Data Processing Agreement

Last updated: 14 June 2026  ·  Effective: 14 June 2026

This document is a comprehensive legal framework draft. It must be reviewed and approved by licensed attorneys before publication and enforcement. It does not constitute legal advice.

1. Definitions

1.1 Capitalised Terms

Capitalised terms used but not defined in this Data Processing Agreement (the "DPA") have the meanings given to them in the Master Services Agreement, Customer Agreement, or other written agreement between the parties governing the Customer's access to and use of the Platform (the "MSA"). In the event of any conflict between this DPA and the MSA with respect to the subject matter of this DPA, this DPA prevails as set out in Section 13.

For the purposes of this DPA, the following definitions apply:

"Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA, including, as and where applicable: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the United Kingdom General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 and its implementing regulations (Cal. Civ. Code § 1798.100 et seq.) ("CCPA"); (e) the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and the Quebec Act respecting the protection of personal information in the private sector as amended by Law 25 ("Quebec Law 25"); and (f) the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("Australian Privacy Act"); in each case as amended, superseded, or replaced from time to time.

"Business" has the meaning given in the CCPA. For Personal Data subject to the CCPA, the Customer is the Business.

"Business Purpose" has the meaning given in the CCPA and, for the purposes of this DPA, means the provision of the Platform and the services described in the MSA, this DPA, and Annex I.

"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For Personal Data subject to the GDPR, UK GDPR, or FADP, the Customer is the Controller (or, where the Customer itself acts as a processor on behalf of a third-party controller, the Customer is a processor and Athena Agentic is a sub-processor, in which case Module Three of the SCCs applies as set out in Section 8).

"Customer Data" means any data, content, or information submitted to, processed by, or stored within the Platform by or on behalf of the Customer, including security telemetry, alert data, incident data, asset data, vulnerability data, and other operational security data, as further described in the Privacy Policy and Annex I, to the extent it constitutes Personal Data.

"Customer Content" means files, documents, reports, configurations, playbooks, and other content created, uploaded, or stored by the Customer within the Platform, to the extent it constitutes Personal Data.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates, and includes a "consumer" as defined under the CCPA.

"Personal Data" means any information relating to an identified or identifiable natural person that is contained in Customer Data or Customer Content and is Processed by Athena Agentic on behalf of the Customer under this DPA, and includes "personal information" as defined under the CCPA, PIPEDA, Quebec Law 25, and the Australian Privacy Act. Personal Data does not include Platform Data, Telemetry Data, Usage Data, Derived Data, Aggregated Data, or Anonymised Data (each as defined in the Privacy Policy), which Athena Agentic Processes as a Controller for its own account and not on the Customer's behalf.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed under this DPA. A Personal Data Breach does not include an unsuccessful attempt or activity that does not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems.

"Processing" (and "Process", "Processes", and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person which Processes Personal Data on behalf of the Controller. For Personal Data subject to the GDPR, UK GDPR, or FADP, Athena Agentic is the Processor.

"Restricted Transfer" means a transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country or recipient that is not the subject of an adequacy decision recognised under Applicable Data Protection Law, where such transfer would be prohibited by Applicable Data Protection Law in the absence of an appropriate transfer mechanism.

"SCCs" or "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, replaced, or superseded from time to time.

"Sell", "Share", "Service Provider", and "Sensitive Personal Information" have the meanings given in the CCPA. For Personal Data subject to the CCPA, Athena Agentic is a Service Provider.

"Sub-processor" means any third party (including an Athena Agentic affiliate) engaged by Athena Agentic to Process Personal Data on behalf of the Customer in connection with the provision of the Platform.

"Sub-processor List" means the then-current list of Sub-processors made available to the Customer in accordance with Section 7 and referenced in Annex III.

"Supervisory Authority" means an independent public authority established under Applicable Data Protection Law, including the competent supervisory authority identified in Annex I, Section C.

"Technical and Organisational Measures" or "TOMs" means the technical and organisational security measures described in Annex II.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 and in force from 21 March 2022, as amended, replaced, or superseded from time to time.

1.2 Interpretation

The terms "categories of personal data", "data concerning health", "international organisation", "special categories of personal data", and "supervisory authority" have the meanings given in the GDPR. References to a statute or statutory provision include that statute or provision as amended, extended, consolidated, re-enacted, or replaced from time to time.

2. Roles and Scope of the DPA

2.1 Relationship of the Parties

(a) This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Athena Agentic on behalf of the Customer in connection with the Platform.

(b) For Personal Data Processed under the Platform, the parties acknowledge and agree that, as between them:

  • the Customer is the Controller / Business; and
  • Athena Agentic is the Processor / Service Provider,

except where the Customer is itself a Processor acting on behalf of a third-party Controller, in which case the Customer is a Processor, Athena Agentic is a Sub-processor, and Module Three of the SCCs applies as set out in Section 8.

(c) Each party is responsible for complying with its own obligations under Applicable Data Protection Law in respect of the Processing of Personal Data under this DPA.

2.2 Incorporation into the MSA

This DPA forms part of, and is subject to, the MSA. Except as expressly modified by this DPA, the terms of the MSA remain in full force and effect. This DPA applies to the extent Athena Agentic Processes Personal Data on behalf of the Customer that is subject to Applicable Data Protection Law.

2.3 Customer Instructions and Compliance

(a) The Customer is responsible for ensuring that it has established, and will maintain throughout the term of this DPA, a valid legal basis and all necessary consents, notices, and authorisations required under Applicable Data Protection Law for the Processing of Personal Data by Athena Agentic and its Sub-processors as contemplated by the MSA and this DPA.

(b) The Customer's instructions to Athena Agentic for the Processing of Personal Data must comply with Applicable Data Protection Law. The Customer is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.

2.4 Ownership

Consistent with the Privacy Policy and the MSA, the Customer retains all right, title, and interest in and to Customer Data and Customer Content. Athena Agentic does not acquire any right, title, or interest in Personal Data other than the limited rights necessary to perform its obligations under the MSA and this DPA.

3. Details of the Processing

3.1 Subject-Matter and Scope

The subject-matter, nature, and purpose of the Processing, the types of Personal Data, the categories of Data Subjects, and the duration of the Processing are described in Annex I to this DPA. The duration of the Processing corresponds to the term of the MSA, plus any period thereafter during which Athena Agentic retains Personal Data in accordance with Section 11.

3.2 Nature and Purpose

Athena Agentic Processes Personal Data solely:

(a) for the purpose of providing, operating, supporting, securing, and maintaining the Platform and the services described in the MSA;

(b) in accordance with the Customer's documented instructions, including those set out in the MSA, this DPA, and Annex I, and any further written instructions agreed by the parties; and

(c) as required by applicable law to which Athena Agentic is subject, in which case Athena Agentic will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.3 No Independent Use

Athena Agentic does not Process Customer Data for its own commercial purposes, does not Sell or Share Personal Data, and does not use Personal Data to train artificial intelligence or machine-learning models, except as expressly permitted by the MSA, this DPA, or with the Customer's prior written consent.

4. Obligations of Athena Agentic as Processor

4.1 Processing on Documented Instructions

(a) Athena Agentic Processes Personal Data only on documented instructions from the Customer, including with regard to Restricted Transfers, unless required to do otherwise by applicable law as described in Section 3.2(c). The MSA, this DPA (including the Annexes), and the Customer's use and configuration of the Platform constitute the Customer's complete and final documented instructions to Athena Agentic.

(b) Notification of unlawful instructions. Athena Agentic will promptly inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law. Athena Agentic is not obliged to perform a legal assessment of the Customer's instructions and is not liable where an instruction infringing Applicable Data Protection Law is not detected. Where an instruction is reasonably likely to cause Athena Agentic to be in breach of Applicable Data Protection Law, Athena Agentic may suspend performance of that instruction (without liability) until the Customer confirms, amends, or withdraws it.

4.2 Confidentiality

Athena Agentic ensures that persons authorised to Process Personal Data:

(a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) Process Personal Data only as necessary to perform their duties under the MSA and this DPA; and

(c) receive appropriate training on their data-protection and security responsibilities.

4.3 Security of Processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks of varying likelihood and severity to the rights and freedoms of Data Subjects, Athena Agentic implements and maintains the Technical and Organisational Measures set out in Annex II to ensure a level of security appropriate to the risk. Athena Agentic may update or modify the TOMs from time to time, provided that such updates do not materially reduce the overall level of security provided under this DPA.

4.4 Limitation of Access

Athena Agentic restricts access to Personal Data to personnel and Sub-processors who require access to perform Athena Agentic's obligations under the MSA and this DPA, on a least-privilege, need-to-know basis, enforced through role-based access control (RBAC) and the other measures described in Annex II.

5. Assistance to the Customer

5.1 Data Subject Rights

(a) Taking into account the nature of the Processing, Athena Agentic assists the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making.

(b) If Athena Agentic receives a request from a Data Subject in respect of Personal Data Processed on behalf of the Customer, Athena Agentic will, to the extent legally permitted, promptly notify the Customer and will not respond to the request directly other than to acknowledge receipt and direct the Data Subject to the Customer, unless otherwise instructed by the Customer or required by applicable law. The Customer is responsible for responding to and fulfilling such requests.

(c) Where the Platform provides self-service functionality enabling the Customer to retrieve, correct, delete, restrict, or export Personal Data, the Customer will use that functionality to fulfil Data Subject requests where reasonably practicable.

5.2 Data Protection Impact Assessments and Prior Consultation

Taking into account the nature of the Processing and the information available to Athena Agentic, Athena Agentic provides reasonable assistance to the Customer with:

(a) data protection impact assessments under Article 35 GDPR (and equivalent provisions of Applicable Data Protection Law); and

(b) prior consultations with a Supervisory Authority under Article 36 GDPR (and equivalent provisions),

in each case solely in relation to the Processing of Personal Data by Athena Agentic under this DPA and the TOMs.

5.3 Security, Breach, and Notification Assistance

Athena Agentic assists the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR (and equivalent provisions of Applicable Data Protection Law) relating to security of Processing, notification of Personal Data Breaches to Supervisory Authorities and Data Subjects, data protection impact assessments, and prior consultation, taking into account the nature of the Processing and the information available to Athena Agentic.

5.4 Costs of Assistance

The assistance described in this Section 5 is provided at no additional charge to the extent the costs are nominal or are required to be borne by Athena Agentic under Applicable Data Protection Law. Where assistance requires material time, resources, or the development of functionality beyond the standard capabilities of the Platform, the parties will agree in good faith on reasonable reimbursement of Athena Agentic's costs before such assistance is provided.

6. Personal Data Breach Notification

6.1 Notification to the Customer

Athena Agentic notifies the Customer without undue delay, and in any event within [72] hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer. Notification will be made to the contact or notification mechanism designated by the Customer in the MSA or Annex I.

6.2 Contents of the Notice

To the extent known and reasonably available to Athena Agentic at the time of notification, the notice will:

(a) describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;

(b) describe the likely consequences of the Personal Data Breach;

(c) describe the measures taken or proposed to be taken by Athena Agentic to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and

(d) provide the name and contact details of Athena Agentic's data-protection contact or other point of contact from whom more information may be obtained.

Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay as it becomes available.

6.3 Cooperation and Remediation

Athena Agentic takes reasonable steps to investigate, contain, and remediate the Personal Data Breach and cooperates with the Customer, and provides such information as the Customer reasonably requires, to enable the Customer to meet its obligations to notify Supervisory Authorities and affected Data Subjects under Applicable Data Protection Law. The Customer is responsible for notifying Supervisory Authorities and Data Subjects of Personal Data Breaches affecting Personal Data for which it is the Controller, where required by Applicable Data Protection Law.

6.4 No Admission

Athena Agentic's notification of, or response to, a Personal Data Breach under this Section 6 is not an acknowledgement by Athena Agentic of any fault or liability with respect to the Personal Data Breach.

7. Sub-processors

7.1 General Authorisation

The Customer provides Athena Agentic with a general written authorisation to engage Sub-processors to Process Personal Data in connection with the provision of the Platform, subject to the conditions in this Section 7. The Sub-processors engaged as at the effective date are set out in, or referenced by, Annex III (the Sub-processor List).

7.2 Flow-Down Terms

Where Athena Agentic engages a Sub-processor, Athena Agentic:

(a) imposes on the Sub-processor, by way of a written contract, data-protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of Applicable Data Protection Law; and

(b) where the Sub-processor fails to fulfil its data-protection obligations, remains fully liable to the Customer for the performance of that Sub-processor's obligations to the same extent Athena Agentic would be liable if performing the services directly, subject to the limitations of liability in Section 12.

7.3 Notice of Changes and Right to Object

(a) Athena Agentic provides the Customer with at least [30] days' prior notice of the addition or replacement of any Sub-processor before that Sub-processor begins Processing Personal Data, by updating the Sub-processor List and notifying the Customer through the mechanism designated in the MSA or Annex I (which may include email to a designated address or a subscription-based notification service).

(b) The Customer may object, on reasonable data-protection grounds, to the addition or replacement of a Sub-processor by notifying Athena Agentic in writing within the notice period. The parties will work together in good faith to resolve the objection. If the parties are unable to resolve the objection within a reasonable period, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the MSA and this DPA in accordance with the termination provisions of the MSA, without liability to either party (other than for amounts accrued before termination).

7.4 Emergency Replacement

Where required to replace a Sub-processor on an expedited basis due to circumstances beyond Athena Agentic's reasonable control (including to maintain the security or availability of the Platform), Athena Agentic may engage a new Sub-processor and provide notice to the Customer as soon as reasonably practicable thereafter, and the objection right in Section 7.3(b) applies following such notice.

8. International Transfers

8.1 General

The Customer authorises Athena Agentic to transfer Personal Data to, and Process Personal Data in, the United States and other countries in which Athena Agentic or its Sub-processors maintain operations, subject to this Section 8 and Applicable Data Protection Law. Where Athena Agentic makes a Restricted Transfer, it does so in reliance on an appropriate transfer mechanism as set out below.

8.2 EU Standard Contractual Clauses (Modules Two and Three)

(a) For any Restricted Transfer of Personal Data subject to the GDPR from the Customer (as data exporter) to Athena Agentic (as data importer), the parties incorporate by reference the SCCs, which are deemed entered into and form an integral part of this DPA, completed as follows:

  • where the Customer is a Controller, Module Two (Controller to Processor) applies;
  • where the Customer is a Processor acting on behalf of a third-party Controller, Module Three (Processor to Processor) applies;
  • in Clause 7 (Docking Clause), the optional docking clause applies;
  • in Clause 9 (Use of sub-processors), Option 2 (general written authorisation) applies, and the time period for prior notice of Sub-processor changes is the period specified in Section 7.3(a) of this DPA;
  • in Clause 11 (Redress), the optional independent dispute-resolution language does not apply;
  • in Clause 17 (Governing law), the SCCs are governed by the law of the EU member state identified in Annex I, Section C (and, failing such identification, the law of the Republic of Ireland);
  • in Clause 18 (Choice of forum and jurisdiction), disputes are resolved before the courts of the member state identified in Annex I, Section C (and, failing such identification, the courts of Ireland);
  • Annex I to the SCCs is populated by Annex I to this DPA; Annex II to the SCCs is populated by Annex II to this DPA; and the list of Sub-processors for the purposes of the SCCs is the Sub-processor List referenced in Annex III.

(b) The provisions of this DPA are deemed to constitute the additional safeguards and clarifications permitted under the SCCs and do not contradict, directly or indirectly, the SCCs. In the event of any conflict between this DPA and the SCCs in respect of a Restricted Transfer subject to the GDPR, the SCCs prevail.

8.3 UK Transfers (UK Addendum)

For any Restricted Transfer of Personal Data subject to the UK GDPR, the parties incorporate by reference the UK Addendum, which is deemed completed as follows:

(a) Table 1 (Parties) is populated by Annex I, Section A of this DPA;

(b) Table 2 (Selected SCCs, Modules and Clauses) refers to the SCCs as incorporated and completed in Section 8.2;

(c) Table 3 (Appendix Information) is populated by Annexes I, II, and III of this DPA; and

(d) in Table 4, neither party may end the UK Addendum as set out in Section 19 of the UK Addendum, except as permitted by that Section.

Any conflict between the UK Addendum and this DPA in respect of a Restricted Transfer subject to the UK GDPR is resolved in favour of the UK Addendum.

8.4 Swiss Transfers

For any Restricted Transfer of Personal Data subject to the FADP, the SCCs as incorporated in Section 8.2 apply with the following amendments:

(a) the term "member state" must not be interpreted in a way that excludes Data Subjects in Switzerland from exercising their rights at their place of habitual residence in accordance with Clause 18(c) of the SCCs;

(b) references to the "GDPR" are understood to be references to the FADP insofar as the transfer is governed by the FADP;

(c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) insofar as the transfer is governed exclusively by the FADP; and

(d) the SCCs also protect the Personal Data of legal entities until the entry into force of revisions to the FADP that remove such protection.

8.5 Alternative Transfer Mechanisms

If, at any time, a transfer mechanism set out in this Section 8 is invalidated, superseded, or held to be insufficient by a competent authority or court, or a new or alternative transfer mechanism becomes available (including a relevant adequacy decision), Athena Agentic may, on notice to the Customer, adopt such alternative or replacement mechanism, and the parties will take such steps and execute such documents as are reasonably necessary to give effect to it.

8.6 Supplementary Measures and Transfer Impact Assessment

The parties acknowledge that the Technical and Organisational Measures in Annex II, together with the contractual commitments in this DPA, are intended to provide supplementary measures supporting Restricted Transfers. Athena Agentic conducts and documents transfer impact assessments (and, for UK transfers, transfer risk assessments) as required by Applicable Data Protection Law, and, upon the Customer's reasonable written request, provides information reasonably necessary to assist the Customer in conducting its own transfer impact assessment.

8.7 Government Access Requests

If Athena Agentic receives a legally binding request from a public authority for disclosure of Personal Data, Athena Agentic will, to the extent legally permitted, notify the Customer, challenge the request where it considers there are reasonable grounds to do so, and disclose only the minimum amount of Personal Data necessary to respond, consistent with Clauses 15 and 16 of the SCCs where applicable.

9. CCPA / CPRA Service-Provider Terms

9.1 Roles

With respect to Personal Data subject to the CCPA, the Customer is the Business and Athena Agentic is a Service Provider. Athena Agentic receives Personal Data from, or on behalf of, the Customer solely to perform the Business Purpose under the MSA and this DPA.

9.2 Service-Provider Restrictions

Athena Agentic will not:

(a) Sell or Share Personal Data;

(b) retain, use, or disclose Personal Data for any purpose other than for the specific Business Purpose of performing the services specified in the MSA and this DPA, or as otherwise permitted by the CCPA, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the services;

(c) retain, use, or disclose Personal Data outside the direct business relationship between Athena Agentic and the Customer; or

(d) combine Personal Data received from, or on behalf of, the Customer with personal information that Athena Agentic receives from, or on behalf of, another person, or collects from its own interaction with a Data Subject, except as permitted by the CCPA for a Service Provider.

9.3 Sensitive Personal Information

Athena Agentic does not use, retain, or disclose Sensitive Personal Information for purposes other than those permitted for a Service Provider under the CCPA and the Business Purpose.

9.4 Compliance and Certification

Athena Agentic certifies that it understands the restrictions set out in this Section 9 and will comply with them. Athena Agentic will comply with applicable obligations under the CCPA and will provide the same level of privacy protection to Personal Data as is required of a Service Provider under the CCPA. The Customer may take reasonable and appropriate steps under Section 10 to help ensure that Athena Agentic uses Personal Data in a manner consistent with the Customer's obligations under the CCPA, and, upon notice, may take reasonable and appropriate steps to stop and remediate any unauthorised use of Personal Data. Athena Agentic will notify the Customer if it determines it can no longer meet its obligations under the CCPA.

9.5 Onward Disclosure to Sub-processors

Where Athena Agentic engages a Sub-processor to Process Personal Data subject to the CCPA, Athena Agentic enters into a written contract with the Sub-processor that imposes the same obligations on the Sub-processor as a Service Provider or Contractor as those imposed on Athena Agentic under this Section 9.

10. Records, Audits, and Inspections

10.1 Records of Processing

Athena Agentic maintains records of its Processing of Personal Data on behalf of the Customer as required by Article 30(2) GDPR (and equivalent provisions of Applicable Data Protection Law).

10.2 Demonstration of Compliance

Athena Agentic makes available to the Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 GDPR (and equivalent provisions of Applicable Data Protection Law). The primary method of demonstrating compliance is the provision of:

(a) Athena Agentic's then-current third-party audit reports and certifications (such as SOC 2 Type II reports or equivalent), where available; and

(b) summaries of Athena Agentic's information-security policies, the TOMs, and responses to reasonable security questionnaires,

in each case subject to appropriate confidentiality protections.

10.3 Audits

(a) To the extent the information made available under Section 10.2 is insufficient to demonstrate compliance, Athena Agentic allows for and contributes to audits, including inspections, conducted by the Customer or an independent third-party auditor mandated by the Customer (and reasonably acceptable to Athena Agentic, and not a competitor of Athena Agentic), subject to the conditions in this Section 10.3.

(b) Any audit is subject to the following limits: (i) the Customer provides at least [30] days' prior written notice, unless a shorter period is required by a Supervisory Authority or following a Personal Data Breach; (ii) audits are conducted no more than once in any twelve (12) month period, except where required by a Supervisory Authority or following a Personal Data Breach affecting the Customer's Personal Data; (iii) audits are conducted during Athena Agentic's normal business hours, in a manner that minimises disruption to Athena Agentic's operations, and in accordance with Athena Agentic's reasonable security, confidentiality, and access policies; (iv) the scope of any audit is limited to systems, facilities, records, and information relevant to the Processing of the Customer's Personal Data, and excludes information relating to other customers, Athena Agentic's pricing or proprietary information, and any information the disclosure of which would compromise the security of Athena Agentic's systems or breach Athena Agentic's obligations to third parties; and (v) the Customer bears its own costs and the reasonable costs incurred by Athena Agentic in connection with the audit.

(c) Where the SCCs apply, the audit and inspection rights set out in the SCCs (including Clause 8.9) apply in addition to this Section 10, and this Section 10 is intended to specify and supplement, and not to limit, those rights.

11. Return and Deletion of Personal Data

11.1 Deletion or Return on Termination

Upon termination or expiry of the MSA, or otherwise upon the Customer's written request, Athena Agentic will, at the choice of the Customer, delete or return all Personal Data Processed on behalf of the Customer, and delete existing copies, unless retention is required by applicable law.

11.2 Timing and Method

(a) The Customer may export or retrieve Personal Data using the functionality of the Platform during the term of the MSA and during any post-termination retrieval period specified in the MSA.

(b) Following the expiry of any post-termination retrieval period (and in any event within [30] days after termination or expiry of the MSA, unless a different period is specified in the MSA), Athena Agentic will delete Personal Data remaining within the Platform in accordance with its standard deletion processes, including deletion from backups in the ordinary course in accordance with its backup-retention cycle.

11.3 Legal-Retention Exception

Athena Agentic may retain Personal Data to the extent, and for so long as, required by applicable law, provided that Athena Agentic ensures the continued confidentiality of such Personal Data and Processes it only as necessary for the purpose(s) for which it is retained.

11.4 Certification

Upon the Customer's written request, Athena Agentic will provide written certification that it has deleted (or returned and deleted) Personal Data in accordance with this Section 11, subject to the legal-retention exception in Section 11.3.

12. Liability

12.1 Limitations of Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the MSA, and any reference in the MSA to a party's liability means the aggregate liability of that party under the MSA and this DPA together. The existence of more than one claim does not enlarge the limit.

12.2 SCCs Carve-Out

Nothing in this DPA or the MSA limits or excludes any liability of a party to a Data Subject, or to a Supervisory Authority, that cannot be limited or excluded under Applicable Data Protection Law, including liability under the SCCs as between the parties and to Data Subjects as third-party beneficiaries.

12.3 Allocation Among Affiliates

Any claims brought under this DPA by the Customer or any Customer affiliate are brought solely against the Athena Agentic entity that is a party to the MSA, except where Applicable Data Protection Law or the SCCs require otherwise.

13. Duration, Termination, and Order of Precedence

13.1 Duration

This DPA takes effect on the effective date stated above (or, if later, the date on which it is incorporated into the MSA) and continues in force for so long as Athena Agentic Processes Personal Data on behalf of the Customer, notwithstanding the expiry or termination of the MSA, until all Personal Data has been deleted or returned in accordance with Section 11.

13.2 Termination

This DPA terminates automatically upon termination or expiry of the MSA, subject to the survival of those provisions which by their nature should survive (including Sections 1, 9, 11, 12, 13, 14, and 15 and the international-transfer mechanisms in Section 8 to the extent Personal Data continues to be Processed or retained).

13.3 Order of Precedence

In the event of any conflict or inconsistency among the documents governing the Processing of Personal Data, the following order of precedence applies (highest first):

(a) the SCCs (including, as applicable, the UK Addendum and Swiss amendments), in respect of Restricted Transfers governed by them;

(b) this DPA;

(c) the MSA; and

(d) the Privacy Policy and other Athena Agentic policies.

This DPA prevails over the MSA solely with respect to the subject matter of this DPA (the Processing of Personal Data and data protection). In all other respects, the MSA prevails.

14. General

14.1 Governing Law

This DPA is governed by, and construed in accordance with, the governing law specified in the MSA (the State of New York, United States, exclusive of its conflict-of-laws rules), except that, where the SCCs require the application of the law of an EU/EEA member state (or, for UK transfers, the laws of England and Wales, and for Swiss transfers, Swiss law), that law governs the SCCs and the matters they cover, as set out in Section 8 and Annex I, Section C. The parties acknowledge that the choice of New York law does not deprive Data Subjects of the protection afforded to them by the mandatory provisions of Applicable Data Protection Law.

14.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect, and the parties will negotiate in good faith a valid and enforceable replacement provision that most closely reflects the original intent.

14.3 Amendments

Athena Agentic may amend this DPA from time to time where reasonably necessary to comply with Applicable Data Protection Law, a decision of a competent authority, or a change to an approved transfer mechanism, on reasonable notice to the Customer. Any other amendment must be in writing and agreed by both parties.

14.4 Entire Agreement; No Third-Party Beneficiaries

This DPA, together with the MSA and (where applicable) the SCCs, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes any prior data-processing terms. Except for the rights of Data Subjects under the SCCs and rights that cannot be excluded under Applicable Data Protection Law, this DPA does not confer any rights on any third party.

14.5 Counterparts and Electronic Signature

This DPA may be executed in counterparts, including by electronic signature, each of which is deemed an original and all of which together constitute one instrument.

15. Contact

For all matters relating to this DPA, the Processing of Personal Data, Sub-processor lists, transfer-safeguard copies, or Data Subject requests:

Privacy: Privacy@athenaagentic.com (subject line: "Data Processing Agreement")

Legal: Legal@athenaagentic.com

Annex I

A. List of Parties

Data Exporter

| Field | Details |
| --- | --- |
| Name | [Customer legal name] |
| Address | [Customer registered address] |
| Contact person's name, position, and contact details | [Customer data-protection / privacy contact: name, title, email, telephone] |
| Activities relevant to the data transferred | Receipt and use of the Athena Agentic Platform (Aegis / Vigil / Citadel) for security operations, as described in the MSA. |
| Role | [Controller / Processor] (Module Two where Controller; Module Three where Processor) |
| Signature and date | [Signature] [Name] [Title] [Date] |

Data Importer

| Field | Details |
| --- | --- |
| Name | Athena Agentic, Inc. |
| Address | [Athena Agentic registered address] |
| Contact person's name, position, and contact details | Privacy Team, Privacy@athenaagentic.com; Legal Team, Legal@athenaagentic.com |
| Activities relevant to the data transferred | Provision, operation, support, and security of the Athena Agentic Platform on behalf of the Customer, as described in the MSA and this DPA. |
| Role | Processor (Module Two) / Sub-processor (Module Three) |
| Signature and date | [Signature] [Name] [Title] [Date] |

B. Description of the Transfer / Processing

| Item | Description |
| --- | --- |
| Categories of Data Subjects | The Customer's personnel, contractors, and authorised users of the Platform; the Customer's customers, employees, and end users whose data appears in security telemetry; account holders and identity records; and other individuals whose Personal Data is contained in Customer Data or Customer Content as determined and configured by the Customer. [Customer to confirm / supplement] |
| Categories of Personal Data | As determined and configured by the Customer, which may include: user and account identifiers (names, usernames, work email addresses, roles); authentication and access-log data; IP addresses and device identifiers; network flow and traffic data; endpoint telemetry; security event and alert data; incident and case data; asset and inventory data; vulnerability and risk data; and correspondence/support data. [Customer to confirm / supplement] |
| Special categories of Personal Data | None required or requested by the Platform. The Platform is not designed or intended to Process special categories of Personal Data. To the extent any special-category data is contained within Customer Data (for example, incidentally within security telemetry or log content), it is Processed only as part of the Customer-supplied data and is subject to the safeguards in Annex II. [Customer to confirm, additional safeguards, if any] |
| Frequency of the transfer | Continuous, on an ongoing basis, for the duration of the MSA. |
| Nature of the Processing | Collection, recording, organisation, structuring, storage, retrieval, consultation, use, analysis (for security detection, correlation, and response), disclosure to authorised users and Sub-processors, restriction, erasure, and destruction, as necessary to provide the Platform. |
| Purpose(s) of the transfer and Processing | To provide, operate, support, secure, and maintain the Athena Agentic Platform (Aegis / Vigil / Citadel) for the Customer's security-operations purposes, in accordance with the MSA, this DPA, and the Customer's documented instructions. |
| Duration of Processing / period of retention | For the term of the MSA, plus any post-termination retrieval and deletion period specified in Section 11, plus any period required by applicable law. |
| Sub-processor Processing (Module Three / subject-matter, nature, and duration) | Where Sub-processors are engaged, the subject-matter and nature of their Processing is limited to cloud hosting, data storage, infrastructure, and related operational services necessary to provide the Platform, for the duration of the relevant Sub-processor engagement and no longer than the term of the MSA. See Annex III. |

C. Competent Supervisory Authority

| Item | Details |
| --- | --- |
| Supervisory authority for the SCCs (Module Two / Module Three) | [To confirm, the supervisory authority of the EU/EEA member state in which the data exporter is established; or, where the exporter is not established in the EU/EEA but falls within the territorial scope of the GDPR under Article 3(2) and has appointed a representative under Article 27, the supervisory authority of the member state in which the representative is established.] |
| Member-state law governing the SCCs (Clauses 17 and 18) | [To confirm, EU/EEA member-state law; default: law of the Republic of Ireland if not otherwise specified.] |
| UK transfers | Information Commissioner's Office (ICO), United Kingdom. |
| Swiss transfers | Swiss Federal Data Protection and Information Commissioner (FDPIC). |

Annex II. Technical and Organisational Measures

Athena Agentic implements and maintains the following technical and organisational measures, which may be updated from time to time provided the overall level of security is not materially reduced. These measures constitute Annex II to the SCCs (Technical and organisational measures including technical and organisational measures to ensure the security of the data).

| # | Measure | Description |
| --- | --- | --- |
| 1 | Encryption in transit | Personal Data is encrypted in transit using TLS 1.2 or higher across public networks and between Platform components. |
| 2 | Encryption at rest | Personal Data is encrypted at rest using industry-standard algorithms (e.g., AES-256) at the storage and/or database layer. |
| 3 | Access control and RBAC | Access to Personal Data is restricted on a least-privilege, need-to-know basis and enforced through role-based access control (RBAC), enterprise single sign-on (SSO), and multi-factor authentication (MFA) for administrative and privileged access. |
| 4 | Tenant isolation | Customer Data is logically segregated using schema-per-tenant isolation, preventing one customer's data from being accessed by another customer. |
| 5 | Pseudonymisation and minimisation | Where technically feasible and consistent with the provision of the services, Personal Data is minimised and pseudonymised, and data transferred internationally is limited to what is necessary. |
| 6 | Resilience and availability | The Platform is designed for resilience and availability, including redundancy, backups, and recovery procedures intended to restore availability and access to Personal Data in a timely manner following an incident. |
| 7 | Backup and recovery | Regular backups are performed and protected with encryption and access controls; restoration procedures are maintained and tested. |
| 8 | Testing and vulnerability management | Athena Agentic maintains a vulnerability-management and security-testing program, including periodic vulnerability scanning, patch management, and security testing (such as penetration testing), and a process for regularly testing, assessing, and evaluating the effectiveness of the TOMs. |
| 9 | Logging and monitoring | Security-relevant events and access to Personal Data are logged and monitored; audit logs are retained in accordance with applicable security standards and legal obligations. |
| 10 | Incident response | Athena Agentic maintains a documented incident-response process covering detection, triage, containment, investigation, remediation, and notification of Personal Data Breaches in accordance with Section 6. |
| 11 | Secure development | Secure software-development practices, change management, code review, and segregation of development, testing, and production environments. |
| 12 | Physical and data-centre security | Physical security of the underlying infrastructure is provided by Athena Agentic's hosting Sub-processors operating data centres with industry-recognised physical-security and environmental controls and certifications (see Annex III). |
| 13 | Personnel measures | Personnel with access to Personal Data are subject to confidentiality obligations, receive security and data-protection training, and access is provisioned and de-provisioned through a managed joiner-mover-leaver process; background screening is performed where lawful and appropriate. |
| 14 | Vendor / Sub-processor management | Sub-processors are assessed for security and data-protection adequacy and are bound by contractual obligations no less protective than those in this DPA (Section 7). |
| 15 | Data deletion | Documented processes are maintained for the return and secure deletion of Personal Data upon termination or expiry, in accordance with Section 11. |
| 16 | Governance and certifications | Athena Agentic maintains information-security policies and governance, and (where available) third-party attestations such as SOC 2 Type II or equivalent, made available to the Customer in accordance with Section 10. [To confirm current certifications.] |

Annex III. List of Sub-processors

The current list of Sub-processors authorised under the general written authorisation in Section 7 is the Sub-processor List, made available to the Customer and maintained in accordance with Section 7. The Sub-processors engaged as at the effective date of this DPA include:

| Sub-processor | Service Provided | Processing Location(s) | Transfer Mechanism (for Restricted Transfers) |
| --- | --- | --- | --- |
| Vercel, Inc. | Application hosting, edge delivery, and serverless compute for the Platform and Website | [United States / as applicable] | SCCs / UK Addendum / Swiss amendments as applicable (Section 8) |
| Neon, Inc. | Managed PostgreSQL database hosting and storage for the Platform | [United States / as applicable] | SCCs / UK Addendum / Swiss amendments as applicable (Section 8) |
| [Additional Sub-processors] | [Service] | [Location] | [Mechanism] |

For the current Sub-processor List, or to subscribe to notifications of changes, contact Privacy@athenaagentic.com.

*End of Data Processing Agreement.*

Source of truth: /docs/legal/DataProcessingAgreement.md