This DPA has two parts:
- The Key Terms outlined below.
- The Common Paper DPA Standard Terms Version 1.0 posted at commonpaper.com/standards/data-processing-agreement/1.0 ("DPA Standard Terms"), which is incorporated by reference.
If there is any inconsistency between the Key Terms and the DPA Standard Terms, the Key Terms will control. Capitalized and highlighted terms have the meanings given here. If omitted, the default meaning will be “none” or “not applicable,” and the correlating clause, sentence, or section will not apply to this Agreement.
Agreement Information
- Agreement Reference: Reference to sales contract to be set upon agreement issuance.
- Provider Security Contact: kunaal@subimage.io
- Security Policy: As defined in the Agreement.
Approved Subprocessors
| Name | Country | Processing Task |
|---|
| Amazon Web Services (AWS) | United States of America | VPC peering and cron job processing for Neo4j data ingestion. |
| Neo4j | United States of America | Storage of nodes and relationships in the security graph. |
Service Provider Relationship
Under the California Consumer Privacy Act (CCPA), SubImage is a service provider receiving Personal Data from the Customer solely to provide the agreed-upon Service. SubImage:
- Will not sell or share any Customer-provided Personal Data.
- Will not retain, use, or disclose Customer-provided Personal Data except as required to deliver the Service or comply with Applicable Data Protection Laws.
- Certifies understanding and compliance with CCPA restrictions.
If SubImage can no longer meet its obligations under CCPA, the Customer will be notified promptly.
Annex I(A): List of Parties
Data Exporter
- Name: The Customer signing this DPA.
- Role: Controller.
Data Importer
- Name: SubImage Inc.
- Contact Person: Kunaal Sikka, President.
- Address: 2261 Market St #22829, San Francisco, CA 94114, USA.
- Role: Processor.
Annex I(B): Description of Transfer and Processing Activities
Service
SubImage provides a managed version of the open-source Cartography project, offering mapping and visualization of cloud and application resources. It highlights relationships, dependencies, and security risks with seamless integrations and zero operational overhead.
Processing Activities
SubImage will perform the following processing activities on behalf of the Customer:
- Receiving Data: Collection, access, retrieval, recording, and entry.
- Holding Data: Storage, organization, and structuring.
- Using Data: Analysis, consultation, testing, automated decision-making, and profiling.
- Updating Data: Corrections, adaptation, alignment, and combination.
- Protecting Data: Restricting, encrypting, and security testing.
- Sharing Data: Disclosure, dissemination, or granting access.
- Returning Data: Delivery back to the data exporter or data subject.
- Erasing Data: Destruction and deletion.
Duration of Processing
SubImage will process Personal Data as long as required to:
- Perform processing activities as instructed.
- Comply with Applicable Data Protection Laws.
Categories of Data and Subjects
| Categories of Data Subjects | Categories of Personal Data |
|---|
| Customer's employees | Contact information (email, phone, address), user activity data, location data, account details. |
| Customer's infrastructure metadata | Security configuration, cloud infrastructure data, and related metadata. |
- Special Category Data: No special category data (as defined in GDPR Article 9) will be processed.
- Frequency of Transfer: Continuous.
Data Processing Agreement (Version 1.0). Free to use under CC BY 4.0.
View as PDF
