InfoDefenders Data Processing Agreement
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between InfoDefenders LLC ("Processor," "InfoDefenders") and the Customer organization ("Controller," "Customer") that has subscribed to the InfoDefenders platform. This DPA applies when InfoDefenders processes personal data on behalf of Customer in connection with the InfoDefenders Terms of Service and Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by InfoDefenders on behalf of Customer through the Service.
- "Customer Data" means all data submitted by Customer or its Users to the Service, including Personal Data contained in incident reports, assessments, governance records, and Browser Extension events.
- "Service" means the InfoDefenders web application, APIs, and Browser Extension as described in the Terms of Service.
- "Sub-processor" means a third party engaged by InfoDefenders to process Personal Data on InfoDefenders's behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Supervisory Authority" means an independent public authority established under the GDPR or the equivalent UK authority.
Terms not defined here have the meanings given in the Terms of Service or applicable data protection law.
2. Roles and Scope
2.1 Roles
- Customer is the Data Controller of Customer Data, including Personal Data submitted by Customer's Users and individuals reporting incidents.
- InfoDefenders is the Data Processor, processing Personal Data only on documented instructions from Customer as necessary to provide the Service.
InfoDefenders acts as an independent Data Controller for account registration, billing, and marketing website data, as described in the Privacy Policy.
2.2 Processing Instructions
InfoDefenders will process Personal Data only:
- To provide and maintain the Service
- As documented in the Terms of Service, Privacy Policy, and Customer's use of the Service
- As required by applicable law (in which case InfoDefenders will inform Customer unless prohibited)
Customer instructs InfoDefenders to process Personal Data for the purposes described above by using the Service and executing this DPA.
2.3 Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of the InfoDefenders AI governance platform |
| Duration | Term of the Customer's subscription plus retention periods in the Privacy Policy |
| Nature and purpose | Storage, retrieval, display, export, and transmission of Customer Data; AI-assisted draft risk assessments when Customer uses the Agent feature |
| Categories of Data Subjects | Customer's employees, contractors, and other individuals whose data Customer submits |
| Categories of Personal Data | Names, email addresses, incident details, assessment responses, governance records, Browser Extension hostname and timestamp events |
3. Customer Obligations
Customer represents and warrants that:
- It has a lawful basis to collect and submit Personal Data to the Service
- It has provided required notices to Data Subjects
- Its instructions to InfoDefenders comply with applicable data protection law
- It is responsible for obtaining consent before deploying the Browser Extension where required by law
4. InfoDefenders Obligations
InfoDefenders will:
- Process Personal Data only on Customer's documented instructions
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 6
- Not engage Sub-processors without compliance with Section 5
- Assist Customer with Data Subject requests as described in Section 8
- Notify Customer of Personal Data breaches as described in Section 7
- Delete or return Personal Data upon termination as described in the Terms of Service
5. Sub-processors
5.1 Authorization
Customer authorizes InfoDefenders to engage Sub-processors listed at infodefenders.com/legal/subprocessors. InfoDefenders will impose data protection obligations on Sub-processors substantially similar to this DPA.
5.2 Changes
InfoDefenders will notify Customer at least 30 days before adding or replacing a Sub-processor that processes Customer Data. Customer may object on reasonable grounds relating to data protection by notifying [email protected] within 14 days. If the parties cannot resolve the objection, Customer may terminate the affected Service as its sole remedy.
6. Security Measures
InfoDefenders implements commercially reasonable measures including:
- Encryption of data in transit (TLS) and at rest
- Organizational isolation between Customer organizations
- Access controls limiting employee access to Customer Data
- Regular automated backups
- Multi-factor authentication options for admin accounts
Details are described in the Privacy Policy. InfoDefenders may update security measures provided they do not materially reduce overall protection.
7. Personal Data Breach Notification
InfoDefenders will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and in any event within 72 hours where feasible. The notification will include, to the extent known: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
Customer is responsible for notifying Supervisory Authorities and Data Subjects where required by law.
8. Data Subject Requests
InfoDefenders will promptly notify Customer if it receives a request from a Data Subject to exercise rights under applicable data protection law regarding Customer Data. InfoDefenders will assist Customer in responding to such requests as reasonably possible, taking into account the nature of processing and information available to InfoDefenders.
Customer may fulfill many requests directly through the Service (e.g., user profile management). For requests InfoDefenders must handle directly, contact [email protected].
9. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, InfoDefenders will ensure appropriate safeguards are in place, including the Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller to Processor), which are incorporated into this DPA by reference.
Customer may request a copy of applicable SCCs by contacting [email protected].
10. Audits
Upon reasonable written request, InfoDefenders will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by Customer or an independent auditor appointed by Customer, subject to:
- Reasonable advance notice (at least 30 days)
- Confidentiality obligations
- No more than once per year unless required by a Supervisory Authority or following a confirmed breach
- Audits conducted during normal business hours without unreasonable disruption
InfoDefenders may satisfy audit requests by providing current third-party audit reports or certifications where available.
11. Deletion and Return
Upon termination of the Service, InfoDefenders will delete Customer Data within the retention periods described in the Terms of Service and Privacy Policy. Customer is responsible for exporting data before termination. InfoDefenders will provide reasonable assistance with export upon request during the post-termination retention window.
12. Liability and Precedence
This DPA is subject to the limitation of liability in the Terms of Service. In the event of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails. In the event of conflict between this DPA and the SCCs, the SCCs prevail.
13. Term
This DPA remains in effect for the duration of InfoDefenders's processing of Personal Data on behalf of Customer and until all Customer Data is deleted or returned in accordance with this DPA.
14. Contact
InfoDefenders, LLC
7901 4th St N. STE 300, St. Petersburg, FL 33702
To execute this DPA, Customer's authorized representative may contact [email protected]. Use of the Service after notification of this DPA constitutes acceptance unless a separate signed agreement is required by Customer's procurement process.