Draft — pre-launch review required

Data Processing Agreement

Working draft. The final DPA will be signed (or accepted electronically) before any production customer data is processed.

1. Roles

You ("Customer", "Controller") are the data controller. Equa ApS ("EQUA", "Processor"), Bredgade 30, 1260 Copenhagen K, Denmark, is the data processor with respect to personal data contained in the alerts you send to CyberRunner and the operational metadata derived from them.

2. Purpose and scope

We process alert data solely to:

• Perform the triage service you've contracted for (the 12-agent investigation pipeline).
• Produce verdicts, risk scores, narratives, evidence packages, and audit trails for your use.
• Operate, secure, and meter the service (rate-limiting, billing, abuse prevention).
• Comply with our legal obligations.

We do not use your alert data to train models that benefit other customers, build cross-customer threat intelligence we sell back to anyone else, or for any purpose unrelated to providing you the service.

3. Categories of data and data subjects

Data subjects: typically employees and contractors of your organisation whose actions are surfaced in security alerts; occasionally external parties whose IPs, accounts, or artifacts appear in alerts.

Categories of data: identifiers (usernames, email addresses, host names, IP addresses, device identifiers), authentication events, network metadata, file hashes, URLs, and any other content embedded in the alerts you choose to submit. CyberRunner does not require — and is not designed to receive — special categories of personal data under GDPR Art. 9; please don't send any.

4. Duration

This DPA is effective for the duration of your CyberRunner subscription, plus any post-termination period required to export or delete your data.

5. Sub-processors

Current list:

• Stripe Payments Europe Ltd. (Dublin, Ireland) — payment processing.
• Microsoft Ireland Operations Ltd. (Azure West Europe) — compute and storage for instances provisioned in Azure.
• Hetzner Online GmbH (Germany) — compute and storage for instances provisioned in Hetzner.
• The LLM provider you select (e.g. Anthropic for Claude, OpenAI for GPT, or a local Qwen instance running on your own infrastructure).
• Resend or equivalent (EU) — transactional email delivery (welcome / setup-link emails).

The current list is also available on request. We notify you at least 30 days before any change. You may object to a new sub-processor; if we can't accommodate the objection, you may terminate without penalty.

6. Security measures

EQUA implements appropriate technical and organisational measures, including:

• Encryption — TLS 1.3 in transit; AES-256 at rest via provider-managed keys; integration secrets double-enveloped with our own Fernet key.
• Tenant isolation — one container per customer; no shared databases; no shared filesystems; no shared compute.
• Access control — role-based authorisation; MFA enforced for all operator and customer admin accounts; per-key hashed API tokens.
• Audit logging — operator and user actions, LLM calls, and tool calls logged per instance; logs retained per Danish/EU obligations.
• Vulnerability management — dependency scanning in CI; secret scanning in CI; periodic penetration testing; responsible disclosure programme at security@equa.dk.
• Personnel — confidentiality undertakings for all staff with access to customer data; background checks for security-cleared roles.

See /security for the full picture and our certifications roadmap.

7. Breach notification

We notify you without undue delay (and in any case within 72 hours) of becoming aware of a personal-data breach affecting your data. The notification will include the nature of the breach, categories of data and approximate number of records affected, likely consequences, and the measures we've taken or propose to take.

8. Data subject requests

We assist you in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection). Technical means for all of these are exposed via the customer console. Where assistance from us is needed (e.g. erasure of data inside an in-flight investigation), we respond within reasonable timeframes — by default, within 14 calendar days of receiving a written request.

9. International transfers

Data stays in the EU by default. If a transfer outside the EEA is required (e.g. you've chosen a non-EU LLM backend), the transfer is covered by Standard Contractual Clauses (Module 3, processor-to-processor) and disclosed to you in writing in advance.

10. Audits

You may audit our compliance with this DPA once per year, on at least 30 days' written notice, by submitting a security questionnaire and reviewing our latest SOC 2 readiness pack (when available) or equivalent evidence. On-site audits are by appointment and on cost-recovery terms.

11. Return / deletion

On termination of the underlying subscription you may export your data for 30 days. After that we delete it within 30 days, except where mandatory law requires longer retention (e.g. accounting records for tax purposes). On request, we provide written confirmation of deletion.

12. Liability and governing law

Liability under this DPA is subject to the same limits as the underlying subscription terms (see /legal/terms). Governed by Danish law; exclusive venue Copenhagen City Court.