Data Processing Addendum
Introduction
This Privacy Policy is designed to comply with, and be interpreted consistently with, applicable privacy laws, including the EU/EEA General Data Protection Regulation (GDPR), UK GDPR, India’s Digital Personal Data Protection Act, 2023 and draft Rules, 2025 (DPDP), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Brazil’s LGPD, Singapore’s PDPA, Australia’s Privacy Act 1988, and analogous laws where we operate. Where legally permitted, SecureRoom extends core rights and protections described in this Policy to all users, regardless of location.
Effective Date: November 03, 2025
Parties:
• Customer (Controller/Fiduciary)
• SecureRoom.ai (Processor/Processor)
This Addendum supplements the SecureRoom.ai Terms and Conditions and governs the parties’ rights and obligations concerning personal data processing.
1. Definitions
All capitalized terms not defined herein have the meanings set forth in the Agreement or Privacy Policy. “Personal Data,” “Controller,” and “Processor” correspond to GDPR, UK GDPR, and DPDP Act terminology.
2. Scope and Duration
• Subject Matter: Processing of Customer Data to provide Services.
• Duration: Term of the Agreement, plus post-termination deletion window.
3. Processing Details
• Categories of Data Subjects: End users, customer employees, contractors, support contacts.
• Categories of Personal Data: Account details, usage logs, documents and metadata, billing information, support communications.
4. Instructions
Processor shall process Customer Data only on documented instructions from Customer, including international transfer instructions. Processor will notify Customer if any instruction conflicts with applicable law.
5. Security Measures
Processor implements technical and organizational measures to protect Customer Data, including (but not limited to):
• AES-256 encryption at rest, TLS 1.2+ in transit
• Multi-factor authentication and role-based access controls
• Audit logging, intrusion detection, vulnerability management
• Data backup, disaster recovery, secure deletion
• Employee training, confidentiality obligations
6. Sub-processors
• Customer consents to Processor’s use of sub-processors (e.g., AWS, analytics, email, support).
• Processor maintains a current list of sub-processors and provides it upon request.
• Processor gives Customer prior notice of material changes and a reasonable opportunity to object.
7. International Transfers
Processor may transfer Customer Data across borders under the following safeguards:
• Standard Contractual Clauses (SCCs) with applicable addenda
• EU-U.S. and Swiss-U.S. Data Privacy Framework
• Binding Corporate Rules when adopted
• Transfer impact assessments upon Customer request
8. Data Subject Rights Assistance
Processor shall assist Customer in responding to data subject requests (access, correction, deletion, portability, restriction, objection) within Customer’s timeframes.
9. Data Breach Notification
Processor will notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data and provide relevant details and mitigation updates.
10. Retention and Deletion
• Customer Data will be returned or securely deleted within as per the provisions of applicable laws, rules, and regulations after termination, except to the extent retention is required by law.
11. Liability
Processor’s liability for data processing obligations is governed by the Agreement’s limitation of liability, except for willful misconduct or breach of confidentiality/security obligations.
12. Governing Law and Precedence
This Addendum is governed by the Agreement’s choice of law. In case of conflict, this Addendum prevails regarding data processing terms.
Annexes
• Annex 1: Detailed Processing Activities
• Annex 2: Technical and Organizational Measures (full list)
• Annex 3: Subprocessor List and Data Locations
• Annex 4: Standard Contractual Clauses and Addenda
ANNEX 1: DETAILED PROCESSING ACTIVITIES
Processing Activity | Purpose | Categories of Personal Data | Categories of Data Subjects | Legal Basis |
User account creation and management | Authentication, access control | Name, email, phone, organization, login credentials | End users, administrators | Contractual necessity |
Billing and subscription management | Invoice generation, payment processing | Billing address, payment details, transaction logs | Customers, billing contacts | Contractual necessity |
VDR document storage and retrieval | Core VDR functionality | Uploaded documents, metadata, audit logs | End users, invited reviewers | Contractual necessity |
Search indexing and metadata extraction | Enhanced search, version tracking | Document metadata, file names, timestamps | End users, administrators | Legitimate interests |
Usage analytics and performance monitoring | Service improvement, troubleshooting | IP address, device type, session data, clickstream | End users | Legitimate interests |
Support ticket handling | Customer support, issue resolution | Name, email, chat transcripts, call records | End users, support contacts | Contractual necessity |
Security monitoring and intrusion detection | Threat detection, incident response | IP address, access logs, event logs | End users | Legitimate interests |
Cookie and tracking technology | User experience, analytics | Cookie identifiers, device identifiers | Website visitors | Consent (non-essential); Legitimate interests (essential) |
Marketing and promotional communications | Updates, offers, newsletters | Email, name, preferences | Prospects, subscribers | Consent |
Automated backup and disaster recovery | Data integrity and availability | All data stored in VDR | End users, administrators | Contractual necessity |
Audit and compliance reporting | Regulatory compliance, audit support | Audit logs, access records | End users, administrators, regulators | Legal obligation; Legitimate interests |
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
1. Access Control
• Role-based access control (RBAC)
• Principle of least privilege
• Unique user IDs and strong password policies
• Multi-factor authentication (MFA)
2. Encryption
• AES-256 encryption at rest
• TLS 1.2+ in transit
• Secure key management
3. Network Security
• Virtual private cloud (VPC) segmentation
• Firewalls and security groups
• Intrusion detection/prevention systems
4. Logging and Monitoring
• Centralized log aggregation and storage
• Real-time monitoring and alerting for anomalies
5. Vulnerability Management
• Regular vulnerability scanning and patch management
• Third-party and open-source component assessments
6. Data Backup and Recovery
• Automated, encrypted backups with geo-redundancy
• Regular recovery drills and integrity checks
7. Physical Security
• 24/7 on-site security, surveillance, and access controls
• Environmental controls and disaster resilience
8. Incident Response
• Formal incident response plan
• Defined notification timelines (e.g., 48 hours for data breaches)
• Post-incident reviews and corrective action tracking
9. Personnel Security
• Background checks for relevant staff
• Confidentiality and non-disclosure agreements
• Regular security and privacy training programs
10. Data Lifecycle Management
• Data classification, retention, and secure deletion policies
• Automated deletion or anonymization at end of retention period
• Retention schedules aligned to legal and contractual requirements
11. Change Management
• Formal change request and approval processes
• Audit logging of configuration changes
12. Third-Party Risk Management
• Due diligence and security assessments for sub-processors
• Contractual security and confidentiality obligations
• Ongoing audit and compliance reviews
Annex 3: Subprocessor List and Data Locations
Sub-processor | Service Provided | Data Categories Processed | Data Location(s) | Transfer Mechanism |
Amazon Web Services (AWS) | Cloud hosting, storage | All Customer Data, operational logs | US, EU (Frankfurt), APAC (Mumbai), Asia Pacific (Sydney) | SCCs, Data Privacy Framework |
Cloudflare | CDN, DDoS protection | Web traffic logs, IP addresses | Multiple global edge locations | SCCs |
Google Analytics | Analytics | Usage metrics, cookie data | US, EU (Belgium) | SCCs |
Annex 4: Standard Contractual Clauses and Addenda
1. SCC Module 2 (Controller→Processor)
• Incorporates the EU Commission’s Standard Contractual Clauses for transfers from the EEA to processors in third countries.
2. SCC Module 3 (Processor→Subprocessor)
• Governs onward transfers from processor to subprocessors under the EU SCC framework.
3. UK Addendum to the EU SCCs
• Applies to transfers from the UK, consistent with the UK’s International Data Transfer Agreement (IDTA).
4. EU-U.S. Data Privacy Framework
• SecureRoom participates in the EU-U.S. Data Privacy Framework for transfers to U.S. entities.
5. Swiss-U.S. Data Privacy Framework
• Applies where relevant for transfers from Switzerland.
6. Binding Corporate Rules (BCRs) (planned)
• SecureRoom intends to adopt BCRs for future internal transfers across its global group.
All transfers under these mechanisms are subject to adherence to the clauses’ obligations, including data subject rights, security measures, audit rights, and breach notifications. The full text of each clause and addendum is annexed to this Data Processing Addendums or available upon request.