Data Processing Agreement
Last Updated: March 2026
1. Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Customer", "Controller") and DriftAlarm ("Processor").
This DPA governs the processing of personal data by DriftAlarm in connection with the Service.
This DPA is effective for the duration of the service agreement and applies to customers who require formal data processing documentation.
2. Definitions
- Controller: The entity that determines the purposes and means of processing (the Customer — you decide which assets to scan).
- Processor: The entity that processes data on behalf of the Controller (DriftAlarm).
- Data Subject: An identifiable natural person whose data is processed.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data (collection, storage, analysis, deletion).
- Sub-processor: A third party engaged by the Processor to process personal data.
- Supervisory Authority: An independent public authority responsible for data protection oversight.
3. Scope of Processing
3a. Data DriftAlarm Processes
- Domain names and IP addresses submitted for scanning
- Scan results: discovered vulnerabilities, open ports, SSL certificates, DNS records, subdomain lists
- Technology stack data: web servers, frameworks, CMS platforms detected
- Email addresses (for account management and notifications)
- User account data: display name, organization, subscription tier, usage counters
- API key metadata (names, scopes, usage statistics — NOT the key itself)
- Drift detection data: baseline snapshots, change events, alarm configurations
- Notification configurations: email addresses, Slack webhook URLs, generic webhook URLs
3b. Data DriftAlarm Does NOT Process
- Financial data (no payment processing — all billing through sales@driftalarm.com)
- Health data (HIPAA not in scope)
- Special category personal data (racial/ethnic origin, political opinions, religious beliefs, biometric data)
- Employee data, other than what appears in scan results (e.g., email addresses exposed in public records for a scanned domain)
3c. Processing Purposes
- External attack surface management and continuous monitoring
- Vulnerability assessment and security analysis
- Configuration drift detection and alerting
- AI-powered remediation guidance and risk scoring
- Report generation (weekly, monthly, executive)
- Service operation, maintenance, and improvement
4. Roles and Responsibilities
Customer (Controller)
- Determines which assets to scan
- Responsible for authorization to scan targets
- Configures notification channels and alarm rules
- Manages user access within their organization
DriftAlarm (Processor)
- Processes scan data on behalf of Customer
- Implements technical and organizational security measures
- Assists with data subject requests when applicable
- Notifies Controller of data breaches
- Maintains records of processing activities
5. Sub-processors
DriftAlarm uses the following sub-processors:
- Microsoft Azure — Cloud hosting, storage, authentication. Data: All platform data. Location: East US (United States).
- Anthropic — AI-powered security analysis. Data: Scan findings, technology data. Location: United States.
- GreyNoise — IP reputation classification. Data: IP addresses. Location: United States.
- ProjectDiscovery — Nuclei vulnerability template updates. Data: No customer data — template downloads only. Location: United States.
- Microsoft Graph API — Email delivery. Data: Email addresses, notification content. Location: United States.
DriftAlarm will notify Customer before engaging new sub-processors.
Customer may object to new sub-processors within 30 days.
If Customer objects and DriftAlarm cannot provide the Service without the sub-processor, either party may terminate.
6. Data Security Measures
6a. Technical Measures
- Encryption at rest: Azure Storage Service Encryption (AES-256)
- Encryption in transit: HTTPS/TLS 1.2+ for all connections
- Authentication: Microsoft Entra External ID (formerly Azure AD External ID; CIAM) with JWT validation
- API key security: only a SHA-256 hash of each key is stored, together with a short key prefix for identification; the key itself is never retained
- Per-user data partitioning: all scan data isolated by user ID (partition key)
- Scan type isolation: separate result tracking per scan type
- Network security: Azure platform network controls
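The API key scheme in the list above (hash stored, prefix retained, key itself never kept) as an added Python example. This is illustrative code written for this page, not DriftAlarm's implementation; the "da_" key format, the 12-character prefix length and the in-memory store are assumptions. An unsalted SHA-256 is adequate here only because the key is 32 random bytes; passwords would need a slow, salted KDF instead.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed format: "da_" + 43 url-safe base64 chars; prefix length is an assumption.
KEY_PREFIX_LEN = 12


@dataclass
class ApiKeyRecord:
    """Everything that is persisted: prefix for lookup, digest, metadata. Never the key."""
    key_id: str
    prefix: str
    digest_hex: str
    name: str
    scopes: tuple
    uses: int = 0


def hash_key(plaintext: str) -> str:
    # Keys carry 256 bits of entropy, so a plain SHA-256 is not brute-forceable;
    # this is NOT a password-hashing scheme.
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def generate_api_key(name: str, scopes: tuple, store: dict) -> str:
    """Mint a key, persist prefix + digest + metadata, return the plaintext once."""
    plaintext = "da_" + secrets.token_urlsafe(32)
    record = ApiKeyRecord(
        key_id=secrets.token_hex(8),
        prefix=plaintext[:KEY_PREFIX_LEN],
        digest_hex=hash_key(plaintext),
        name=name,
        scopes=scopes,
    )
    # Several keys may share a prefix, so the store maps prefix -> list of records.
    store.setdefault(record.prefix, []).append(record)
    return plaintext


def verify_api_key(presented: str, store: dict):
    """Return the matching record (and count the use) or None.

    Lookup is by prefix; the digest comparison is constant-time so that a
    mismatch does not leak how many leading bytes of the hash were correct.
    """
    candidate = hash_key(presented)
    for record in store.get(presented[:KEY_PREFIX_LEN], []):
        if hmac.compare_digest(record.digest_hex, candidate):
            record.uses += 1
            return record
    return None


if __name__ == "__main__":
    store = {}
    key = generate_api_key("ci-pipeline", ("scan:read",), store)
    print("issued once:", key)
    print("stored record:", store[key[:KEY_PREFIX_LEN]][0])
    print("valid:", verify_api_key(key, store) is not None)
    print("tampered:", verify_api_key(key[:-1] + "!", store) is not None)
```

A practitioner reviewing the claim in 6a should check exactly this: a dump of the key table must contain prefixes and hex digests only, and presenting a key that differs in its last character must fail even though the prefix lookup succeeds.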
6b. Organizational Measures
- Access limited to authorized personnel
- Incident response procedures
- Data retention policies enforced via Azure Blob lifecycle rules
- Regular platform security assessments
7. Data Retention
- Scan result blobs: 90 days total. Moved from the Hot tier to the Cool tier after 30 days, then deleted at day 90 by an Azure Blob lifecycle rule.
- Asset findings: Retained while asset is active. Deleted across all resources on asset removal.
- Drift baselines and events: Retained while asset is active. Deleted with asset removal.
- GreyNoise enrichment cache: 24 hours. Automatic TTL expiry.
- AI remediation cache: 7 days. Automatic TTL expiry.
- User account data: Retained while account is active. Deleted within 90 days of account closure.
On service termination: all customer data deleted within 90 days per retention policy.
Customer may request earlier deletion by contacting support@driftalarm.com.
8. Data Breach Notification
DriftAlarm will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed personal data breach.
Notification will include:
- Nature of the breach (what happened)
- Categories and approximate number of data subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Contact point for further information (support@driftalarm.com)
DriftAlarm will cooperate with the Controller's breach investigation.
DriftAlarm will document all data breaches, including facts, effects, and remedial actions.
9. Data Subject Rights
DriftAlarm will assist the Controller in responding to data subject requests for:
- Access to personal data
- Rectification of inaccurate data
- Erasure of personal data ("right to be forgotten")
- Restriction of processing
- Data portability (export in machine-readable format — CSV/JSON available)
- Objection to processing
Process: Contact support@driftalarm.com with the request.
Response time: DriftAlarm will respond to Controller requests within 30 days.
Customer is responsible for verifying the identity of data subjects before forwarding requests.
10. Audits and Compliance
DriftAlarm will make available to the Controller information necessary to demonstrate compliance with data processing obligations.
DriftAlarm will allow for and contribute to audits conducted by the Controller or an authorized auditor, with reasonable notice.
Audits shall be conducted during business hours and shall not unreasonably interfere with DriftAlarm's operations.
Controller shall bear the cost of audits.
Note: DriftAlarm does not currently hold a SOC 2 attestation report; obtaining one is planned for a future milestone.
11. International Data Transfers
All data is processed in Microsoft Azure East US region (United States).
For EU/EEA customers: Standard Contractual Clauses (SCCs) are available on request as the appropriate safeguard for international data transfers.
DriftAlarm will comply with applicable data transfer mechanisms as required by supervisory authorities.
Contact support@driftalarm.com for SCC documentation.
12. Term and Termination
This DPA is effective for the duration of the Service agreement between Controller and Processor.
This DPA automatically terminates when the Service agreement terminates.
Upon termination:
- DriftAlarm will cease processing personal data within 30 days
- All customer data will be deleted within 90 days per the retention policy
- DriftAlarm will provide written confirmation of deletion upon request
Obligations that survive termination: confidentiality, cooperation with audits for data processed during the term.
13. Liability
DriftAlarm's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
Each party is liable for damages caused by processing that infringes applicable data protection law.