Data Processing Addendum — Fortworx

This Data Processing Addendum (“DPA”) forms part of the agreement for the provision of the Fortworx service (the “Agreement”) between:

AltaCoda LLC, doing business as Fortworx, a Delaware limited liability company (“Processor”, “we”, “us”, or “our”)

and

The entity agreeing to these terms (“Controller”, “Customer”, “you”, or “your”).

This DPA applies where and only to the extent that Processor processes Personal Data on behalf of the Controller in the course of providing the Fortworx service under the Agreement. This DPA is available to customers on paid subscription plans (Business and Enterprise).


1. Definitions

“Applicable Data Protection Law” means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) EU Regulation 2016/679 (GDPR), the UK General Data Protection Regulation, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other applicable data protection or privacy legislation.

“Authorized Sub-processor” means a third party authorized by the Processor to process Personal Data on behalf of the Controller in connection with the Service, as listed on the Subprocessors page.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.

“Processing” (and “process”, “processed”, etc.) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Service” means the Fortworx platform and related services provided by Processor to Controller under the Agreement.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission Decision 2021/914 (or any successor clauses).

“Technical and Organizational Measures” means the security measures described in Annex II of this DPA.


2. Scope and Roles

2.1. This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

2.2. The Controller is the controller of Personal Data, and the Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller, except where required by Applicable Data Protection Law to which the Processor is subject.

2.3. The details of the processing, including the categories of Personal Data, categories of Data Subjects, and the purposes of processing, are set out in Annex I.


3. Controller Obligations

3.1. The Controller shall ensure that it has obtained all necessary consents, authorizations, and legal bases required under Applicable Data Protection Law for the processing of Personal Data by the Processor.

3.2. The Controller shall ensure that its instructions to the Processor comply with Applicable Data Protection Law.

3.3. The Controller is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.


4. Processor Obligations

4.1. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law to which the Processor is subject — in which case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

4.2. The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. The Processor shall implement and maintain the Technical and Organizational Measures described in Annex II to ensure a level of security appropriate to the risk.

4.4. The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to Section 7 of this DPA.

4.5. The Processor shall assist the Controller, taking into account the nature of processing and information available to the Processor, in fulfilling the Controller’s obligations to respond to Data Subject requests under Applicable Data Protection Law.

4.6. The Processor shall assist the Controller in ensuring compliance with obligations related to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to the Processor.

4.7. At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of the Service, and shall delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. Retention periods during the term are as specified in the Agreement (10 years for Business; as agreed for Enterprise); Personal Data shall be securely deleted within 30 days of the expiry of the applicable retention period or the end of the provision of the Service, whichever is earlier.

4.8. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to Section 9.


5. AI and Automated Processing

5.1. The Service uses artificial intelligence and machine learning models to classify, triage, and generate responses to inbound communications. This processing may involve transmission of Personal Data contained in such communications to the Processor’s AI sub-processors as listed on the Subprocessors page.

5.2. The Processor shall ensure that all AI sub-processors are bound by data processing agreements that provide at least the same level of protection as this DPA.

5.3. Personal Data processed by AI sub-processors shall not be used to train, improve, or develop general-purpose AI models unless explicitly authorized in writing by the Controller.

5.4. The Processor shall maintain documentation of the AI models and sub-processors used in the Service, including the categories of data processed by each, and shall make this documentation available to the Controller upon request.

5.5. Where AI-assisted processing results in automated decisions that may have legal or similarly significant effects on Data Subjects, the Processor shall provide the Controller with sufficient information to enable the Controller to comply with its obligations under Article 22 of the GDPR or equivalent provisions of Applicable Data Protection Law.


6. Personal Data Breach Notification

6.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

6.2. Such notification shall include, to the extent available:

(a) A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) The name and contact details of the Processor’s data protection contact from whom more information can be obtained;

(c) A description of the likely consequences of the Personal Data Breach;

(d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

6.3. Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

6.4. The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.


7. Sub-processors

7.1. The Controller provides general written authorization for the Processor to engage the sub-processors listed on the Subprocessors page as of the effective date of this DPA.

7.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors by updating the Subprocessors page and notifying the Controller by email at least 30 days in advance, giving the Controller the opportunity to object to such changes.

7.3. If the Controller objects to a new sub-processor on reasonable data protection grounds within 14 days of receiving notice, the parties shall discuss the Controller’s concerns in good faith. If no resolution can be reached, the Controller may terminate the affected portion of the Service without penalty.

7.4. The Processor shall impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.

7.5. The Processor shall remain fully liable to the Controller for the performance of each sub-processor’s obligations.


8. International Data Transfers

8.1. The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom, or Switzerland unless appropriate safeguards are in place as required by Applicable Data Protection Law.

8.2. Where such transfers are necessary for the provision of the Service, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply, and are hereby incorporated by reference into this DPA. The details required under the SCCs are set out in the Annexes to this DPA.

8.3. Where the Processor transfers Personal Data to sub-processors located outside the EEA, the Processor shall ensure that the transfer is subject to appropriate safeguards, including SCCs (Module Three: Processor to Processor) or an adequacy decision by the European Commission.

8.4. The Processor shall promptly inform the Controller if, in its opinion, an instruction from the Controller regarding international data transfers infringes Applicable Data Protection Law.


9. Audit Rights

9.1. The Processor shall make available to the Controller, upon reasonable request and no more than once per calendar year (unless a Personal Data Breach has occurred or a supervisory authority requires it), all information reasonably necessary to demonstrate compliance with this DPA.

9.2. The Controller may conduct an audit, or appoint a qualified independent third-party auditor (subject to reasonable confidentiality obligations) to conduct an audit, of the Processor’s compliance with this DPA. Such audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor’s operations.

9.3. Where the Processor has obtained relevant certifications (e.g., SOC 2 Type II, ISO 27001) or has undergone third-party audits, the Processor may satisfy audit requests by providing copies of such certifications or audit reports, provided they are no more than 12 months old and adequately address the Controller’s concerns.

9.4. The costs of any audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit.


10. Data Subject Rights

10.1. The Processor shall, taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law, including but not limited to the right of access, rectification, erasure, restriction of processing, data portability, and objection.

10.2. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request itself unless authorized by the Controller or required by Applicable Data Protection Law.

10.3. The Processor shall provide the Controller with the ability to access, correct, and delete Personal Data through the Service’s administrative interface. Where such functionality is not available, the Processor shall fulfill such requests within 10 business days of the Controller’s written request.


11. CCPA-Specific Provisions

11.1. To the extent the CCPA applies, the Processor is a “Service Provider” as defined under the CCPA.

11.2. The Processor shall not sell or share (as defined under the CCPA) Personal Data.

11.3. The Processor shall not retain, use, or disclose Personal Data for any purpose other than for the specific business purposes of providing the Service as set forth in the Agreement, or as otherwise permitted by the CCPA.

11.4. The Processor shall not combine Personal Data received from the Controller with Personal Data received from or on behalf of another person or collected from its own interactions with Data Subjects, except as permitted by the CCPA.

11.5. The Processor certifies that it understands the restrictions set forth in this Section 11 and will comply with them.


12. Term and Termination

12.1. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 12.2.

12.2. The Processor’s obligations under this DPA with respect to the processing of Personal Data shall continue for as long as the Processor retains Personal Data processed on behalf of the Controller.

12.3. Upon termination of the Agreement, the Processor shall, at the Controller’s election, return or securely delete all Personal Data within 30 days, and provide written certification of deletion upon request. This obligation does not apply to the extent the Processor is required by Applicable Data Protection Law to retain some or all of the Personal Data.


13. Liability

13.1. The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, provided that nothing in the Agreement shall limit either party’s liability for breaches of this DPA to the extent that Applicable Data Protection Law prohibits such limitation.

13.2. For the avoidance of doubt, the Processor’s total aggregate liability for all claims arising out of or relating to this DPA shall be subject to the liability cap set out in the Agreement.


14. Conflict

14.1. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

14.2. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.


15. Governing Law

15.1. This DPA shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law requires the application of the law of another jurisdiction.


Annex I — Details of Processing

Categories of Data Subjects

  • Employees and authorized users of the Controller
  • Third parties who submit communications to the Controller’s security inbox (e.g., security researchers, vendors, customers, legal representatives, members of the public)

Categories of Personal Data

  • Names and email addresses of individuals submitting reports or communications
  • IP addresses and technical metadata associated with inbound communications
  • Content of inbound emails and attachments, which may include vulnerability reports, security questionnaires, abuse reports, legal notices, data subject access requests, breach notifications, and other security-related communications
  • Content of outbound responses drafted or sent through the Service
  • Account information of Controller’s authorized users (name, email, role)
  • Audit trail data (timestamps, actions taken, approvals, assignments)

Sensitive Data

Inbound communications may incidentally contain special categories of data (e.g., health data in breach notifications, racial or ethnic origin data in data subject access requests). The Processor does not intentionally collect or solicit sensitive data but will process it to the extent it is contained in communications submitted through the Service.

Purpose of Processing

  • Receiving, classifying, triaging, and routing inbound security communications on behalf of the Controller
  • AI-powered analysis and summarization of inbound communications
  • Drafting and sending responses on behalf of the Controller, subject to Controller approval workflows
  • Maintaining audit trails and compliance records
  • Administering bug bounty programs on behalf of the Controller
  • Providing collaboration and workflow features to the Controller’s authorized users

Duration of Processing

Processing shall continue for the duration of the Agreement. Personal Data shall be retained in accordance with the Controller’s subscription plan (10 years for Business; as agreed for Enterprise) and shall be deleted within 30 days of the expiration of the applicable retention period or termination of the Agreement, whichever is earlier, unless otherwise required by Applicable Data Protection Law.


Annex II — Technical and Organizational Measures

The Processor implements and maintains the following security measures:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 or equivalent

Access Control

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication (MFA) required for all Processor personnel accessing production systems
  • Principle of least privilege enforced across all systems

Infrastructure Security

  • Production infrastructure hosted on Hetzner Online GmbH (primary) and Amazon Web Services (secondary)
  • Data residency: Germany (EU) for primary data storage and processing; United States for AI processing (OpenAI), transactional email delivery (Postmark), and ancillary infrastructure services (AWS)
  • Network segmentation and firewalls protecting production environments
  • Regular vulnerability scanning and penetration testing
  • Intrusion detection and monitoring systems

Data Handling

  • All inbound emails scanned for spam, viruses, and malware prior to processing
  • Attachments and uploaded files are stored encrypted at rest as described under Encryption above
  • Automated data deletion in accordance with retention policies

Personnel

  • All personnel with access to Personal Data are subject to binding confidentiality obligations
  • Security awareness training provided to all employees
  • Background checks conducted on employees with access to production systems

Incident Response

  • Documented incident response plan with defined roles and escalation procedures
  • 48-hour breach notification commitment as specified in Section 6

Business Continuity

  • Regular backups of all customer data
  • Disaster recovery procedures with defined recovery time objectives (RTOs) and recovery point objectives (RPOs)

Certifications and Audits

  • SOC 2 Type II — in progress, expected completion Q3 2026
  • ISO 27001 — not currently certified. Hosting infrastructure provider (Hetzner Online GmbH) holds ISO/IEC 27001:2022 certification; that certification covers the provider's own controls and scope, not the Processor's application or operations.
  • Annual third-party penetration testing. Reports available to customers under NDA upon request.

Annex III — Standard Contractual Clauses

Where applicable, the Standard Contractual Clauses (EU Commission Decision 2021/914) are incorporated by reference as follows:

  • Module Two (Controller to Processor) applies to transfers of Personal Data from the Controller in the EEA to the Processor
  • Module Three (Processor to Processor) applies to onward transfers from the Processor to sub-processors

The details required by the SCCs are populated from Annexes I and II of this DPA and the Subprocessors page.

The UK International Data Transfer Addendum (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is incorporated by reference for transfers from the United Kingdom.

The Swiss Federal Data Protection Act (FADP) addendum applies for transfers from Switzerland, with the SCCs adapted accordingly.

Last updated on: 2026-02-11