Data Processing Agreement
Last updated: January 2026
1. Definitions
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Acureta ("Processor"). "Personal Data" means any information relating to an identified or identifiable natural person processed through our services. This DPA complies with GDPR Article 28 and other applicable data protection laws.
2. Processing Scope
Acureta processes Personal Data solely to provide security operations, threat intelligence, digital forensics, and compliance services as specified in our Terms of Service. Processing duration extends for the term of your subscription plus 90 days. Data types include: contact information, case files, investigation data, and system logs.
3. Processor Obligations
We process Personal Data only on documented instructions from you, ensure confidentiality of personnel accessing data, implement appropriate technical and organizational security measures, assist with data subject rights requests, and assist with security incidents and data protection impact assessments where reasonably required.
4. Data Subject Rights
We assist you in fulfilling data subject rights requests including access, rectification, erasure, data portability, and restriction of processing. Requests are handled within 30 days. Contact help@acureta.org to initiate a request or for assistance in responding to requests from your data subjects.
5. Security Measures
Our technical and organizational measures include: AES-256 encryption at rest and in transit (TLS 1.3), role-based access controls, multi-factor authentication, SOC 2 Type II compliance processes, regular security assessments, automated backup systems, and incident response procedures. We conduct annual third-party security audits.
6. Sub-Processors
We engage the following sub-processors: Supabase (database, US/EU), Stripe (payments, global), OpenAI (AI processing, US), Anthropic (AI processing, US), Vercel (hosting, global), and Sentry (monitoring, US). We maintain a current list at acureta.com/legal/sub-processors and provide 30 days' notice of changes.
7. Data Breaches
In the event of a personal data breach, we notify you without undue delay and within 72 hours of becoming aware. Notification includes the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed. We cooperate fully in breach investigation and remediation.
8. International Transfers
We transfer Personal Data to the United States and other jurisdictions where our sub-processors operate. Transfers are protected by Standard Contractual Clauses approved by the European Commission. Upon request, we provide copies of relevant transfer mechanisms. EU data may be processed in EU-based infrastructure where specified.
9. Audit Rights
You may audit our compliance with this DPA once annually upon 30 days' written notice. We provide SOC 2 Type II reports, security questionnaires, and compliance certifications. Additional on-site audits require mutual agreement and may incur reasonable fees. Audit findings must be kept confidential.
10. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, we delete or return all Personal Data within 90 days unless legally required to retain it. You may request earlier deletion or a copy of your data before deletion. After the retention period, all data is permanently and securely destroyed.
11. Contact
For DPA-related inquiries or to exercise data protection rights, contact our Data Protection Officer at help@acureta.org.