Data Processing Agreement (DPA)

Last updated: 2026-07-12

1. Scope

This Data Processing Agreement (DPA) governs the processing of personal data by CloudForge Team GmbH on behalf of the customer, in accordance with Art. 28 GDPR.

2. Subject Matter

CloudForge Team processes personal data solely to provide the CloudForge Sentinel service as described in the Master Service Agreement (MSA) and these Terms of Service.

3. Nature and Purpose

We process personal data for: account management, service delivery, security (e.g. logging), billing, and customer support.

4. Categories of Data

We process the following categories of personal data: - Account data (email, name) - Usage data (IP, browser, timestamps) - Customer-uploaded data (asset inventory, scan results, AI system metadata) - Support communications

5. Categories of Data Subjects

Customers' employees, end users, and any individuals whose data is uploaded to the service by the customer.

6. Subprocessors

Approved subprocessors: - Hetzner Online GmbH (Germany) – hosting - Cloudflare (EU) – CDN Customers will be notified 30 days before adding new subprocessors. Customers may object to new subprocessors.

7. Technical and Organizational Measures (TOMs)

We implement the following security measures: - TLS 1.3 encryption in transit - AES-256 encryption at rest - ISO 27001 certified data centers - Annual penetration tests - SOC 2 Type II controls - Access logging and monitoring - Multi-factor authentication for staff - Regular security training

8. Data Subject Rights

We support the customer in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection) as required by GDPR.

9. Data Breach Notification

We will notify the customer of any personal data breach within 72 hours of becoming aware, as required by Art. 33 GDPR.

10. Data Deletion

Upon termination, all personal data is deleted within 30 days, unless legal retention obligations require longer storage.

11. Audit Rights

Customers may audit our TOMs once per year with 30 days notice. We may satisfy audit requests with independent third-party audit reports (ISO 27001, SOC 2).

12. Contact

DPA inquiries: privacy@cloudforge.team