Data Processing Addendum

1. Parties

This Data Processing Addendum ("DPA") forms part of the agreement between Hijack Security, Inc. ("Processor") and the customer entity that has agreed to the Intercept Terms of Service ("Controller") for the use of the Intercept platform (the "Service").

2. Definitions

Capitalised terms not defined here have the meaning given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK Data Protection Act 2018, as applicable.

3. Scope and Roles

Controller is the controller and Processor is the processor of the Personal Data processed in connection with the Service. Processor processes Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country.

4. Details of Processing

• Subject matter: provision of the Intercept supply chain security platform.
• Duration: for the term of the underlying agreement and any retention period thereafter.
• Nature and purpose: scanning of Controller-connected repositories for vulnerabilities, secrets, misconfigurations, and supply chain risks; delivery of related findings and notifications.
• Categories of data: account identifiers, repository metadata, structured scan findings, redacted secret patterns, and posture telemetry.
• Categories of data subjects: Controller's authorised users and members of the Controller's tenant.

5. Processor Obligations

• Process Personal Data only on Controller's documented instructions.
• Ensure persons authorised to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organisational measures (see Section 8).
• Assist Controller in responding to data subject requests under GDPR Articles 15-22.
• Notify Controller without undue delay of any Personal Data breach.

6. Sub-processors

Controller authorises Processor to engage the sub-processors listed at /sub-processors. Processor will provide notice of any addition or replacement of a sub-processor and Controller may object on reasonable grounds within 30 days.

7. International Data Transfers

Personal Data is processed in the United States (AWS us-east-1). Where Personal Data of EEA, UK, or Swiss data subjects is transferred, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, as applicable.

8. Security Measures

Processor maintains the technical and organisational security measures described in the Intercept Security page, including encryption at rest and in transit, tenant isolation via row-level security, least-privilege access controls, and regular vulnerability scanning.

9. Audits

On reasonable written notice, Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and contribute to audits, including inspections, conducted by Controller or an independent auditor mandated by Controller, subject to confidentiality obligations.

10. Deletion or Return of Personal Data

On termination of the Service, Processor will, at Controller's choice, delete or return all Personal Data and delete existing copies, unless storage is required by applicable law.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement.

12. Contact

For DPA-related inquiries, contact privacy@hijacksecurity.com.