Home>Policy>Global Data Processing Addendum

Global Data Processing Addendum

Global Data Processing Addendum

This Global Data Processing Addendum (“Addendum”) is incorporated into and forms part of the Customer Terms of Service, Master Subscription Agreement, or other written agreement (the “Agreement”) between CYVRA Inc., a Delaware corporation with its principal office in Utah, United States of America (“CYVRA,” “Service Provider,” or “Processor”), and the contracting customer entity (“Customer” or “Controller”).

This Addendum governs CYVRA’s Processing of Personal Data on behalf of Customer in connection with the provision of CYVRA’s security awareness training services, including phishing simulations, cyber games, newsletters, and related deliverables (the “Services”).

1. Definitions

For purposes of this Addendum:

“Personal Data” means any information relating to an identified or identifiable natural person that is subject to Data Protection Laws.
“Data Protection Laws” means all applicable privacy and data protection laws, including without limitation the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), Canada’s PIPEDA, Brazil’s LGPD, and any other applicable data protection law.
“Controller” (or “Business”) means the entity that determines the purposes and means of Processing Personal Data.
“Processor” (or “Service Provider”) means the entity that Processes Personal Data on behalf of the Controller.
“Subprocessor” means any third party engaged by CYVRA to Process Personal Data on behalf of Customer.
“Processing” means any operation performed on Personal Data, whether automated or not, such as collection, storage, use, disclosure, or deletion.

2. Roles of the Parties

2.1 The parties acknowledge that, with respect to Personal Data Processed in connection with the Services:

Customer acts as the Controller (or “Business” under CPRA/CCPA); and
CYVRA acts as the Processor (or “Service Provider” under CPRA/CCPA).

2.2 CYVRA shall Process Personal Data solely on documented instructions from Customer, unless otherwise required by applicable law.

3. Processing of Personal Data

CYVRA shall:

(a) Process Personal Data only as necessary to provide the Services, and not for any other purpose;

(b) comply with applicable Data Protection Laws;

(d) implement appropriate technical and organizational measures to protect Personal Data.

4. Subprocessors

4.1 Customer authorizes CYVRA to engage Subprocessors to support the Services.

4.2 CYVRA shall:

impose data protection obligations on Subprocessors consistent with this Addendum; and
remain liable for the acts and omissions of Subprocessors.
4.3 A current list of CYVRA Subprocessors is available upon request and may include:
Amazon Web Services (AWS): Hosting and storage infrastructure;
Mailgun: Email delivery of phishing simulations and newsletters;
Microsoft 365: Productivity and administrative tools;
[OTT Provider]: Hosting of training videos.

5. Data Subject Rights

CYVRA shall assist Customer, to the extent reasonably practicable, in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws, including rights of:

access, rectification, and erasure;
restriction or objection to Processing;
data portability; and
opt-out rights under CPRA.

Requests from individuals shall be directed to Customer; CYVRA will not respond directly unless legally required.

6. Security Measures

CYVRA shall implement and maintain appropriate administrative, technical, and physical security measures, including:

Encryption of Personal Data in transit (TLS 1.2/1.3) and at rest (AES-256);
Strict administrative access controls limited to authorized personnel;
Regular penetration testing and vulnerability assessments;
Secure offline backups with defined retention and destruction policies.

7. Data Breach Notification

CYVRA shall notify Customer without undue delay (and in any event within 72 hours where required by GDPR) after becoming aware of a confirmed Personal Data Breach. Such notice shall include, to the extent known, the nature of the breach, categories of data affected, and remedial actions taken.

8. International Data Transfers

Where Customer Data originates from the European Economic Area, United Kingdom, or other jurisdictions requiring safeguards, CYVRA shall rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission;
UK International Data Transfer Addendum, as applicable;
Other lawful transfer mechanisms recognized under Data Protection Laws.

9. Audit Rights

Upon reasonable written request, CYVRA shall provide Customer with information necessary to demonstrate compliance with this Addendum. Where additional audit rights are required by law, such audits shall be limited to once annually and conducted during normal business hours without disruption to CYVRA’s operations.

10. Deletion and Return of Data

Upon expiration or termination of the Agreement, CYVRA shall, at Customer’s written election, either:

delete Personal Data from its systems; or
return Personal Data to Customer,
subject to retention required by applicable law. Backup data will be securely destroyed in accordance with CYVRA’s retention policy.

11. Conflict of Terms

In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to the Processing of Personal Data.

12. Governing Law

This Addendum shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions.

13. Contact Information

All inquiries regarding this Addendum shall be directed to:

CYVRA Inc.

Principal Office: 340 21st Street Apt 2013

Ogden, Utah, 84401, USA.

Email: compliance@cyvra247.com

Legal Notices: legal@cyvra247.com

Service of process shall additionally be directed to CYVRA’s registered agent on file with the Delaware Secretary of State.