This Data Processing Agreement ("DPA") is entered into between the organization identified in the applicable Order Form or Terms of Service account ("Controller," "Customer," "you") and SilentGuard ("Processor," "Provider," "we," "us") and forms part of the Master Service Agreement, Terms of Service, or other agreement between the parties governing Customer's use of the Service (the "Principal Agreement").
This DPA reflects the parties' commitment to comply with applicable Data Protection Laws governing the processing of Personal Data in connection with the Service.
Terms not defined in this DPA have the meanings given in the Principal Agreement. In addition:
All laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, Singapore PDPA, UAE Federal Decree-Law No. 45 of 2021, and any other applicable data protection or privacy law.
The entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, Customer is the Controller.
Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
The entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Provider is the Processor.
Customer is the Controller and Provider is the Processor with respect to Personal Data processed in connection with the Service. Where Provider determines the purposes and means of processing (e.g., account management, billing, Service improvement using aggregated anonymized data), Provider acts as an independent controller, subject to its Privacy Policy.
This DPA applies to all Personal Data processed by Provider on behalf of Customer in connection with the Service.
The details of processing are described in Annex 1 of this DPA and include the subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects.
Provider will process Personal Data only on behalf of and in accordance with Customer's documented instructions. If Provider believes an instruction from Customer infringes Applicable Data Protection Laws, Provider will notify Customer without undue delay.
Provider will process Personal Data solely for the purposes described in Annex 1 and will not process Personal Data for any other purpose unless required by applicable law.
Provider will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).
Provider will not sell, share, or use Personal Data for purposes other than providing the Service as specified in the Principal Agreement.
The Service's core detection and analysis functions operate locally on the end user's device:
| Data Category | Description | Purpose |
|---|---|---|
| Account metadata | User ID, organization ID, role, timestamp | Authentication, access control, audit logging |
| Detection event metadata | Policy ID triggered, data type category detected, action taken, timestamp | Dashboard reporting, analytics, policy optimization |
| Aggregate usage metrics | Detection counts, prompt counts (per team/period), feature usage flags | Service analytics, capacity planning, product improvement |
| Configuration data | Policy rules, detection settings, team assignments, notification preferences | Service delivery, policy synchronization |
Important: The content of prompts, the text of flagged data, and the substance of what was detected are NOT transmitted to Provider's servers. Provider processes only the metadata categories described above.
Provider collects and processes only the minimum Personal Data necessary to provide the Service. Provider does not collect or process:
Provider will implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents, including:
Customer provides general written authorization for Provider to engage Sub-processors to process Personal Data on Customer's behalf. Provider will notify Customer at least thirty (30) days before adding or replacing a Sub-processor.
Current Sub-processors are listed in Annex 3 and available at silentguard.ai/legal/sub-processors.
Provider will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If Provider receives a request from a Data Subject directly, Provider will promptly redirect the request to Customer and will not respond to the request directly unless authorized by Customer or required by applicable law.
Provider will notify Customer of any confirmed Security Incident without undue delay, and in any event within seventy-two (72) hours of becoming aware of the incident. The notification will include:
If Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties will ensure that an appropriate transfer mechanism is in place, including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), and supplementary measures as necessary.
For transfers from the EEA, Module Two (Controller to Processor) of the SCCs adopted by the European Commission applies. Complete details are provided in Annex 4.
Customer (or a qualified third-party auditor appointed by Customer and bound by confidentiality obligations) may audit Provider's compliance with this DPA once per year, upon at least thirty (30) days' prior written notice.
Provider may satisfy audit requests by providing SOC 2 Type II reports, penetration test results, or responses to standardized security questionnaires (CAIQ, SIG, VSAQ).
Provider will retain Personal Data for the duration of the Subscription Term as necessary to provide the Service and comply with the Principal Agreement.
Upon termination or expiration of the Principal Agreement, Provider will continue to make Customer Data available for export for thirty (30) days, then delete all Personal Data within thirty (30) days after the export period ends. Upon Customer's written request, Provider will provide written certification of deletion.
This DPA is governed by the laws applicable in the Dubai International Financial Centre (DIFC), except that where Applicable Data Protection Laws require the application of specific governing law (e.g., GDPR requires the law of the EU Member State where the Controller is established), such law will apply to the relevant provisions of this DPA.
Any dispute arising out of or relating to this DPA will be resolved in accordance with the dispute resolution provisions of the Principal Agreement.
Processing of Personal Data in connection with Customer's use of the SilentGuard data protection platform.
For the duration of the Principal Agreement, plus any post-termination retention periods described in Section 11.
Providing the SilentGuard Service, including:
See Section 5 for comprehensive details.
| Sub-processor | Location | Processing Activity |
|---|---|---|
| Amazon Web Services (AWS) | Asia | Cloud infrastructure hosting for dashboard, API, metadata storage, and email delivery infrastructure |
| Stripe | UAE | Payment processing |
This list will be maintained and updated at silentguard.ai/legal/sub-processors. Customer will be notified at least 30 days before any addition or change to this list.
Applicable only where transfers are subject to GDPR/UK GDPR.
For questions about this DPA:
Support: support@silentguard.ai