Data Processing Agreement
Version 4.0
Effective: 1 January 2025
GDPR Article 28 Compliant
Public Template
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement between Shield Corporation ("Processor") and the Customer ("Controller"). It governs the processing of personal data by Shield Corporation on behalf of the Customer in accordance with GDPR Article 28.
Parties
- 🏢 Data Controller: [Customer Name] — the entity that determines the purposes and means of processing personal data.
- 🛡️ Data Processor: Shield Corporation · 100 Shield Plaza, San Francisco, CA 94105 · dpo@shieldcorp.com
Article 1 — Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation on Personal Data. All other terms carry GDPR meanings.
Article 2 — Scope & Purpose
Shield Corporation processes Personal Data only on documented instructions from the Controller, solely for the purpose of providing the Shield platform as defined in the applicable Master Service Agreement.
Article 3 — Processor Obligations
- Process Personal Data only on documented Controller instructions
- Ensure authorised persons are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (Article 5)
- Respect conditions for engaging sub-processors (Article 4)
- Assist with Data Subject rights, security obligations, breach notifications, and DPIAs
- Delete or return all Personal Data upon contract termination
- Provide all information necessary to demonstrate compliance and support audits
Article 4 — Sub-Processors
The Controller grants general authorisation to engage sub-processors listed at shieldcorp.com/subprocessors. Shield Corporation provides 30-day advance notice before adding any new sub-processor. The Controller may object within this period.
Article 5 — Security Measures
- AES-256 encryption at rest; TLS 1.3 for data in transit
- Mandatory MFA for all personnel with data access
- Role-based access control with quarterly access reviews
- Annual CREST-accredited penetration testing
- Continuous vulnerability scanning; 48-hour critical patch SLA
- SOC 2 Type II certified; ISO 27001 aligned
Article 6 — International Transfers
Transfers outside the EEA/UK/Switzerland are governed by EU SCCs, UK IDTAs, or adequacy decisions. Transfer Impact Assessments are conducted for all high-risk flows.
Article 7 — Breach Notification
Shield Corporation notifies the Controller within 72 hours of becoming aware of a Personal Data Breach, including nature of breach, categories affected, estimated records, likely consequences, and measures taken.
Article 8 — Audit Rights
The Controller may audit compliance on minimum 30-day notice, maximum once per calendar year. Current SOC 2 and ISO 27001 reports may be provided in lieu of on-site audits.
Annex I — Description of Processing
| Element | Details |
| --- | --- |
| Categories of Data Subjects | Customer employees, contractors, and end users of the Shield platform |
| Categories of Personal Data | Account credentials, usage logs, IP addresses, communication content uploaded by Controller |
| Sensitive Data | None by default. Controller is responsible for ensuring no special category data is uploaded without prior written agreement |
| Frequency | Continuous, for the duration of the service agreement |
| Retention Period | Contract duration + 30 days, then deletion confirmation provided |
Data Controller
Name: ___________________
Title: ___________________
Date: ___________________
Shield Corporation (Processor)
Name: Chief Privacy Officer
Title: Shield Corporation
Date: ___________________
Sub-Processor List
Version 3.2
Effective: 1 January 2025
Next Review: 1 January 2026
Public
GDPR Article 28(4) Disclosure. All sub-processors are contractually bound to provide the same level of data protection as Shield Corporation's DPA. Customers are notified at least 30 calendar days in advance of any new sub-processor.
| Sub-Processor | Purpose | Data Processed | Regions | Safeguards |
| --- | --- | --- | --- | --- |
| Amazon Web Services | Infrastructure | All customer data (encrypted) | US, EU, APAC | SCCs, ISO 27001, SOC 2 |
| Datadog | Observability | System logs, metrics (no PII) | US, EU | SCCs, SOC 2 Type II |
| Okta | Identity | Employee usernames, email, MFA tokens | US, EU | SCCs, ISO 27001, SOC 2 |
| Salesforce | CRM | Contact name, email (no production data) | US | SCCs, ISO 27001 |
| PagerDuty | Alerting | Employee on-call contact details | US | SCCs, SOC 2 Type II |
| SendGrid (Twilio) | Email | Recipient email, content | US, EU | SCCs, SOC 2 Type II |
| Stripe | Payments | Billing name, card metadata (tokenised) | US, EU | PCI DSS L1, SCCs |
| HashiCorp Vault | Secrets | Encrypted secrets (no plaintext PII) | US | SCCs, SOC 2 Type II |
| Drata | Compliance | System configs, audit evidence | US | SCCs, SOC 2 Type II |
| Proofpoint | Email Security | Email metadata, threat intel | US, EU | SCCs, ISO 27001 |
Subscribe to change notifications at shieldcorp.com/subprocessors/subscribe. Contact privacy@shieldcorp.com to object to a new sub-processor within the 30-day notice period.
Privacy Policy
Version 5.1
Effective: 1 March 2025
Public
Shield Corporation ("Shield", "we", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with our enterprise security platform and services.
1. Who We Are
Shield Corporation is a data controller for personal data collected via our website and marketing activities. For data processed on behalf of our enterprise customers, we act as a data processor under a signed DPA. Registered address: 100 Shield Plaza, San Francisco, CA 94105, USA.
2. Data We Collect
- Account data: Name, work email, job title, company name, and password hash
- Usage data: Log data, IP addresses, browser type, pages visited, and feature interactions
- Communication data: Emails, support tickets, and chat messages sent to us
- Billing data: Company name, billing address, and tokenised payment method (no full card numbers stored)
- Customer-uploaded data: Processed as a data processor under your instructions
3. Lawful Bases (GDPR)
- Contract — to deliver contracted services
- Legitimate Interests — security monitoring, fraud prevention, and product improvement
- Legal Obligation — to comply with applicable law
- Consent — for optional marketing communications (withdrawable at any time)
4. How We Use Your Data
- Providing, operating, and improving the Shield platform
- Security monitoring, threat detection, and incident response
- Billing, invoicing, and account management
- Customer support and responding to enquiries
- Compliance with legal and regulatory obligations
5. Data Sharing
We do not sell personal data. We share data only with sub-processors required to deliver our services, regulators where legally required, and professional advisers under confidentiality obligations. The full list is published in the Sub-Processor List above and at shieldcorp.com/subprocessors.
6. International Transfers
Personal data transferred outside the EEA/UK/Switzerland is governed by Standard Contractual Clauses (SCCs), UK IDTAs, or adequacy decisions. Transfer Impact Assessments are conducted for high-risk transfers.
7. Data Retention
Account data: contract duration + 12 months. Usage logs: 12 months. Customer-uploaded data: deleted within 30 days of contract termination.
8. Your Rights
- 📥 Access: Request a copy of your personal data we hold.
- ✏️ Rectification: Correct inaccurate or incomplete personal data.
- 🗑️ Erasure: Request deletion where no legal basis remains.
- 📦 Portability: Receive your data in a structured, machine-readable format.
- 🚫 Objection: Object to processing based on legitimate interests.
- ⏸️ Restriction: Request restriction of processing in certain circumstances.
To exercise rights, contact privacy@shieldcorp.com. We respond within 30 days. You may also lodge a complaint with your local supervisory authority.
9. Security
We implement AES-256 encryption at rest, TLS 1.3 in transit, mandatory MFA, least-privilege access controls, and annual third-party penetration testing.
10. Changes to This Policy
We notify registered users at least 14 days before material changes via email and in-app notification. The current version is always at shieldcorp.com/privacy. DPO: dpo@shieldcorp.com
Vulnerability Disclosure Policy
Version 2.4
Effective: 1 June 2025
Public
Safe Harbour Statement: Shield Corporation will not pursue civil or criminal legal action against security researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
1. In-Scope Assets
- Web application: app.shieldcorp.com
- Public API: api.shieldcorp.com
- Marketing website: shieldcorp.com
- Shield mobile applications (iOS and Android)
- All Shield Corporation-owned subdomains and infrastructure
Out of Scope: Third-party services, social engineering, physical attacks, DoS/DDoS testing, attacks against employees, automated scanning without prior authorisation, and vulnerabilities in out-of-date software.
2. Response SLAs
| Severity | CVSS | Acknowledgement | Status Update | Target Fix |
| --- | --- | --- | --- | --- |
| Critical | 9.0–10.0 | 4 hours | 24 hours | 48 hours |
| High | 7.0–8.9 | 24 hours | 3 business days | 7 days |
| Medium | 4.0–6.9 | 48 hours | 5 business days | 30 days |
| Low / Info | 0.1–3.9 | 5 business days | 10 business days | 90 days |
3. How to Report
1. Prepare your report: Document the vulnerability: description, steps to reproduce, potential impact, and supporting evidence (screenshots, logs, PoC).
2. Submit via secure channel: Email security@shieldcorp.com with subject "VDP Report: [brief description]". Use our PGP key (fingerprint: A1B2 C3D4 E5F6 7890) for sensitive disclosures.
3. Receive acknowledgement: Our Security team will acknowledge within the applicable SLA and provide a tracking reference (format: VDP-YYYY-NNNN).
4. Coordinated disclosure: Allow us the remediation window before public disclosure. We will coordinate timing and credit you in our security advisories if desired.
4. Researcher Guidelines
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Do not test accounts you do not own or have explicit permission to test
- Do not disrupt availability or degrade system performance during testing
- Keep vulnerability details confidential until a fix is deployed
- Act in good faith throughout the reporting and remediation process
5. Recognition & Bounties
Valid researchers are recognised in our Hall of Fame and may receive monetary bounties: $500–$10,000 based on severity and impact. Contact security@shieldcorp.com for details.
6. Contact
- 📧 Security Email: security@shieldcorp.com
- 🔑 PGP Fingerprint: A1B2 C3D4 E5F6 7890 ABCD EF12 3456 7890 BCDE F123