Privacy Policy

Data Processing Agreement

GDPR-compliant by design. Here's how we collect, store, and protect your personal data.

Last Updated on March 10, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between SuperCISO ("Data Processor") and the customer entity that has agreed to the Terms of Service ("Data Controller"), and governs the processing of personal data carried out by SuperCISO on behalf of the Data Controller in connection with the use of the SuperCISO web application (the "Service").

This DPA is governed by Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), and in particular Article 28, which requires that processing by a processor be governed by a binding contract.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.

  • "Processing" has the meaning given in Art. 4(2) GDPR.

  • "Data Controller" means the customer who determines the purposes and means of processing personal data.

  • "Data Processor" means SuperCISO, which processes personal data on behalf of the Data Controller.

  • "Sub-processor" means any third party engaged by SuperCISO to process personal data.

  • "Data Subject" means the individual whose personal data is being processed.

  • "EEA" means the European Economic Area.

3. Subject Matter and Duration

SuperCISO processes personal data on behalf of the Data Controller solely to provide the Service as described in the Terms of Service. Processing continues for the duration of the active agreement between the parties and ceases upon termination, subject to the retention obligations set out in Section 9.

4. Nature and Purpose of Processing

SuperCISO processes personal data for the following purposes:

  • Providing, operating, and maintaining the Service

  • Managing user accounts and authentication

  • Sending service-related communications (e.g. notifications, invoices)

  • Providing customer support

  • Complying with legal obligations

5. Categories of Personal Data Processed

SuperCISO processes the following categories of personal data on behalf of the Data Controller:

  • First name and last name

  • Email address

  • Professional function / job title

  • Telephone number (where provided by the Data Controller or data subject)

No special categories of personal data (as defined in Art. 9 GDPR) are processed under this DPA.

6. Categories of Data Subjects

The personal data processed relates to the following categories of data subjects:

  • Employees, contractors, or representatives of the Data Controller who are granted access to the Service

  • Any other individuals whose data the Data Controller uploads or enters into the Service

7. Obligations of SuperCISO (Data Processor)

SuperCISO shall:

  • Process personal data only on documented instructions from the Data Controller, including with regard to transfers outside the EEA, unless required to do so by EU or Member State law.

  • Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

  • Implement and maintain appropriate technical and organisational security measures in accordance with Art. 32 GDPR, including encryption of data in transit and at rest, access controls, and regular security reviews.

  • Not engage any sub-processor without prior written authorisation from the Data Controller, except as set out in Section 8 of this DPA.

  • Assist the Data Controller, to the extent reasonably possible, in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR.

  • Assist the Data Controller in ensuring compliance with its obligations under Arts. 32–36 GDPR (security, breach notification, DPIAs).

  • At the choice of the Data Controller, delete or return all personal data upon termination of the Service, and delete existing copies unless EU or Member State law requires otherwise.

  • Make available to the Data Controller all information necessary to demonstrate compliance with the obligations in Art. 28 GDPR, and allow for and contribute to audits conducted by the Data Controller or a mandated auditor.

  • Notify the Data Controller without undue delay upon becoming aware of a personal data breach involving the Data Controller's data.

8. Sub-processors

The Data Controller grants SuperCISO general authorisation to engage the following sub-processors:

Google Cloud Platform — Cloud infrastructure and data hosting — Belgium (europe-west1)

Email delivery provider — Transactional email notifications — EEA

Payment processor — Billing and invoicing (where applicable) — EEA

SuperCISO shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object. All sub-processors are bound by data processing agreements that impose equivalent data protection obligations to those set out in this DPA.

9. Data Retention and Deletion

Upon termination of the Service or upon written request by the Data Controller, SuperCISO shall delete or return all personal data within 30 days, unless applicable EU or Belgian law requires retention for a longer period. In such cases, SuperCISO shall inform the Data Controller of the legal requirement before proceeding with retention.

10. Data Transfers

All personal data is stored and processed within the EEA, specifically in Belgium via Google Cloud Platform (europe-west1 region). SuperCISO does not transfer personal data to third countries outside the EEA. Should such a transfer ever become necessary, SuperCISO will only do so with the prior written consent of the Data Controller and subject to appropriate safeguards as required by Chapter V of the GDPR (e.g. Standard Contractual Clauses).

11. Security Measures

In accordance with Art. 32 GDPR, SuperCISO has implemented the following technical and organisational measures:

  • Encryption of personal data in transit (TLS/HTTPS) and at rest

  • Role-based access controls and least-privilege principles

  • Regular security assessments and vulnerability monitoring

  • Incident response and breach notification procedures

  • Secure software development practices

  • Physical access controls at hosting facilities (managed by Google Cloud)

12. Data Subject Rights

Where a data subject submits a request to exercise their rights directly to SuperCISO, SuperCISO shall forward the request to the Data Controller promptly and within 5 business days. SuperCISO shall assist the Data Controller in responding to such requests to the extent technically feasible.

13. Data Protection Impact Assessments

Where required under Art. 35 GDPR, SuperCISO shall provide reasonable assistance to the Data Controller in carrying out a Data Protection Impact Assessment (DPIA), including by providing relevant information about the processing activities and security measures.

14. Audit Rights

The Data Controller may, upon reasonable prior written notice (minimum 30 days), conduct or commission an audit of SuperCISO's data processing activities to verify compliance with this DPA and applicable GDPR obligations. Audits shall be carried out at the Data Controller's expense, during normal business hours, and in a manner that minimises disruption to SuperCISO's operations.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main Terms of Service agreement. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

16. Governing Law

This DPA is governed by Belgian law. Any disputes arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Belgium.

17. Contact

For any questions regarding this DPA or data processing activities, please contact:
