Data Processing Policy

This Data Processing Policy (“DPP”) shall be applicable between the Parties and shall be considered as automatically incorporated into the Agreement. All capitalized terms used in this DPP have the same meanings given to them in the Agreement, unless defined below. Terms defined below are applicable to the DPP only.

Definitions

“Adequate Country” means a country or territory that is recognized under applicable Data Protection Laws as providing adequate protection for personal data.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is directly or indirectly Controlled by Customer, (b) is subject to Data Protection Laws and (c) is permitted to use the Services pursuant to the Agreement, but has not signed the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, including all amendments thereto.

“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union (including GDPR), the European Economic Area, their member states, Switzerland, the United Kingdom and/or federal, state or local government authorities of the United States of America, applicable to the processing of Personal Data under the Agreement.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Personal Data” means any data that is processed by CybelAngel as part of the Services that is also “personal data” as defined under GDPR, UK GDPR, and/or defined as “personal information” under CCPA.

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in CybelAngel’s possession or under its control, where such breach is documented as having originated only from CybelAngel’s own systems and is unrelated to any breach which may have been detected in connection with the Services or CybelAngel’s day-to-day business activities.

“Standard Contractual Clauses” or (“SCCs”) means the latest standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

“processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” have the meanings ascribed to them in the GDPR.

“UK GDPR”: The UK General Data Protection Regulation post-Brexit.

1. STATUS OF THE PARTIES

The Parties acknowledge and agree that Customer is the data controller and CybelAngel is the data processor with respect to Personal Data. Each Party agrees to comply with, and shall ensure that each of its Affiliates complies with, Data Protection Laws applicable in relation to Personal Data. As between the Parties, Customer is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing of Personal Data in connection with use of the Services.

2. DESCRIPTION OF PROCESSING

2.1. CybelAngel shall only process Personal Data in order to provide the Services or for business purposes related to the Services as defined in the Agreement (e.g. creating credentials for new Authorized Users). If the Data Protection Laws require CybelAngel to process Personal Data other than as permitted by the Agreement, CybelAngel will notify Customer prior to processing, unless prohibited from doing so by applicable law.

2.2. The type of Personal Data processed pursuant to the Agreement and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects shall be as follows:

2.2.1. Categories of Data Subjects

  • Employees of the Customer and its affiliates
  • Clients, suppliers, or other business partners of the Customer
  • Individuals whose personal identifiers are found in monitored sources (e.g., email addresses or names detected in breaches)

2.2.2. Categories of Personal Data Processed

Typical categories of personal data processed as part of the Services include:

| Context | Example Data | Source |
|---|---|---|
| Credential & Breach Detection | Email addresses, usernames, hashed passwords, IPs | Breach databases, dark web sources |
| Domain & Account Protection | Professional email addresses, domain ownership data | WHOIS, web crawls |
| Executive & Brand Monitoring | Publicly available executive names, social handles | Social media and open sources |
| Customer Support & Service Delivery | Contact information (name, email, phone), usage metadata | Customer platform interactions |

All data processing aligns with GDPR’s principles of data minimization and purpose limitation, restricted to what is necessary for cyber threat detection and customer protection purposes as defined in the Agreement.

2.2.3. Nature of the processing

Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission to controller, dissemination or otherwise making available to controller, alignment or combination, restriction, erasure or destruction.

Specifically, processing operations include:

  • Collection, organization, and analysis of digital assets and threat intelligence indicators
  • Matching of exposed data to the Customer’s monitored entities
  • Alert generation and notification to the Customer
  • Support interactions (incident analysis, takedown assistance, reporting)

2.2.4. Purpose(s) of the data processing

The purpose of processing is to ensure the IT of controller and its affiliates, by working to prevent and detect data leaks on the Internet.

2.2.5. Duration of the data processing

The data processing shall be performed during the term of the Agreement.

2.2.6. Data retention period

Personal Data will be retained by the data processor for a maximum duration of six (6) months following the termination of all contracts for services provided to controller by processor. Operational detection data is typically rotated or anonymized after its investigative purpose is complete.

3. PROCESSOR’S RIGHTS AND OBLIGATIONS

3.1. The processor shall process Personal Data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of Personal Data. These instructions shall always be documented.

For the purpose of the hereinabove paragraph, the Agreement, this DPP, and Customer’s use of the Services, are Customer’s written instructions to CybelAngel in relation to the processing of Personal Data.

3.1.1. For clarity, the Customer’s documented instructions to CybelAngel consist of:

(a) Contractual Instructions: The scope, nature, purpose, and duration of processing as defined in this DPP Section 2.2 and the Agreement;

(b) Operational Instructions: The Search Criteria (keywords, data identifiers, and search parameters) provided by Customer through the Services, which specify what Personal Data CybelAngel should search for and process;

(c) Ongoing Instructions: Any additional written or electronic instructions provided by Customer during the term of the Agreement regarding the processing of Personal Data. Customer acknowledges that by signing this Agreement, providing Search Criteria, and using the Services, Customer is providing documented instructions to CybelAngel within the meaning of Article 28(3)(a) GDPR.

3.1.2. AI Processing and Subprocessor Authorization:

Customer acknowledges that CybelAngel’s Services incorporate AI-enabled capabilities (including automated content summarization, enrichment, task automations, analysis, and translations) as integral components of the Services. By signing this Agreement and consenting to the subprocessor list in ANNEX II, Customer provides documented instructions authorizing CybelAngel’s use of third-party AI service providers to process Personal Data in accordance with the safeguards specified herein. Customer acknowledges that:

(a) AI and Machine Learning Processing – The Services utilize AI providers listed in ANNEX II for content analysis, summarization, enrichment, task automation, and translation capabilities, limited to the scope necessary to deliver the Services;

(b) Platform Analytics – The Services utilize analytics providers (as identified in ANNEX II) to optimize detection algorithms, reduce false positives, and improve platform performance specific to Customer’s environment and usage patterns;

(c) No Training Use – CybelAngel’s agreements with AI subprocessors prohibit use of Customer Personal Data for model training or improvement of third-party services unrelated to delivering the Services to Customer.

Objection Right: If Customer objects to the use of any subprocessor (including AI providers) for data protection reasons, Customer may exercise its objection rights as set forth in Section 6.1.

3.2. Taking into account the nature of processing and the information available to CybelAngel, CybelAngel will assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to (i) data protection impact assessments (as such term is defined in the GDPR), (ii) notifications to the supervisory authority under Data Protection Laws and (iii) prior consultations with supervisory authorities.

3.3. CybelAngel will use commercially reasonable efforts to assist Customer in responding to data subject requests made by data subjects seeking to exercise their rights under Data Protection Law and whose Personal Data is in CybelAngel’s possession or under its control. CybelAngel will notify Customer of data subject requests relevant to Customer after they are received by CybelAngel no later than five (5) business days, unless otherwise required by applicable law.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

Taking into consideration (i) standard industry practice, (ii) the costs of implementation and (iii) the nature, scope, context and purposes of processing, CybelAngel shall implement appropriate technical and organizational measures as set forth in Annex I, to ensure a level of security appropriate to the risks that are presented by processing Personal Data, including in relation to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in CybelAngel’s possession or under its control.

5. PERSONAL DATA BREACHES

CybelAngel shall notify Customer of any Personal Data Breach no later than seventy-two (72) hours after becoming aware of it. CybelAngel shall provide Customer with commercially reasonable cooperation, assistance and information in connection with such Personal Data Breach, including, to the extent known by CybelAngel, (i) the nature of the Personal Data Breach, (ii) the categories and approximate number of data subjects concerned, (iii) the categories and approximate number of Personal Data records affected, and (iv) the measures already taken or planned to be taken by CybelAngel to address the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects. Unless required to disclose information about a Personal Data Breach by applicable law, CybelAngel shall not disclose any information about a Personal Data Breach and shall treat all such information as Confidential Information.

6. SUB-PROCESSING

6.1 Customer consents to CybelAngel’s use of the sub-processors included in the Subprocessor’s List (Attached as Annex II) to provide the Services, and to CybelAngel’s disclosure and provision of Personal Data to such sub-processors. The sub-processor list as of the date of execution of the Agreement is hereby authorized by Customer. Customer’s main points of contact shall be notified in writing by CybelAngel in advance of any new sub-processors being appointed by changes to the sub-processor list. In any event, the updated sub-processor list shall be deemed authorized by Customer unless it provides a written reasonable objection to [email protected] for reasons related to the GDPR within thirty (30) business days following the notification of the change in the sub-processor list. In this event, if the parties do not find a solution in good faith to the issue in question, then Customer may, as a sole remedy, terminate the applicable Agreement with respect only to those Services which cannot be provided by CybelAngel without the use of the objected-to sub-processor by providing written notice to CybelAngel provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to CybelAngel. Customer will have no further claims against CybelAngel due to (i) past use of approved sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) in the situation described in this paragraph.

6.2 CybelAngel will ensure its sub-processors are bound by contractual obligations providing a level of protection for Personal Data that is substantially similar to that required under this DPP. CybelAngel shall remain responsible for its sub-processors’ performance of obligations, but does not commit to enabling or facilitating audits of its sub-processors by Customer or any third party.

7. AUDITS

Under applicable Data Protection Laws, Customer may conduct one (1) audit per year on its own behalf and at its own expense, subject to Customer providing CybelAngel with fifteen (15) business days’ prior written notice of any audit. The maximum duration for any audit is five (5) business days (as defined in France) and an audit may be conducted only during CybelAngel’s business hours. CybelAngel reserves the right to approve the choice of a third-party auditor appointed by Customer in case Customer does not conduct the audit by itself and may reject such auditor in its reasonable discretion. The scope, method, and timing of any audit shall be mutually agreed upon in advance and shall not unreasonably interfere with CybelAngel’s business operations, tools or infrastructure, and all audits shall be limited in scope to CybelAngel’s systems and infrastructure responsible for processing Customer’s data hereunder. Customer agrees to use third-party certifications and audit reports (e.g., SOC 2, ISO) made available by CybelAngel in lieu of requesting an audit where possible.

8. DATA TRANSFERS

This Section 8 applies to any processing by CybelAngel or its sub-processors of any Personal Data subject to the GDPR.

8.1 CybelAngel will not disclose or transfer Personal Data to a third party (i) without the prior written permission of Customer, (ii) as permitted by the Agreement, (iii) where such disclosure or transfer is required by any applicable law, regulation, or public authority or (iv) pursuant to Section 6.1.

8.2 Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA. If CybelAngel transfers any Personal Data to a sub-processor (including any CybelAngel Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than exclusively in an Adequate Country), then CybelAngel will ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as (i) the execution of Standard Contractual Clauses (based on Module 2 Transfer Controller to Processor) between CybelAngel and a sub-processor; (ii) EU-U.S. Data Privacy Framework certification (where applicable for U.S.-based subprocessors); (iii) UK Extension to the EU-U.S. Data Privacy Framework (where applicable for UK personal data transfers); or (iv) any other approved safeguard for data transfers as recognized under the Data Protection Laws.

9. AUTHORIZED AFFILIATES

9.1 By executing the Agreement, Customer hereby agrees to the DPP on behalf of itself and in the name and on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations of Customer under this DPP and, to the extent applicable, the Agreement.

9.2 The Customer that is the contracting party to the Agreement will remain responsible for coordinating all communication related to Personal Data with CybelAngel and will be entitled to make and will receive any communication in relation to Personal Data on behalf of its Authorized Affiliates.

9.3 Where an Authorized Affiliate becomes a party to the Agreement with CybelAngel it will, to the extent required under applicable Data Protection Laws and pursuant to the provisions hereto, be entitled to exercise the rights and seek remedies subject to the following:

9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy against CybelAngel directly by itself, pursuant to the provisions hereto, the parties agree that (i) solely the Customer that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement will exercise any such rights under the provisions hereto, not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together.

9.3.2 The Customer that is the contracting party to the Agreement will, when carrying out any audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on CybelAngel and its sub-processors by combining, to the extent possible, all audit requests of itself and all of its Authorized Affiliates in one single audit.

10. LIMITATION OF LIABILITY

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to the provisions hereto whether in contract, tort or under any other theory of liability, is subject to Section 10 (Limitation of Liability) of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement. For the avoidance of doubt, CybelAngel’s and its Affiliates’ total liability for all claims from Customer and all Authorized Affiliates will not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPP.

11. ORDER OF PRECEDENCE

This DPP is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms hereto and the terms of the Agreement, the terms of this DPP will prevail insofar as the subject matter concerns the processing of Personal Data.

12. MISCELLANEOUS

All communications and notices pursuant to the provisions hereto shall be sent by the controller to the processor’s data protection officer at:

Name: CybelAngel SAS
Address: 51 rue Le Peletier, 75009 Paris, France
Contact person’s name, position and contact details:

Heather Kuch
Data Protection Officer
[email protected]

ANNEX I

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A. Physical Access Control

Unauthorised persons are to be denied access to data processing equipment, with which Personal Data is processed or used.

The processor shall take the following physical access control measures, insofar as Personal Data is processed in the premises/buildings of the processor. Access to such Personal Data outside of these premises/buildings is not permitted:

  1. Restriction of access rights to office buildings, data centres and server rooms to the minimum necessary.
  2. Effective control of access rights through an adequate locking system (for example, security key with documented key management, electronic locking systems with documented management of authorization).
  3. Comprehensive and fully documented processes must be in place for attainment, change and withdrawal of access authorization.
  4. Regular and documented review of access authorizations granted to date.
  5. Reasonable measures for the prevention and detection of unauthorized access and access attempts (e.g. regular review of burglary protection of the doors, gates and windows, alarm systems, video surveillance, security guards, security patrol).
  6. Written regulations for employees and visitors for dealing with technical access security measures.

B. Logical Access Control to Systems

Use by unauthorized persons of Personal Data processing systems must be prevented.

The processor shall take the following measures to control access to systems and networks in which Personal Data is processed or via which admission to access Personal Data is possible:

  1. Restriction of admission rights to IT systems and non-public networks to the minimum necessary.
  2. Effective control of Authentication, Authorization and Accounting through personalized and unique user identifications and secure authentication process.
  3. When using passwords for authentication, rules shall be adopted to ensure the quality of passwords in terms of length, complexity and change frequency. Technical testing methods shall be implemented in order to ensure password quality.
  4. When using asymmetric key methods (e.g. certificates, private-public-key-methods) for authentication, it shall be ensured that secret (private) keys are always protected with a password (passphrase). The requirements in accordance with above paragraph 3 are to be observed.
  5. Full reviews of all accounts must be regularly undertaken and access removed if not required on a regular basis.
  6. Regular and documented review of the logical access authorizations granted to date.
  7. Appropriate measures to secure the network infrastructure must be undertaken (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.).
  8. Written regulations for employees when dealing with the above security measures and safe use of passwords.
  9. Ensuring the immediate installation of critical or important security updates/patches:
    • in controller’s operating systems,
    • in server operating systems, which are accessible via public networks (e.g. web server);
    • in application programs (including browser, plugins, PDF reader, etc.); and
    • in security infrastructure (virus scanners, firewalls, IDS systems, content filters, routers, etc.) within 48 hours after publication by the manufacturer as well as in server operating systems of internal server within 1 week after publication by the manufacturer.

C. Access Control to Personal Data

Only persons authorized to use a Personal Data processing system can access the Personal Data, subject to their access authorization, and that Personal Data cannot be read, copied, changed or removed without authorization during processing, use and after storage.

Where the processor is responsible for the access authorization to access Personal Data, the processor shall take the following measures for access control:

  1. Restriction of access authorization to Personal Data to the minimum required.
  2. Effective control of access authorization through an adequate rights and role concept.
  3. A comprehensive and fully documented process for authorizing access, changing, copying and withdrawal of Personal Data must be in place.
  4. Regular and documented reviews of the assigned access authorizations to date.
  5. Reasonable measures for the protection of terminal equipment, servers and other infrastructure elements against unauthorized access (e.g. multi-level virus protection concept, content filtering, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption) must be undertaken.
  6. Personal Data media encryption – aligned to the current state of the art technology – algorithms to be enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and Personal Data media (external hard drives, USB sticks, memory cards, etc.).
  7. Logging of accesses to Personal Data by all users, including administrators.
  8. Technical security measures for export and import interfaces (hardware and application related).

Where the processor is not responsible for the access authorization to access Personal Data the processor shall have the following obligations to cooperate with access control:

  1. A comprehensive and fully documented process for application, change and withdrawal of access authorizations in their area of responsibility.
  2. Regular and documented review of the assigned access authorizations to date as far as is possible.
  3. Immediate notification to controller if the existing access authorizations are no longer required.

D. Transmission Control

The processor shall provide the Personal Data to be processed in a transmission procedure to be defined in a contract/order. The results of the processing will also be transmitted back to controller in a defined transmission procedure. The method of transmission as well as the security measures of the transmission (transmission control) is to be set according to requirements; in particular the use of state-of-the-art encryption technology is to be provided for.

It shall be guaranteed that Personal Data is not read, copied, changed or removed without authorization during electronic transfer or during transportation or storage on Personal Data carriers, and that it can be checked and established at which locations a transfer of Personal Data by means of equipment for data transmission is provided for.

The processor shall take the following measures for transmission control, insofar as Personal Data is received, transferred or transported by the processor:

  1. Appropriate measures to secure the network infrastructure (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.) must be applied.
  2. Personal Data media encryption with – according to the current state of the art technology – algorithms to be classified as safe for protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
  3. Use of encrypted communication protocols (such as TLS-based protocols).
  4. Inspection mechanisms to identify remote terminals during transmissions.
  5. Checksums adjustment with received Personal Data.
  6. Written regulations for employees for the handling and security of mobile devices and data carriers.

E. Data Entry Control

It shall be ensured that it can be subsequently checked and verified whether and by whom Personal Data can be accessed, modified in or removed from data processing systems.

The processor shall take the following measures to control entry onto its systems that serve the processing of data or enable or provide access to such systems:

  1. Creation and revision-secure storage of process protocols.
  2. Securing of backup log files against tampering.
  3. Logging and analysis of failed login attempts.
  4. Ensuring that no group accounts (also administrators or root) can be used.

F. Data Processing Control

It is necessary to ensure that any Personal Data that is processed can only be processed in accordance with the instructions of controller.

The processor shall implement processes and documentation for:

  1. the selection of (sub)processors under Data Protection Legislation and technical aspects;
  2. ensuring prescribed statutory preliminary inspection of (sub)processors in accordance with the Data Protection Legislation;
  3. ensuring the timely instruction of operational data protection officers upon introduction of new or changes to existing procedures for processing Personal Data;
  4. obligations of all persons responsible for processing of Personal Data to maintain data secrecy pursuant to the Data Protection Legislation;
  5. regular verification of the correctness of the application of data processing programs by which Personal Data is processed;
  6. ensuring the familiarization of the persons entrusted with data processing with the relevant Data Protection Legislation;
  7. maintenance of the qualification of the operational data protection officer (if appointed);
  8. ensuring the notification of controller without undue delay in the event of an unlawful acquisition of knowledge of Personal Data; and
  9. ensuring the immediate correction, blocking and deletion of Personal Data upon instruction by controller.

G. Availability Control

It shall be ensured that Personal Data is protected against accidental destruction or loss.

The processor shall implement the following measures to control availability:

  1. Operation and regular maintenance of fire alarm systems in server rooms, data centres and critical infrastructure spaces.
  2. Creating daily backups and ensuring that a robust and resilient disaster recovery capability is implemented.
  3. Ensuring backup storage in a separate fire compartment.
  4. Regular review and testing of backup integrity.
  5. Processes and documentation for the recovery of systems and Personal Data.

H. Appropriation Control

It shall be ensured that Personal Data collected for different purposes can be processed separately.

The processor shall take the following measures for the separation of Personal Data, provided that they lie in their area of responsibility:

  1. Logical and/or physical separation of test, development and production systems.
  2. Controller separation within the processing systems and at interfaces.
  3. Ensuring continued identifiability of the Personal Data.

I. Retention and Deletion of Personal Data

Personal Data shall be retained only for as long as required and deleted when the processing fulfilment is complete.

The processor shall take the following measures to ensure the deletion of Personal Data, provided that they lie within their area of responsibility:

  1. Ensure continued erasability of data upon request of controller.
  2. Processes, tools and documentation for secure deletion in such a way that recovery of the data is not possible using current state of the art technology.
  3. Guidelines for employees on how and when which data should be deleted.

J. Certifications

CybelAngel is the holder of a SOC 2 TYPE I certification. Proof of such certificate can be provided to controller upon request.

ANNEX II

List of CYBELANGEL’s subprocessors to which part of our client’s personal data may be transferred

CYBELANGEL SUBPROCESSORS

SubprocessorLocationNature of SubprocessingCategories of Identifiable DataSafeguards
AMPLITUDE
Amplitude, Inc.
631 Howard Street, Floor 5
San Francisco, CA 94105, USA
[email protected]
United StatesAggregation and analysis of anonymized or pseudonymized telemetry and usage metrics to produce statistical reports and dashboards for improving detection and service qualityProfessional identifiable information (email address, firstname, surname, Platform user role, language, IP address) and usage habits of the Service• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
• ISO 27001
APPCUES
Appcues, Inc.
177 Huntington Ave Ste 1703
Boston, MA 02115, USA
[email protected]
Location: United States
Nature of Subprocessing: In-App custom notifications
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, Platform user role, language)
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
DATADOG
Datadog, Inc.
620 8th Avenue, Floor 45
New York, NY 10018, USA
[email protected]
Location: Europe
Nature of Subprocessing: Application log
Categories of Identifiable Data: IP addresses provided as keywords, Professional identifiable information (email address)
Safeguards:
• GDPR
• SOC 2 Type II
FIVETRAN
Fivetran, Inc.
1221 Broadway St Floor 20
Oakland, CA 94612, USA
[email protected]
Location: Europe
Nature of Subprocessing: Data synchronization
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, company, position, language, phone, PII present in signature) and any other information shared during the interaction with the Support team
Safeguards:
• GDPR
• ISO 27001
• SOC 2 Type I & II
• Almost instantaneous deletion
FRESHDESK
Freshworks Inc.
2950 S. Delaware Street
San Mateo, CA 94403, USA
[email protected]
Location: Europe
Nature of Subprocessing: Technical Support application
Categories of Identifiable Data: Professional identifiable information (email address, PII present in signature) and any other information shared during the interaction with the Support team
Safeguards:
• GDPR
• SOC 2 Type II
• ISO 27001
GOOGLE
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
[email protected]
Location: Ireland, Netherlands, Finland, Belgium
Nature of Subprocessing: Hosting provider, email exchange service, machine learning processing (including content analysis, summarization, enrichment, and translations)
Categories of Identifiable Data: Any kind of professional or personal identifiable information provided or detected while using the Service
Safeguards:
• GDPR
• ISO 27001
• SOC 2 Type II
HUBSPOT
HubSpot, Inc.
25 First Street, 2nd Floor
Cambridge, MA 02141, USA
Location: United States
Nature of Subprocessing: Marketing automation, feature activation, consent forms
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, company, position, language, phone)
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
MATCHMYEMAIL
RAE Internet, Inc.
30 Cricket Lane
Dobbs Ferry, NY 10522, USA
Location: Germany
Nature of Subprocessing: Email synchronization with Salesforce
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, company)
Safeguards:
• GDPR
• SOC 2 Type II
NEO4J
Neo4j, Inc.
111 East 5th Avenue
San Mateo, CA 99401, USA
[email protected]
Location: Belgium
Nature of Subprocessing: Assets map
Categories of Identifiable Data: IP addresses provided as keywords, email addresses detected while using the Service
Safeguards:
• EU-U.S. Data Privacy Framework
• GDPR
• SOC 2 Type II
OKTA (formerly Auth0)
Okta, Inc.
100 First Street, Floor 6
San Francisco, CA 94105, USA
[email protected]
Location: Germany, United States
Nature of Subprocessing: Authentication
Categories of Identifiable Data: Professional identifiable information (email, address, firstname, surname, phone number)
Safeguards:
• EU-U.S. Data Privacy Framework
• UK Extension
• Swiss-U.S. DPF
• GDPR
• Standard Contractual Clauses
• SOC 2 Type II
OPENAI
OpenAI
1455 3rd Street
San Francisco, CA 94158, USA
[email protected]
Location: United States
Nature of Subprocessing: Task automations; content summarization, enrichment
Categories of Identifiable Data: Any kind of professional or personal identifiable information provided or detected while using the Service
Safeguards:
• GDPR
• CCPA
• Standard Contractual Clauses
• SOC 2 Type I & III
• ISO 27001
• ISO 27018
SALESFORCE
Salesforce.com EMEA Limited
Village 9, Floor 26
110 Bishopsgate
London, UK EC2N 4AY
[email protected]
Location: France, Germany
Nature of Subprocessing: Commercial relationship, marketing automation
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, company, position, language, phone)
Safeguards:
• GDPR
• ISO 27001
• SOC 2 Type II
SEGMENT
Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105, USA
[email protected]
Location: United States
Nature of Subprocessing: Aggregation and analysis of anonymized or pseudonymized telemetry and usage metrics to produce statistical reports and dashboards for improving detection and service quality
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, Platform user role, language, IP address) and usage habits of the platform
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
• ISO 27001
SENDGRID
Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105, USA
[email protected]
Location: United States
Nature of Subprocessing: Application emails
Categories of Identifiable Data: Professional identifiable information (email address)
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
• ISO 27001
• ISO 27017
• ISO 27018
SENTINELONE
SentinelOne
444 Castro Street, Suite 400
Mountain View, CA 94041, USA
[email protected]
Location: United States
Nature of Subprocessing: Anti-virus analysis
Categories of Identifiable Data: Metadata from servers downloaded by analysts, list of keywords and professional identifiable information (email address, firstname, surname, Platform user role, language, company, position, phone) present on shared documents
Safeguards:
• EU-U.S. Data Privacy Framework
• SOC 2 Type II
• ISO 27001
TWILIO
Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105, USA
[email protected]
Location: United States
Nature of Subprocessing: Application 2FA text message
Categories of Identifiable Data: Professional or personal identifiable information (phone number)
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II
• ISO 27001
• ISO 27017
• ISO 27018
WORKATO
Workato, Inc.
215 Castro St
Mountain View, CA 94041, USA
[email protected]
Location: Europe
Nature of Subprocessing: Third party connector
Categories of Identifiable Data: Professional identifiable information (email address) and any kind of personal or personal identifiable information detected while using the Service
Safeguards:
• Standard Contractual Clauses
• GDPR
• SOC 2 Type II
ZAPIER
Zapier Inc.
548 Market St #62411
San Francisco, CA 94104, USA
[email protected]
Location: United States
Nature of Subprocessing: Task automations, notification workflows and tool integrations
Categories of Identifiable Data: Professional identifiable information (email address, firstname, surname, company, Platform user role)
Safeguards:
• EU-U.S. Data Privacy Framework
• Standard Contractual Clauses
• SOC 2 Type II

“Platform user role” refers to user access levels within the CybelAngel platform (e.g., Administrator, Standard User), not organizational job titles.