Data Processing Addendum

Definitions & Roles

Key Terms

• Personal Data: Information in security logs that could identify individuals (usernames, IP addresses, emails)
• Processing: Collecting, analyzing, storing security data for threat detection
• Data Subject: Your employees, contractors, or users whose data appears in logs
• Sub-Processor: Third-party vendors we use (AWS, Azure, GCP)

Processing Details

Purpose of Processing

We process data solely to provide MDR services:

• Threat detection and analysis
• Security incident investigation
• Incident response coordination
• Security reporting

Types of Data Processed

• Security Logs: Endpoint activity, network traffic, authentication events
• Metadata: Usernames, IP addresses, timestamps, file hashes
• Incident Data: Alert details, investigation notes, response actions

Data Subjects

• Your employees and contractors
• System administrators
• End users of your systems

Data Retention

• Active Monitoring: 90 days (configurable)
• Incident Records: 1 year after closure
• Upon Termination: Deleted within 30 days

Security Measures

We implement appropriate technical and organizational measures to protect personal data:

Technical Safeguards

• Encryption: TLS 1.2+ in transit, AES-256 at rest
• Access Controls: Role-based access, MFA required
• Logging: All data access is audited
• Segmentation: Client data is isolated

Organizational Safeguards

• Background checks for all analysts
• Confidentiality agreements (NDAs)
• Regular security training
• Annual third-party audits

Breach Notification

If we become aware of a data breach, we will:

• Notify you within 72 hours
• Provide details of affected data
• Describe mitigation actions taken
• Assist with regulatory notifications

Sub-Processors

We may engage trusted third-party sub-processors to assist in service delivery:

Current Sub-Processors

• Amazon Web Services (AWS): Cloud infrastructure hosting
• Microsoft Azure: Cloud infrastructure hosting
• Google Cloud Platform (GCP): Cloud infrastructure hosting

All sub-processors:

• Are bound by GDPR-compliant data processing agreements
• Implement appropriate security measures
• Are subject to audit and review

Changes to Sub-Processors

We will notify you 30 days in advance of adding new sub-processors. You may object to new sub-processors for legitimate reasons.

Data Subject Rights

We will assist you in responding to data subject requests:

Rights We Support

• Access: Provide copies of personal data upon request
• Rectification: Correct inaccurate data
• Erasure: Delete data when no longer needed
• Portability: Export data in machine-readable format
• Restriction: Limit processing in certain circumstances

Request Process

Forward data subject requests to us at privacy@babartech.com. We will respond within 30 days with available data.

International Data Transfers

Data may be transferred outside your jurisdiction for processing.

Transfer Mechanisms

• EU-US: Standard Contractual Clauses (SCCs) approved by European Commission
• UK: UK International Data Transfer Agreement (IDTA)
• Other Regions: Appropriate safeguards per local law

Our 24/7 SOC operates from multiple regions to provide continuous coverage.

Audit Rights

Upon reasonable notice, you may:

• Request our latest SOC 2 report (under NDA)
• Request evidence of security controls
• Conduct audits (at your expense, once per year)

We undergo annual third-party security audits and maintain certifications demonstrating our security posture.

Data Return & Deletion

Upon service termination or your request:

• We will delete all personal data within 30 days
• We can provide a final data export (if technically feasible)
• We will provide a certificate of deletion upon request

Exception: Data may be retained longer if required by law or for legal proceedings.

Requesting a Signed DPA

To request a fully executed Data Processing Addendum specific to your organization: