Data Processing Addendum
This addendum describes how Guardix processes personal data on behalf of customers who act as data controllers. It forms part of the agreement between you and Guardix.
Roles of the parties
In short: For data you put in the platform, you are the controller and Guardix is the processor.
For personal data your organization enters into the platform, the customer is the data controller and Guardix is the processor, acting only on the customer's documented instructions. Guardix is an independent controller for limited data needed to run its own business, such as account administration and billing.
Scope and processing instructions
In short: We process customer data only to deliver the service and only as you instruct.
Guardix processes personal data only to provide and support the service and as otherwise instructed in writing by the customer. The subject matter, duration, nature, and purpose of processing, and the categories of data and data subjects, are described in the agreement and the documentation.
Confidentiality
In short: Everyone with access is bound by confidentiality and least-privilege access.
Guardix ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access data only on a least-privilege, need-to-know basis.
Security measures
In short: Encryption, access control, logging, and tested incident response.
Guardix maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access control, network protection, audit logging, regular testing, and an incident-response process. These measures are reviewed and updated over time.
Subprocessors
In short: We use vetted subprocessors, stay responsible for them, and notify you of changes.
Guardix engages vetted subprocessors to help deliver the service and remains responsible for their compliance with this addendum. A current list of subprocessors is available on request. We will give notice of new subprocessors so customers have the opportunity to object on reasonable data-protection grounds.
Assisting with data-subject requests
In short: We help you respond to access, deletion, and correction requests.
Taking into account the nature of the processing, Guardix provides reasonable assistance to help the customer respond to data-subject requests and to meet its obligations for security, breach notification, and data-protection impact assessments.
Breach notification
In short: We notify you without undue delay after becoming aware of a personal-data breach.
Guardix will notify the customer without undue delay after becoming aware of a personal-data breach affecting customer data, and will provide information reasonably available to help the customer meet its own notification obligations.
International transfers
In short: Cross-border transfers rely on Standard Contractual Clauses or equivalent safeguards.
Where personal data is transferred across regions, Guardix relies on appropriate safeguards required by applicable law, such as the Standard Contractual Clauses, incorporated into the agreement where relevant.
Return and deletion of data
In short: On termination, we return or delete customer data on a defined schedule.
On termination of the service, Guardix will, at the customer's choice, return or delete customer personal data within a defined period, except where retention is required by law. Backups are deleted on their regular cycle.
Questions, or want to exercise your rights?
Reach our team to request access to your data, ask about this document, or raise a privacy concern.
