Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", the controller) and Strathon (the processor) for the managed cloud, and reflects the parties' obligations under GDPR Article 28. If you self-host, you are both controller and processor of your own data and this DPA is not required.

1. Roles

For agent telemetry and account data processed in the managed cloud, Customer is the controller and Strathon is the processor. Strathon processes personal data only on documented instructions from Customer, including those set out in the agreement and this DPA.

2. Subject matter & duration

Strathon processes personal data to provide the managed firewall service for the duration of the agreement, plus any limited period required for deletion or legal compliance.

3. Nature & purpose

Processing consists of receiving, storing, evaluating, and displaying the spans, traces, and policy decisions you send, solely to provide the service.

4. Categories of data & data subjects

Account contacts (your team) and any personal data contained within the agent telemetry you choose to send. Customer controls what telemetry is captured and can enable PII redaction at ingest to minimize personal data.

5. Confidentiality

Strathon ensures persons authorized to process personal data are bound by confidentiality obligations.

6. Security (Art. 32)

Strathon implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, a signed append-only audit log, and regular review. See the Security page.

7. Subprocessors

Customer authorizes Strathon to engage the subprocessors listed on the Subprocessors page. Strathon imposes data-protection obligations on each subprocessor and remains liable for their performance. We will give notice of changes and an opportunity to object.

8. Data subject requests

Strathon will assist Customer, taking into account the nature of processing, to respond to data-subject requests, including via the product's export and deletion features.

9. Breach notification

Strathon will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer data, with information reasonably available to assist Customer's own obligations.

10. International transfers

Where transfers outside the EEA/UK occur, the parties rely on the Standard Contractual Clauses (Module Two, controller-to-processor) and the UK Addendum, incorporated by reference. EU data residency is available on request.

11. Deletion & return

On termination, Strathon will, at Customer's choice, delete or return personal data, except where retention is required by law.

12. Audits

Strathon will make available information necessary to demonstrate compliance with Article 28 and allow for reasonable audits, subject to confidentiality and security constraints.

To execute a countersigned copy of this DPA for your records, contact us on Discord. This page is provided for transparency and is not legal advice.