Data Processing Agreement

1. Introduction

  1. This Data Processing Agreement (“DPA”) forms part of the agreement between AttackForge Pty Ltd (“Processor”, “AttackForge”, “we”, “us”) and the entity or individual who has entered into a subscription or services agreement for the AttackForge platform (“Controller”, “Customer”, “you”) (collectively, the “Parties”), for the purpose of establishing the obligations of each Party with regard to the processing of Personal Data in connection with the AttackForge offensive security management and reporting platform (the “Services”).

  2. This DPA applies to all processing of Personal Data carried out by the Processor on behalf of the Controller in the course of providing the Services, including the AttackForge Core and Enterprise products delivered via Cloud Services (Microsoft Azure and MongoDB Cloud).

  3. AttackForge is an offensive security management and reporting platform that enables security teams to plan, perform, and track penetration testing projects; manage vulnerabilities and assets; generate reports; and collaborate across stakeholders. The platform is SOC 2 Type 2 certified in Security, Confidentiality, and Availability.

2. Definitions

  1. “Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to the performance of the Services, including but not limited to the EU General Data Protection Regulation (GDPR), the Australian Privacy Act 1988, the California Consumer Privacy Act (CCPA), and any other applicable national, state, or regional data protection legislation.

  2. “Controller” means the entity that determines the purposes and means of the processing of Personal Data and that has entered into an agreement with AttackForge for the provision of the Services.

  3. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

  4. “Effective Date” means the date upon which AttackForge makes the Services available for use to the Controller.

  5. “Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in the course of providing the Services, including names, email addresses, IP addresses, user identifiers, and any other information classified as personal data, personal information, or personally identifiable information under Applicable Data Protection Laws.

  6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

  7. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

  8. “Sub-processor” means any third party engaged by AttackForge to process Personal Data on behalf of the Controller in connection with the Services.

  9. “Services” means the AttackForge offensive security management and reporting platform, including all features, APIs (RESTful and Event-driven), integrations (including Flows, MCP, and third-party connectors such as JIRA, ServiceNow, and Azure DevOps), reporting tools (ReportGen), and related support services provided under the underlying agreement.

3. Scope and Role of the Parties

  1. The Controller determines the purposes and means of processing Personal Data through the use of the Services. The Processor shall process Personal Data only on behalf of, and in accordance with documented instructions from, the Controller.

  2. AttackForge acts as a Processor when processing Personal Data submitted by or on behalf of the Controller through the platform. Where AttackForge processes data for its own legitimate business purposes (such as billing, service analytics, and platform security), AttackForge acts as an independent Controller and shall comply with all Applicable Data Protection Laws in respect of such processing.

  3. The details of the processing, including the categories of Personal Data, the categories of Data Subjects, and the purposes of processing, are described in Schedule 1 to this DPA.

4. Obligations of the Processor

AttackForge shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law, in which case AttackForge shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so);

  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Schedule 2 to this DPA;

  4. Respect the conditions for engaging Sub-processors as set out in Clause 7 of this DPA;

  5. Taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws;

  6. Assist the Controller in ensuring compliance with its obligations in respect of security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to AttackForge;

  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of the Personal Data;

  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for, and contribute to, audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Obligations of the Controller

The Controller shall:

  1. Ensure that it has a valid legal basis for the processing of Personal Data and that all necessary consents, authorizations, or notices have been obtained or provided as required under Applicable Data Protection Laws;

  2. Provide documented instructions to the Processor regarding the processing of Personal Data, and ensure that such instructions comply with Applicable Data Protection Laws;

  3. Be solely responsible for the accuracy, quality, and legality of Personal Data submitted to the Services and the means by which it was acquired;

  4. Ensure that any use of third-party integrations (including JIRA, ServiceNow, Azure DevOps, or custom API integrations via the AttackForge Self-Service RESTful API, Event-driven API, or Flows) that results in Personal Data being transmitted outside the platform is done in compliance with Applicable Data Protection Laws.

6. Data Security

AttackForge implements and maintains comprehensive technical and organizational security measures appropriate to the risk, as described in Schedule 2. These measures include but are not limited to:

  1. Encryption of all data in transit using TLS v1.2+ with strong cipher suites, and encryption of all data at rest;

  2. Mandatory Multi-Factor Authentication (TOTP) on all application and administrative interfaces;

  3. Strong password policies with passwords stored hashed and salted;

  4. Role-Based Access Controls (RBAC) at both user-level and project-level to manage authorization to data;

  5. Access logging, tracking, and auditing of all account actions;

  6. Anti-automation controls to prevent brute-force login attempts;

  7. Session monitoring and management to prevent authenticated abuse;

  8. Firewall protections limiting systems to minimal access points;

  9. Regular third-party penetration testing and security assessments.

For Private Cloud deployments, data is hosted on dedicated single-tenant infrastructure in the Controller’s chosen Microsoft Azure region worldwide, with database services provided through MongoDB Cloud. Pentest reports are generated in browser memory on request and are never stored on AttackForge infrastructure.

7. Sub-processors

  1. The Controller provides general authorization for the Processor to engage Sub-processors for the performance of the Services, subject to the requirements of this Clause 7.

  2. AttackForge shall maintain a current list of Sub-processors and shall make this list available to the Controller upon request. The current Sub-processors as at the date of this DPA are listed in Schedule 3.

  3. AttackForge shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller a reasonable opportunity (not less than 30 days) to object to such changes. If the Controller objects on reasonable grounds relating to data protection, the Parties shall discuss the matter in good faith. If no resolution can be reached, the Controller may terminate the affected Services without penalty.

  4. Where AttackForge engages a Sub-processor, it shall impose on the Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract. AttackForge shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

8. International Data Transfers

  1. The Controller may select the Azure region in which its Private Cloud tenant is hosted, allowing data residency in any Azure-supported region worldwide.

  2. To the extent that the performance of the Services involves the transfer of Personal Data to a country outside the jurisdiction of the Controller that does not provide an adequate level of data protection, AttackForge shall ensure that appropriate safeguards are in place, which may include:

    1. Standard Contractual Clauses approved by the European Commission or other relevant supervisory authority;

    2. Binding Corporate Rules;

    3. Any other lawful transfer mechanism recognized under Applicable Data Protection Laws.

9. Data Subject Rights

  1. AttackForge shall, taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction, and objection.

  2. If AttackForge receives a request directly from a Data Subject, AttackForge shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise required by applicable law.

  3. The platform provides the Controller with self-service capabilities including the ability to access, export, modify, and delete Personal Data through the application interface and the Self-Service RESTful API.

10. Personal Data Breach Notification

  1. AttackForge shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach affecting the Controller’s data.

  2. Such notification shall include, to the extent reasonably available:

    1. A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;

    2. The name and contact details of the point of contact from whom further information may be obtained;

    3. A description of the likely consequences of the breach;

    4. A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate any possible adverse effects.

  3. AttackForge shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

11. Audit Rights

  1. AttackForge shall make available to the Controller (subject to reasonable confidentiality obligations) the information necessary to demonstrate compliance with the obligations under this DPA, including copies of relevant certifications (such as SOC 2 Type 2 reports).

12. Data Retention and Deletion

  1. AttackForge shall process Personal Data for the duration of the underlying services agreement. Upon termination or expiration of the agreement, AttackForge shall, at the Controller’s election:

    1. Delete all Personal Data, including any copies, within 30 days of receiving the Controller’s written instruction, unless applicable law requires further retention.

  2. AttackForge shall provide written confirmation of deletion upon request.

13. Liability

  1. Each Party’s liability under this DPA shall be subject to the exclusions and limitations of liability set out in the underlying services agreement between the Parties.

  2. Nothing in this DPA shall limit or exclude either Party’s liability for breaches of Applicable Data Protection Laws to the extent that such limitation or exclusion is not permitted by law.

14. Term and Termination

  1. This DPA shall come into effect on the Effective Date and shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller under the Services agreement.

  2. The obligations of the Processor under this DPA shall survive termination or expiration of the underlying agreement to the extent necessary to complete the processing, return, or deletion of Personal Data as required herein.

15. General Provisions

  1. In the event of any conflict between this DPA and the underlying services agreement, the provisions of this DPA shall prevail to the extent of any inconsistency relating to the processing of Personal Data.

  2. This DPA shall be governed by and construed in accordance with the laws of the State of Victoria, Australia, without regard to its conflict of law principles. The courts of Victoria, Australia shall have exclusive jurisdiction to settle any dispute arising under this DPA.

  3. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Schedule 1

Details of Processing

Subject Matter: Processing of Personal Data in connection with the provision of the AttackForge offensive security management and reporting platform, including project management, vulnerability management, asset management, user collaboration, reporting, and related support services.

Duration: For the term of the underlying services agreement, plus any period required for data return or deletion as set out in Clause 12.

Nature & Purpose: Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data for the purpose of providing the platform’s features including: project creation and management; vulnerability tracking and remediation; asset management; user authentication and access control; report generation; notifications and communications; API-based integrations; and analytics and dashboards.

Data Subject Categories: Platform users (security testers, developers, project managers, executives, clients, and other stakeholders invited by the Controller); individuals identified through vulnerability or asset data submitted to the platform.

Personal Data Categories: User account information (names, email addresses, job titles, roles); authentication data (hashed passwords); access and audit logs (IP addresses); project and vulnerability data that may incidentally contain Personal Data.

Sensitive Data: The Services are not designed to process special categories of data. However, vulnerability and penetration testing data submitted by the Controller may incidentally contain sensitive information. The Controller is responsible for ensuring appropriate safeguards for any sensitive data uploaded.

Schedule 2

Technical and Organizational Security Measures

AttackForge implements the following security measures in accordance with its SOC 2 Type 2 certification in Security, Confidentiality, and Availability:

Network Security: TLS v1.2+ encryption for all traffic in transit; enforcement of strong cipher suites; firewall protections with minimal access points; dedicated single-tenant infrastructure (Private Cloud).

Authentication & Access: Mandatory TOTP-based Multi-Factor Authentication on all interfaces; strong password policy; password hashing and salting; Role-Based Access Controls (RBAC) at user and project levels; anti-automation controls against brute-force attacks; session monitoring and management.

Data Storage: All data encrypted at rest; virtualized servers hosted on Microsoft Azure and MongoDB Cloud (Private Cloud); database backups stored and transmitted encrypted; pentest reports generated in browser memory on demand and never stored on AttackForge infrastructure.

System Security: Operating systems managed, patched, and maintained by Azure and MongoDB; unnecessary users, services, and components disabled; continuous system monitoring.

Audit & Monitoring: Comprehensive logging and auditing of account actions; email notifications for security events (e.g., new logins from different IP addresses); audit log retrieval via Self-Service API.

Personnel: Engineers with security backgrounds; administrative access restricted to a small number of closely managed administrators following least privilege principles; confidentiality obligations for all personnel.

Third-Party Assurance: SOC 2 Type 2 certification in Security, Confidentiality, and Availability; regular third-party penetration testing; reliance on Azure and MongoDB compliance certifications including ISO 27001, SOC 1/2/3, FIPS 140-2, GDPR, HIPAA, and PCI DSS.

Schedule 3

Authorized Sub-processors

The following Sub-processors are authorized by the Controller as at the Effective Date. This schedule applies to Private Cloud deployments only.

Microsoft Azure
  Purpose: Cloud infrastructure hosting (compute, storage, networking)
  Location: Controller-selected Azure region
  Data Processed: All platform data

MongoDB Cloud
  Purpose: Database-as-a-Service (data storage and backups)
  Location: Controller-selected region
  Data Processed: All platform data

Twilio SendGrid
  Purpose: Email delivery
  Location: United States
  Data Processed: Emails

AttackForge does not share customer data with third parties. Administrative access to customer data for support purposes is restricted to a small number of closely managed administrators following the principle of least privilege.

Last updated