Data Processing Agreement

Effective date: May 1, 2026

The terms under which vCISO Services, LLC processes personal data on behalf of a client, intended to satisfy the requirements of GDPR Article 28 and similar laws.

1. Scope and purpose

This Data Processing Agreement ("DPA") applies whenever vCISO Services, LLC ("we", "Processor") processes personal data on behalf of a client ("you", "Controller") in connection with a vCISO engagement. It supplements the Statement of Work (SOW) and the Terms of Service. To the extent any provision conflicts, the order of precedence is: SOW, this DPA, the Terms of Service.

This DPA is intended to satisfy the requirements of GDPR Article 28 and analogous obligations under CCPA/CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and other comparable statutes.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • Data Subject: the individual to whom the Personal Data relates.
  • Subprocessor: a third party engaged by the Processor to process Personal Data.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

3. Roles and processing instructions

You are the Controller of Personal Data you provide to us in connection with the engagement (e.g., employee or customer records shared during gap analysis, audit prep, vendor questionnaire response, or incident response). We are the Processor.

We process Personal Data only on your documented instructions, which include the SOW, this DPA, and any subsequent written direction. We will not process Personal Data for our own purposes, including marketing, profiling, or sale.

4. Categories of data and data subjects

Categories of Personal Data typically processed during a vCISO engagement include:

  • Employee directory data (names, titles, work emails, role information).
  • Identity and access data (SSO and IAM exports, user lists, MFA enrollment status).
  • Endpoint and device inventories (hostnames, MDM-managed user fields).
  • Vendor diligence records (subprocessor names, SOC 2 reports, DPAs).
  • Audit evidence artifacts (logs, screenshots, configuration exports, attestations).
  • Customer questionnaire content (scoped to the customer issuing the questionnaire).
  • Incident response records (forensic data, communications, post-incident review).

Categories of Data Subjects: your employees, contractors, vendors, and (where in scope of an engagement) your end customers.

5. Security measures

We implement technical and organizational measures appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or stronger).
  • Single sign-on with hardware-key-backed multi-factor authentication for all internal systems.
  • Least-privilege access controls scoped per client engagement.
  • Quarterly internal access reviews.
  • Background checks on personnel handling Personal Data.
  • Incident detection through endpoint and identity logging.
  • Documented incident response procedures.
  • Annual penetration testing by independent firms.

6. Subprocessors

We engage the following subprocessors to deliver vCISO services. Each is bound by a written contract imposing data protection obligations equivalent to this DPA.

  • Resend (transactional email delivery).
  • Upstash (lead and engagement metadata storage).
  • Stripe (payment processing for productized engagements).
  • Calendly (scheduling).
  • Vercel (site hosting and edge analytics).
  • Google Workspace (engagement document storage and email).

We will provide at least 30 days' notice before adding or replacing a subprocessor. You may object on reasonable data protection grounds; if we cannot accommodate the objection, you may terminate the affected services without penalty.

7. International data transfers

We are based in the United States and our subprocessors operate in the United States and the European Economic Area. Any cross-border transfer of Personal Data is performed under appropriate safeguards, including the Standard Contractual Clauses (EU 2021/914) where required.

8. Data subject requests

Where a Data Subject contacts us directly with a rights request that pertains to Personal Data we process on your behalf, we will route it to you within five business days and assist you in responding. We will not respond independently except where required by law.

9. Personal data breach notification

We will notify you of any Personal Data Breach affecting Personal Data we process on your behalf without undue delay and in any event within 48 hours of becoming aware. The notification will include, to the extent known:

  • The nature of the breach (categories and approximate number of Data Subjects and records).
  • The likely consequences.
  • Measures taken or proposed to address the breach.
  • A point of contact for further information.

10. Audit rights

We will make available to you, on reasonable request, the information necessary to demonstrate compliance with this DPA, including third-party attestations covering our security program. You may conduct audits no more than once per year (and additionally following a Personal Data Breach), with at least 30 days' notice, during normal business hours, and subject to reasonable confidentiality terms.

11. Return or deletion

On termination of the engagement, at your choice, we will return all Personal Data processed on your behalf or delete it. Unless you direct otherwise, deletion occurs within 90 days of engagement close, except where retention is required by law or by the Terms of Service for liability and audit purposes (in which case the retained data remains subject to this DPA).

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the SOW and the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable data protection law.

13. Order of precedence and amendment

If a provision of this DPA conflicts with the SOW or the Terms of Service, the order of precedence stated in section 1 applies. We may update this DPA to reflect regulatory or operational changes; material changes will be announced via the site and the new effective date noted at the top.

14. Contact

Data protection inquiries: privacy@vciso.com. Security disclosures: security@vciso.com. General contact: info@vciso.com.