"Controller" means the ZonForge customer determining the purposes and means of processing personal data.
"Processor" means ZonForge Inc., processing personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in Article 4(2) GDPR.
"Sub-processor" means a third party engaged by ZonForge to process Personal Data.
| Subject matter | Processing of Personal Data to provide security monitoring, threat detection, and risk scoring services |
|---|---|
| Duration | For the duration of the subscription agreement plus data retention period |
| Nature and purpose | Ingestion, normalization, correlation, analysis, and reporting of security event data |
| Type of Personal Data | Identity attributes (user emails, IDs), IP addresses, device identifiers, system access logs, authentication events |
| Categories of data subjects | Controller's employees, contractors, system accounts, and users in monitored environments |
ZonForge (as Processor) will:
ZonForge implements the following safeguards for all Personal Data:
The Controller authorizes ZonForge to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services | US-East-1 (Virginia) | Cloud infrastructure, storage, compute |
| Stripe Inc. | United States | Payment processing |
| Resend Inc. | United States | Transactional email |
| Sentry (Functional Software) | United States | Application error tracking (anonymized) |
| Anthropic PBC | United States | AI analysis (event data anonymized before transmission) |
ZonForge will provide 30 days' notice of any new sub-processors. The Controller may object within this period.
Personal Data from the EEA/UK is transferred to the United States under Standard Contractual Clauses (SCCs) as adopted by the European Commission in Decision 2021/914 (Module 2: Controller to Processor). The SCCs are incorporated by reference and available upon request.
ZonForge will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability) within technically feasible means. ZonForge will not independently respond to data subjects — Controller remains the point of contact.
ZonForge will notify the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach. Notification will include: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
Upon termination of the subscription, ZonForge will delete all Customer Personal Data within 30 days unless required by law to retain it. Controller may request a written confirmation of deletion.
The Controller may audit ZonForge's compliance with this DPA at most once per year with 30 days' prior written notice, at Controller's expense. ZonForge may satisfy audit obligations by providing current SOC 2 or ISO 27001 audit reports.
This DPA is governed by the laws of the jurisdiction of the Controller's principal place of business, except where EU GDPR applies, in which case EU law governs matters relating to GDPR compliance.
Data Protection Officer: dpo@zonforge.com
Legal: legal@zonforge.com