Last updated: April 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") is offered by Sandworm Security LLC to enterprise customers who require a written processor agreement under Article 28 of the EU General Data Protection Regulation (GDPR) or equivalent privacy laws. To execute this DPA, contact jacobhendrick@sandworm-security.com.
1. Parties and background
This DPA is entered into between Sandworm Security LLC ("Processor"), a Georgia limited liability company, and the customer identified in the underlying Sandworm Order Form or Subscription Agreement ("Controller").
It supplements the Sandworm Terms of Service. In the event of conflict between this DPA and the Terms with respect to the processing of personal data, this DPA prevails.
2. Definitions
Capitalized terms have the meanings given to them in GDPR Article 4. In particular:
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Sandworm on behalf of Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and erasure.
- "Sub-processor" means a third-party processor engaged by Sandworm to process Personal Data.
- "Data Subject" means the natural person to whom Personal Data relates.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
3. Scope of processing
3.1 Subject matter
Sandworm processes Personal Data on behalf of Controller solely to provide the Sandworm Services as described in the Terms.
3.2 Duration
Processing continues for the duration of the Subscription, plus the limited post-termination period set out in Section 10.
3.3 Nature and purpose
The nature of processing includes ingestion, storage, indexing, querying, alerting, and reporting of security-related data. The purpose is to provide cloud security posture management, security event monitoring, endpoint detection and response, network firewall, and zero-trust network access services.
3.4 Categories of Personal Data
- Account identifiers (name, email, organization, role)
- Authentication data (password hashes, MFA secrets, session tokens)
- Usernames and user IDs from Customer's monitored systems
- IP addresses, hostnames, and device identifiers
- Process command lines, file paths, network destinations from monitored endpoints
- Authentication and audit log entries forwarded by Customer
- VPN connection metadata
- Other Personal Data that Customer chooses to send to the Services in the form of logs, configurations, or comments
3.5 Categories of Data Subjects
- Customer's employees, contractors, and authorized users
- End users of Customer's systems whose activity is captured in logs and telemetry forwarded to Sandworm
- Third parties whose identifiers appear in logs (e.g., source IPs of inbound traffic)
3.6 Controller instructions
Sandworm processes Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by applicable law. The Subscription Agreement, the Terms, this DPA, and any configuration Controller makes through the Sandworm portal constitute Controller's documented instructions.
4. Sub-processors
Controller authorizes Sandworm to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Compute, storage, networking, KMS, managed databases | USA (us-east-1, us-west-2) |
| Stripe, Inc. | Payment processing and billing (no security data) | USA |
| Cloudflare, Inc. | DDoS mitigation, CDN for marketing site (no Customer Data) | USA / Global |
| SendGrid (Twilio, Inc.) | Transactional email delivery (account, billing, security alerts) | USA |
Sandworm will provide Controller with at least 30 days' notice of any addition or replacement of sub-processors that process Personal Data. Controller may object to a new sub-processor on reasonable data protection grounds within 7 days of notice.
5. Security measures
Sandworm implements technical and organizational measures designed to ensure a level of security appropriate to the risk:
- Encryption — AES-256-GCM at rest, TLS 1.2+ in transit
- Key management — keys held in AWS KMS, rotated periodically, with separate keys per customer for Enterprise tier
- Tenant isolation — logical separation enforced at every layer (database, object storage, message queues, search indexes)
- Access control — least privilege, hardware MFA for admin access, just-in-time elevation, full access logging
- Network security — VPC isolation, private subnets, WAF, rate limiting, DDoS mitigation
- Vulnerability management — continuous dependency scanning, regular patching, third-party annual penetration testing
- Personnel — background checks, security training, confidentiality agreements
- Business continuity — backups, disaster recovery testing, multi-region failover capability
6. Breach notification
Sandworm will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Controller's Personal Data. The notice will include, to the extent known:
- The nature of the breach, including categories and approximate number of affected Data Subjects and records
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate adverse effects
- A point of contact for additional information
7. Data subject rights
Taking into account the nature of the processing, Sandworm will assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller's obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. If Sandworm receives a request from a Data Subject directly, it will forward the request to Controller without responding (except to acknowledge receipt) unless legally required to do so.
8. Audit rights
Sandworm will make available to Controller all information necessary to demonstrate compliance with Article 28 of GDPR, and will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. In practice, Sandworm satisfies this obligation by:
- Providing the most recent third-party penetration test summary on request
- Providing SOC 2 Type II reports once available (in progress)
- Responding to written security questionnaires within 30 days
- Allowing on-site audits, by appointment, no more than once per year
9. International transfers
Sandworm processes Personal Data primarily in the United States. Where Personal Data subject to GDPR or UK GDPR is transferred outside the EEA or the UK, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) approved in Commission Decision 2021/914.
For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office.
10. Deletion on termination
On termination of the Subscription, Sandworm will, at Controller's choice, delete or return all Personal Data to Controller. Customer Data may be exported through the portal for up to 30 days after termination, after which Sandworm will delete it from primary storage. Backups containing Personal Data will be cryptographically erased in accordance with the rolling 30-day backup window.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service.
12. Execution
This DPA becomes effective when Controller signs and returns a counter-signed copy provided by Sandworm or when Controller accepts this DPA through a click-through process during onboarding. To request a counter-signed copy, email jacobhendrick@sandworm-security.com with your organization name and billing reference.