Data Processing Agreement
This DPA supplements our Terms of Service and governs the processing of personal data by EchelonGraph on your behalf.
1. Definitions
Controller: You, the customer, who determines the purposes and means of processing personal data through the Service.
Processor: EchelonGraph, Inc., which processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
2. Categories of Data Processed
| Category | Data Types | Lawful Basis |
|---|---|---|
| Account Data | Name, email, organization, role, auth credentials (hashed) | Contract performance |
| Cloud Configuration | IAM policies, security groups, VPC configs, resource metadata | Contract performance |
| Vulnerability Data | CVE IDs, CVSS scores, affected resources, remediation states | Contract performance |
| Compliance Data | Framework scores, control results, evidence artifacts | Contract performance |
| Usage Data | API calls, page views, feature usage (anonymized) | Legitimate interest |
| Log Data | IP addresses, access timestamps, user agent, request metadata | Legitimate interest / Security |
3. Processing Obligations
EchelonGraph shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that persons authorized to process personal data have committed themselves to confidentiality; (c) implement appropriate technical and organizational security measures; (d) respect the conditions for engaging sub-processors; (e) assist the Controller in responding to data subject requests; (f) assist the Controller in ensuring compliance with GDPR Articles 32-36; (g) delete or return all personal data upon termination; (h) make available to the Controller all information necessary to demonstrate compliance.
4. Sub-Processors
We use the following sub-processors. You will be notified 30 days before any new sub-processor is added.
| Provider | Purpose | Location | SCCs |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, compute, storage | United States | ✅ |
| Stripe | Payment processing | United States | ✅ |
| SendGrid (Twilio) | Transactional email delivery | United States | ✅ |
| Cloudflare | CDN, DDoS protection, DNS | Global (edge) | ✅ |
5. Technical & Organizational Measures
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256-GCM for all data stores (PostgreSQL, Neo4j, ClickHouse, Redis) |
| Encryption in Transit | TLS 1.3 for all inter-service communication and external APIs |
| Access Control | RBAC with 5 roles, 18 permissions, least-privilege principle |
| Authentication | RS256 JWT, TOTP MFA, SAML/OIDC/LDAP SSO, session management |
| Tenant Isolation | PostgreSQL RLS, Neo4j label isolation, ClickHouse partition isolation |
| Audit Logging | All admin actions logged with user ID, timestamp, IP, and action detail |
| Vulnerability Management | Automated CVE scanning of infrastructure, 24h critical patch SLA |
| Incident Response | 24/7 on-call, 4-hour initial response for P1 incidents, documented runbooks |
| Backup & Recovery | Automated daily backups, 30-day retention, tested quarterly disaster recovery |
6. Data Subject Rights
EchelonGraph will assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection). Requests should be directed to dpo@echelongraph.io and will be processed within 30 days.
7. International Transfers
When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) as a legal transfer mechanism. We also implement supplementary measures including encryption, access controls, and pseudonymization to ensure adequate protection.
8. Data Breach Notification
EchelonGraph will notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
Execute This DPA
Enterprise customers can request a countersigned DPA by emailing legal@echelongraph.io with your company name and authorized signatory details. Our standard DPA is provided at no additional cost.