These Data Processing Terms are covered by, and form an integral part of, the Sekyr Varde Terms of Service. They are incorporated into the Terms of Service by reference and apply automatically to all Customers globally whenever Sekyr processes Customer Personal Data in providing the Service, regardless of which data protection laws apply to that processing. No separately signed data processing agreement is required: acceptance of the Terms of Service constitutes acceptance of these Data Processing Terms, the Customer’s documented processing instructions, and, where applicable, deemed execution of the Standard Contractual Clauses incorporated in Section 6.
Capitalized terms not defined here have the meanings given in the Sekyr Varde Terms of Service (“Terms”). “Personal Data”, “controller”, “processor”, “processing”, “data subject”, “Personal Data Breach”, and “supervisory authority” have the meanings given in Regulation (EU) 2016/679 (“GDPR”). “Customer Personal Data” means Personal Data contained in Telemetry, Customer Images, or account data processed by Sekyr on behalf of the Customer in providing the Service.
01 Scope and Automatic Global Application
These Data Processing Terms (“DPT” or “DPA”) form part of the Terms and apply automatically, globally, and without signature whenever Sekyr processes Customer Personal Data in providing the Service, regardless of which data protection laws apply to that processing. Where a Customer has previously signed a bilateral data processing agreement with Sekyr (including on the Danish Datatilsynet standard-clauses form), that bilateral agreement continues to apply to that Customer and supersedes these DPT to the extent of any conflict; these DPT extend equivalent terms to all other Customers and otherwise govern.
02 Roles and Instructions
With respect to Customer Personal Data, Customer acts as controller (or as a processor acting on behalf of its own customers), and Sekyr acts as processor (or sub-processor, respectively). Sekyr processes Customer Personal Data only on the Customer’s documented instructions (the Terms, the Documentation, and Customer’s configuration and use of the Service), unless required to process by EU/EEA, Member-State, or Norwegian law, in which case Sekyr will inform the Customer of that legal requirement before processing unless the law prohibits it. Sekyr will inform the Customer if, in Sekyr’s opinion, an instruction infringes the GDPR or other applicable data protection law.
03 Processor Obligations (Article 28 GDPR)
Sekyr shall:
- (a) process Customer Personal Data only on documented instructions;
- (b) ensure that persons authorized to process Customer Personal Data are bound by confidentiality (whether contractual or statutory) and act on a need-to-know basis;
- (c) implement the technical and organizational measures required by Article 32 GDPR (Annex II and the Trust Center);
- (d) respect the Sub-processor conditions in Section 5;
- (e) assist the Customer, by appropriate technical and organizational measures and insofar as possible, in responding to data-subject requests (Section 8);
- (f) assist the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to Sekyr;
- (g) at the Customer’s choice, delete or return Customer Personal Data at the end of the provision of services (Section 10); and
- (h) make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (Section 9).
04 Security of Processing and Breach Notification
Sekyr implements and maintains the technical and organizational measures summarized in Annex II, as described in detail in the Trust Center at sekyr.com/trust (including the published Information & Cyber Security Policy and Incident Response Plan), which constitute the authoritative description of Sekyr’s security measures.
Sekyr will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information available under Article 33(3) GDPR and consistent with Sekyr’s published incident-disclosure commitment in the Trust Center, so that the Customer can meet its own notification obligations under Article 33 GDPR or other applicable law.
05 Sub-processors
Customer provides general authorization for Sekyr to engage Sub-processors. The authoritative, current list of Sub-processors (including each Sub-processor’s purpose, the categories of data processed, and processing location) is maintained at sekyr.com/sub-processors, together with a dated change history. That published list constitutes the agreed list of Sub-processors for the purposes of these DPT and, where applicable, Annex III to the Standard Contractual Clauses.
Sekyr imposes on each Sub-processor, by written contract, data-protection obligations no less protective than these DPT, and remains liable to the Customer for its Sub-processors’ performance. Sekyr will give advance notice before a new Sub-processor begins processing Customer Personal Data, and before any material change to the scope of an existing Sub-processor’s processing. Customers may subscribe to change notifications by writing to privacy@sekyr.com and may object on reasonable data-protection grounds; if an objection cannot be resolved, the Customer’s remedy is to terminate the affected portion of the Service.
06 International Data Transfers
6.1 Baseline. Sekyr (Norway) is established in the EEA. Sekyr’s production infrastructure and Sub-processors are located in the EEA or in countries benefiting from a European Commission adequacy decision, as shown for each Sub-processor in the list at sekyr.com/sub-processors. Transfers to adequacy countries (currently including Switzerland, per Commission Decision 2000/518/EC as reconfirmed under the GDPR by the Commission’s review of 15 January 2024) require no additional safeguard. Inbound transmissions of personal data from a non-EEA Customer to Sekyr as an EEA-established processor do not constitute a Chapter V “transfer” requiring a transfer tool.
6.2 Fallback: Standard Contractual Clauses (incorporated by reference). To the extent any transfer of Customer Personal Data subject to the GDPR is made to a country outside the EEA that does not benefit from an adequacy decision, the parties incorporate by reference and are deemed to have entered into the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), applying Module Two (controller-to-processor) where Customer is a controller and Module Three (processor-to-processor) where Customer is itself a processor, with the docking clause, and the Annexes completed using the information in these DPT (Annex I: processing details in Annex I below; Annex II: the measures in Annex II below; Annex III: the Sub-processor list in Section 5).
6.3 UK and Switzerland. For transfers subject to the UK GDPR, the parties incorporate the ICO’s International Data Transfer Addendum to the EU SCCs (version B1.0, in force 21 March 2022), with the tables deemed completed by the information in these DPT; Sekyr will adopt the ICO’s updated transfer tools when issued. For transfers subject to the Swiss FADP, the EU SCCs apply with the standard Swiss adaptations (references to the GDPR read as references to the FADP where applicable; the Swiss FDPIC as competent supervisory authority for FADP-only transfers; data subjects in Switzerland may enforce their rights in their place of habitual residence).
6.4 Precedence. The incorporated clauses prevail over any conflicting provision of these DPT or the Terms, to the extent of the conflict.
07 US State Privacy Laws (CCPA/CPRA and equivalents)
Where the California Consumer Privacy Act, as amended by the CPRA, applies, Sekyr acts as a “service provider”: Sekyr does not sell or share Customer Personal Data; does not retain, use, or disclose it for any purpose other than performing the Service or as otherwise permitted by the CCPA; and certifies that it understands and will comply with these restrictions. Comparable processor/service-provider terms apply under other US state privacy laws to the extent applicable.
08 Data-Subject Requests, DPIAs, and Prior Consultation
Taking into account the nature of processing and the information available to it, Sekyr will assist the Customer by appropriate technical and organizational measures in fulfilling the Customer’s obligations to respond to data-subject requests and in conducting data protection impact assessments and any prior consultation with a supervisory authority.
09 Audit and Reliance on Third-Party Reports
Sekyr will make available to the Customer information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections. The Customer’s audit right is primarily satisfied by Sekyr’s third-party attestations, certificates, and reports (e.g., ISO/IEC 27001 materials and penetration-test summaries) made available under NDA via the Trust Center or security@sekyr.com. On-site or expanded audits are available where required by applicable data protection law or a supervisory authority, on reasonable prior notice, no more than once per twelve (12) months absent a Personal Data Breach or regulator requirement, and subject to confidentiality controls and reasonable cost allocation.
10 Deletion or Return on Termination
On termination of the Service, Sekyr will, at the Customer’s choice, delete or return Customer Personal Data, and delete existing copies, within the retention windows set out in the Terms (Execution Reports not contributing to a Security Event: deleted after 30 days; Security-Event reports: retained until deleted by Customer or termination), unless storage is required by EU/EEA, Member-State, or Norwegian law. Aggregated and anonymized data may be retained as described in the Terms.
11 Liability
Liability arising under these DPT and any incorporated Standard Contractual Clauses is subject to the limitations and exclusions in the Terms (Limitation of Liability), except to the extent applicable data protection law prohibits such limitation or where the SCCs’ own liability provisions mandate otherwise (in which case the SCCs prevail to the extent of the conflict). Nothing in these DPT limits a data subject’s rights under Article 82 GDPR.
Annex I: Details of Processing
A. List of parties
Data exporter: the Customer (controller, or processor on behalf of its own customers). Data importer: Sekyr AS, Oslo, Norway (processor). Contact: privacy@sekyr.com.
B. Description of processing
- Subject matter: Provision of the Varde container-image instrumentation and runtime-reporting service.
- Duration: The term of the Terms, plus the retention windows stated in the Terms.
- Nature and purpose: Instrumentation of Customer container images at pull time; collection, transmission, analysis, storage, and presentation of Execution Reports to provide execution-level security visibility and alerting.
- Categories of data subjects: Customer’s personnel, contractors, and end users whose data may appear in workload execution context (e.g., usernames, environment variables, stdout/stderr, network identifiers); Customer account users.
- Categories of Personal Data: Container usernames and hostnames; environment variables present at execution (subject to documented filtering); stdout/stderr content; IP addresses and ports; process and execution context; account identifiers and authentication metadata. Telemetry content depends on Customer workload configuration and may incidentally include other personal data placed there by the Customer.
- Special categories: Not intended to be processed; may be present only if the Customer’s workloads expose such data in execution context. Customer is responsible for avoiding this (Terms, Section 3.3).
- Frequency: Continuous (event-driven, on execution of instrumented binaries).
- Retention: Per the Terms: 30 days for non-Security-Event reports; Security-Event reports until deleted by Customer or termination.
C. Competent supervisory authority
Datatilsynet (Norway), or the authority determined under Clause 13 of the SCCs where the SCCs apply.
Annex II: Technical and Organizational Measures (TOMs)
The authoritative, current description of Sekyr’s technical and organizational measures is published and maintained in the Trust Center at sekyr.com/trust, including the Information & Cyber Security Policy (sekyr.com/security-policy) and the Incident Response Plan (sekyr.com/incident-response). Those published measures are incorporated into this Annex by reference and, where the Standard Contractual Clauses apply, constitute Annex II thereto. Sekyr may update the measures provided the overall level of security is not materially degraded.
At a minimum, Sekyr maintains measures in the following categories:
- Data security: Encryption in transit and at rest; non-reversible credential hashing; encrypted, regularly tested backups; key management with separation of duties; data minimization with retention enforced per data class.
- Application security: Secure development lifecycle aligned with recognized industry standards (OWASP), security gating in CI/CD, defined patch timelines, and mandatory peer code review.
- Identity and access: Single sign-on support, multi-factor authentication on privileged paths, least-privilege role-based access with periodic reviews, and append-only activity logging traceable to individuals.
- Infrastructure: Production hosting on certified EU data-center infrastructure (certifications and attestations of the hosting provider are listed in the Trust Center and Sub-processor list), with physical security, environmental controls, and multi-zone redundancy.
- People and governance: A named Security Team accountable for the ISMS; security and privacy training on hire and annually; a risk-based ISMS conducted in line with the requirements of ISO/IEC 27001 with periodic management review; post-incident reviews and continuous improvement.
Contacts. Security disclosures: security@sekyr.com. Data protection and privacy: privacy@sekyr.com.
Annex III: Authorized Sub-processors
The authorized Sub-processors are those published, and updated from time to time in accordance with Section 5, at sekyr.com/sub-processors. That list, as it stands at the relevant time, constitutes this Annex.
These Data Processing Terms are published at the Sekyr Trust Center and are incorporated into the Sekyr Varde Terms of Service. They bind Sekyr and every Customer automatically upon acceptance of the Terms of Service; no separate signature is required.