PocketSOC Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the PocketSOC Terms of Service and applies where PocketSOC processes Personal Data on behalf of a Customer subject to applicable data protection laws.

1. Roles of the Parties

Customer acts as the Data Controller. PocketSOC acts as the Data Processor. PocketSOC processes Personal Data only on documented instructions from Customer, including as set forth in the Terms and this DPA.

2. Description of Processing

a. Subject Matter

Processing of alert data and related identifiers for the purpose of delivering security alert notifications.

b. Duration

For the term of the applicable subscription and any retention period specified herein.

c. Nature and Purpose

Automated ingestion and transient processing of alert data transmitted by customer-authorized third-party security platforms, including via email, for the sole purpose of generating push notifications.

d. Categories of Data Subjects

Employees, contractors, or other end users of Customer whose data may be included in alert payloads, as determined by Customer configuration.

e. Categories of Personal Data

Depending on Customer configuration and third-party platform behavior, Personal Data may include:

• Device identifiers
• Hashed organization identifiers
• User email addresses
• Encrypted vendor API credentials
• Group membership and assignment data
• On-call schedule configurations
• Endpoint hostnames
• Usernames
• IP addresses
• Alert titles, descriptions, and metadata
• Audit log records
• Billing identifiers
• Other identifiers included in security alerts by third-party platforms

PocketSOC does not determine the content or structure of alert data.

3. Customer Responsibilities

Customer represents and warrants that:

• It has a valid legal basis for processing and transmitting Personal Data to PocketSOC
• It has provided any required notices to data subjects
• It controls which alerts and data elements are transmitted

4. PocketSOC Obligations

PocketSOC shall:

• Process Personal Data solely for notification delivery
• Not retain alert content beyond transient processing for notification delivery; retain encrypted vendor credentials, user account data, device registrations, and audit logs only as necessary to operate the Service and as described in the Privacy Policy
• Ensure personnel are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures

5. Subprocessing

Customer authorizes PocketSOC to engage subprocessors. PocketSOC shall impose data protection obligations on subprocessors consistent with this DPA.

6. Data Subject Rights

PocketSOC shall reasonably assist Customer in responding to data subject requests, taking into account the nature of processing and information available.

7. Personal Data Breach

PocketSOC shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

8. International Transfers

Where Personal Data is transferred outside the EEA or UK, PocketSOC shall ensure appropriate safeguards are in place.

9. Deletion or Return of Data

Upon termination of the Service, PocketSOC shall delete or return Personal Data, except where retention is required by law.

10. Audits

PocketSOC shall make available reasonable information necessary to demonstrate compliance, subject to confidentiality and security constraints.