatGrid will not process Client Data beyond the scope required to perform these services without prior written authorization from the Client.
4. ThreatGrid's Processing Obligations
ThreatGrid agrees to:
- Process Client Data only on documented instructions from the Client, including instructions established in the service agreement and subsequent written communications
- Ensure that personnel authorized to process Client Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures to protect Client Data against unauthorized access, disclosure, alteration, or destruction
- Not engage sub-processors to process Client Data without prior notification to the Client and, where required by applicable law, prior written consent
- Assist the Client in meeting its obligations under applicable data protection law, including responding to data subject rights requests where Client Data processed by ThreatGrid is implicated
- Notify the Client in writing without undue delay after becoming aware of a confirmed personal data breach affecting Client Data, within the timeframe required by the applicable service agreement or applicable law and in any event no later than seventy-two (72) hours after the breach is confirmed, so that the Client can meet its own notification obligations
- Delete or return Client Data upon termination of the service agreement, in accordance with the data retention and deletion terms agreed upon by the parties
5. Technical and Organizational Security Measures
ThreatGrid maintains security measures appropriate to the risk associated with processing Client Data, including:
- Encryption of Client Data in transit using TLS 1.2 or higher
- Encryption of Client Data at rest using industry-standard encryption
- Role-based access controls limiting Client Data access to authorized ThreatGrid personnel
- Multi-factor authentication for ThreatGrid systems that process Client Data
- Continuous internal security monitoring of ThreatGrid infrastructure
- Regular security assessments of systems handling Client Data
- Formal incident response procedures for security events affecting ThreatGrid infrastructure
- Employee security training and background screening for personnel with access to Client Data
6. Sub-Processors
ThreatGrid uses a limited set of sub-processors to support the delivery of managed security services, including infrastructure hosting, security tooling, and operational systems. ThreatGrid will maintain an up-to-date list of sub-processors and will notify Clients of any intended changes to sub-processors (additions or replacements) with reasonable advance notice. Where Clients have a right to object to sub-processor changes under applicable law, ThreatGrid will provide an opportunity to raise objections before the change takes effect. ThreatGrid contractually requires all sub-processors to maintain data protection standards no less protective than those set forth in this DPA.
7. Client Obligations
The Client is responsible for ensuring that its collection, submission, and direction of Client Data to ThreatGrid complies with applicable data protection law, including: obtaining any necessary consents or lawful bases for processing before providing data to ThreatGrid; providing accurate and complete information about the categories of data subjects and personal data included in Client Data; and ensuring that Client's instructions to ThreatGrid comply with applicable law. ThreatGrid is not responsible for Client Data submitted in violation of applicable law or without appropriate authorization.
8. Data Subject Rights
Where Client Data processed by ThreatGrid includes personal data subject to applicable data subject rights (such as the right of access, correction, deletion, or data portability), the Client remains the primary point of contact for data subject requests. ThreatGrid will assist the Client in responding to such requests to the extent technically feasible and consistent with the service scope, within the timeframe required by applicable law. ThreatGrid will forward to the Client any data subject requests received directly relating to Client Data without undue delay.
9. Regulated Data — HIPAA and Sensitive Categories
Clients in regulated industries, including healthcare organizations whose data may include protected health information (PHI) governed by HIPAA, should notify ThreatGrid prior to onboarding so that appropriate safeguards, business associate agreement terms, and handling procedures can be established. ThreatGrid supports HIPAA-covered client engagements under a separately executed Business Associate Agreement (BAA). Clients subject to HIPAA who require a BAA should contact security@threatgrid.tech to initiate that process.
10. Data Retention and Deletion
ThreatGrid retains Client Data for the period necessary to perform the services and for a reasonable period thereafter consistent with operational, legal, and compliance requirements. Upon termination of a service agreement, ThreatGrid will, at the Client's written request, either return or securely delete Client Data within a reasonable timeframe as agreed by the parties, unless retention is required by applicable law or regulatory obligation. ThreatGrid will confirm in writing when deletion is complete upon request.
11. Audit Rights
Upon reasonable written notice, ThreatGrid will make available to the Client such information as is reasonably necessary to demonstrate compliance with this DPA, and will permit audits or inspections conducted by the Client or its authorized representatives, subject to reasonable confidentiality obligations and scheduling coordination. Audit costs are the Client's responsibility unless a material compliance deficiency is identified.
12. Governing Law and Signed DPAs
This published DPA provides a baseline framework for how ThreatGrid handles Client Data. Enterprise clients and clients subject to specific regulatory requirements (GDPR, HIPAA, CCPA/CPRA, PCI DSS, etc.) may require a signed Data Processing Agreement incorporating jurisdiction-specific terms. ThreatGrid is able to execute signed DPAs upon request. To initiate a signed DPA, contact security@threatgrid.tech with your organization's requirements.
13. Contact
Data processing inquiries, DPA requests, data breach notifications, security-specific disclosures, and questions about this agreement should be directed to security@threatgrid.tech.