VeriGenAI Security Platform Data Processing Agreement
Effective Date: January 1st, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between VeriGenAI ("Processor") and you ("Controller") for the provision of our security intelligence platform services (collectively, the "Agreement"). This DPA governs the processing of Personal Data and Security Data in accordance with applicable Data Protection Laws.
Security Focus: This DPA is specifically designed for enterprise cybersecurity platforms and addresses the unique data protection requirements for security assessment data, vulnerability findings, and threat intelligence.
2. Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Controller": The enterprise organization that determines the purposes and means of processing Personal Data and Security Data
- "Processor": VeriGenAI, which processes Personal Data and Security Data on behalf of the Controller through our security assessment platform
- "Personal Data": Any information relating to an identified or identifiable natural person, including security team contact information
- "Security Data": Vulnerability findings, assessment results, compliance reports, and related security intelligence generated by our platform
- "Data Protection Laws": All applicable laws relating to data protection and privacy, including GDPR, CCPA, and sector-specific regulations
- "GDPR": The General Data Protection Regulation (EU) 2016/679
- "Sub-processor": Any vetted third party engaged by VeriGenAI to process data on behalf of the Controller
- "Security Incident": Any breach of security leading to unauthorized access, use, disclosure, or loss of data
3. Nature and Purpose of Processing
Processing Activities: VeriGenAI processes data to provide:
- Automated GenAI security assessments using specialized attack agents
- OWASP LLM Top 10 compliance testing and reporting
- Vulnerability analysis and threat intelligence services
- Executive security dashboards and compliance analytics
- Continuous security monitoring and alerting
Duration: This DPA remains in effect for the duration of the Agreement and continues until all data is securely deleted or returned according to the data retention schedule.
4. Security-Specific Processor Obligations
VeriGenAI, as Processor, agrees to:
- Confidential Processing: Process all Security Data and Personal Data only on documented instructions from the Controller
- Security Team Access: Ensure only authorized security personnel have access to the Controller's data
- Vulnerability Data Protection: Maintain strict confidentiality of all security findings and vulnerability information
- Data Subject Assistance: Assist Controller in fulfilling data subject rights related to security team information
- Security Incident Response: Provide immediate notification and detailed incident reports for any security incidents
- Compliance Support: Assist with security audits, impact assessments, and regulatory compliance requirements
- Data Return/Deletion: Securely delete or return all data according to enterprise security standards
5. Controller Obligations
The Controller agrees to:
- Legal Basis: Ensure lawful basis for processing Personal Data and transferring Security Data to VeriGenAI
- Authorized Testing: Confirm authorization to conduct security assessments on all submitted systems
- Clear Instructions: Provide documented instructions regarding data processing and security requirements
- Internal Compliance: Maintain compliance with all applicable Data Protection Laws
- Security Team Training: Ensure authorized personnel understand data protection obligations
- Incident Cooperation: Cooperate with VeriGenAI in security incident response and investigation
6. Sub-processor Management
Limited Sub-processing: VeriGenAI may engage carefully vetted Sub-processors for specific security platform functions:
- Cloud infrastructure providers with enterprise security certifications
- Security monitoring and SIEM service providers
- Backup and disaster recovery services with appropriate security controls
All Sub-processors are bound by data protection obligations consistent with this DPA. VeriGenAI provides 30 days' notice before engaging new Sub-processors, and Controller may object to any Sub-processor that does not meet enterprise security requirements.
7. Enterprise Security Measures
VeriGenAI implements comprehensive security measures appropriate for a cybersecurity platform:
- Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Access Controls: Role-based access controls with principle of least privilege
- Network Security: Zero-trust architecture with network segmentation
- Data Isolation: Logical separation of customer security data with cryptographic isolation
- Monitoring: Continuous security monitoring with automated threat detection
- Vulnerability Management: Regular security assessments and penetration testing
- Backup Security: Encrypted backups with secure deletion capabilities
- Physical Security: Secure data centers with appropriate environmental and access controls
8. Security Incident Response
Rapid Notification: VeriGenAI shall notify Controller within 4 hours of becoming aware of any Security Incident affecting Controller's data.
Incident Details: Notifications include:
- Nature and scope of the Security Incident
- Categories and approximate numbers of data subjects affected
- Types of Personal Data and Security Data involved
- Immediate containment measures taken
- Likely consequences and mitigation steps
- Contact information for further details
Ongoing Communication: VeriGenAI provides regular updates during incident response and a comprehensive post-incident report within 30 days.
9. Audit Rights and Security Transparency
Enterprise Audit Rights: VeriGenAI makes available all information necessary to demonstrate compliance with this DPA, including:
- Security certifications and compliance reports
- Third-party security assessments and penetration test summaries
- Data processing logs and access records (where legally permissible)
- Security control documentation and policies
Enterprise customers may conduct on-site audits with reasonable advance notice, subject to confidentiality agreements and security requirements.
10. Data Retention and Secure Deletion
Security Data Retention:
- Active security assessment data: Duration of subscription
- Historical compliance reports: 7 years for audit requirements
- Vulnerability findings: 3 years for trend analysis
- Access logs: 1 year for security monitoring
Secure Deletion: Upon termination or data retention expiry, VeriGenAI employs cryptographic erasure and secure wiping procedures that meet DoD standards. Written confirmation of secure data destruction is provided upon request.
11. International Data Transfers
Transfer Safeguards: For international data transfers, VeriGenAI implements appropriate safeguards:
- Standard Contractual Clauses approved by relevant data protection authorities
- Adequacy decisions where applicable
- Additional security measures for sensitive security data
- Regional data residency options for enterprise customers
12. Liability and Indemnification
Security Platform Liability: Each party's liability under this DPA is subject to the limitations set out in the main Agreement. However, liability for data protection violations and security incidents is not limited where applicable law prohibits such limitation.
VeriGenAI maintains comprehensive cyber liability insurance appropriate for an enterprise security platform. Nothing in this DPA limits either party's liability for willful misconduct or gross negligence in data protection.
13. Governing Law and Dispute Resolution
This DPA is governed by the laws of the State of Texas, without regard to conflict of law provisions. Disputes relating to data protection are resolved through:
- Direct negotiation between designated data protection officers
- Mediation by qualified data protection experts
- Binding arbitration in Dallas, Texas if necessary
All dispute resolution proceedings remain confidential to protect sensitive security information.
14. Contact Information and Data Protection Officers
For data protection matters and DPA-related inquiries:
VeriGenAI Security Platform
United States of America
15. DPA Effectiveness and Updates
This DPA becomes effective upon acceptance of the Terms of Service and remains binding throughout the Agreement term. Material changes to this DPA will be communicated 30 days in advance.
Enterprise Integration: This DPA supplements enterprise Master Service Agreements and integrates with existing corporate data governance frameworks.