Data Processing Addendum
Last updated: March 2026
Document ID: TK-DPA-001 | Version: 1.0 | Effective Date: March 2026
This Data Processing Addendum (“DPA”) supplements the Terms and Conditions of Service and forms part of the agreement between ThreatKrew Pty Ltd (“Processor”) and the customer (“Controller”).
1. Roles and Scope
The Controller determines the purposes and means of processing Personal Data. The Processor (ThreatKrew) processes Personal Data solely on the Controller’s documented instructions.
This DPA applies to all Personal Data processed under Article 28 of the EU GDPR and the Australian Privacy Act 1988 (Cth).
2. Processing Details
Categories of data: Architecture documents, account information, assessment metadata.
Processing purpose: Threat model generation via multi-stage AI analysis pipeline.
Data location: AWS ap-southeast-2 (Sydney) for primary storage. US-based Amazon Bedrock endpoints for AI inference processing.
3. Processor Obligations
ThreatKrew will process Personal Data only on documented Controller instructions, ensure confidentiality obligations for all personnel, implement appropriate technical and organisational security measures, not engage sub-processors without prior Controller notification, assist the Controller with Data Subject requests, and delete all Personal Data within 30 days of termination or instruction.
4. Sub-processors
| Sub-processor | Location | Purpose | Compliance |
|---|---|---|---|
| AWS | ap-southeast-2 (Sydney) | Infrastructure, compute, storage | SOC 2 Type II, ISO 27001 |
| Anthropic / Amazon Bedrock | US | AI inference processing | SOC 2, zero-day data retention |
| Stripe, Inc. | United States | Payment processing | PCI DSS Level 1 |
ThreatKrew will provide 30 days’ notice of any sub-processor changes. The Controller has a 14-day objection window from notification.
5. International Transfers
For transfers of Personal Data from the EU/EEA to third countries, this DPA incorporates the EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), as adopted by the European Commission.
Supplementary measures (Schrems II): TLS 1.2+ for all data in transit, AES-256 encryption for data at rest, role-based access control (RBAC) with multi-factor authentication, and contractual protections with all sub-processors.
6. Security Measures
ThreatKrew implements: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control with MFA enforcement, comprehensive logging (12-month retention), network isolation and segmentation, multi-AZ failover for business continuity, incident response procedures (72-hour notification), and zero-day AI data retention by Anthropic.
7. Security Incident Notification
ThreatKrew will notify the Controller of any Personal Data breach within 72 hours of becoming aware, including the nature and scope of the breach, likely consequences, remediation steps taken, and contact details for further information.
8. Data Subject Rights
ThreatKrew will assist the Controller in fulfilling obligations under GDPR Articles 15–22 and Australian Privacy Act APPs 12–13. Simple requests are processed at no charge. Complex or voluminous requests may be processed at professional services rates, agreed in advance.
9. Audit Rights
The Controller may audit ThreatKrew’s compliance with this DPA with 30 days’ written notice, no more than once per 12-month period (except post-breach). ThreatKrew will provide SOC 2 Type II reports and ISO 27001 certification, when obtained, as evidence of compliance. Until formal certification is achieved, ThreatKrew can provide documentation of its SOC 2-aligned controls upon request. On-site audits are permitted at the Controller’s expense.
10. Data Export and Deletion
Upon termination or request, ThreatKrew will export Controller data in standard machine-readable format (CSV) within 30 days at no charge, encrypted in transit. All Personal Data is deleted within 30 days of export completion or termination, except where retention is required by law.
11. Liability
Liability under this DPA is subject to the limitations set out in the Terms and Conditions, except that no limitation applies to fines or penalties imposed under applicable data protection law for breaches attributable to the Processor.
12. Governing Law
This DPA is governed by the laws of New South Wales, Australia. For matters arising under the EU SCCs, GDPR governs.
13. Contact
Data Protection queries: privacy@threatkrew.io
Legal queries: legal@threatkrew.io