Data Processing Agreement
Last updated: 24 April 2026
Noctara Red
Effective date: 24 April 2026 | Version: 1.0
This Data Processing Agreement (DPA) is entered into between Noctara Security Ltd, a company incorporated in England and Wales (Company No. 17122134) (Processor), and the Customer identified in the applicable Order Form or subscription account (Controller).
This DPA forms part of the Terms of Service and applies wherever Noctara Security Ltd processes personal data on behalf of the Customer in connection with the Noctara Red platform. In the event of any conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails.
1. Definitions
| Term | Definition |
|---|---|
| Controller | The Customer, who determines the purposes and means of processing personal data uploaded to or generated within the Platform. |
| Data Protection Law | UK GDPR, the Data Protection Act 2018, and any successor or replacement legislation in force from time to time. |
| Data Subject | An identified or identifiable natural person to whom personal data relates. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Data Protection Law. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
| Processor | Noctara Security Ltd, acting on the Controller's instructions in relation to personal data. |
| Restricted Transfer | A transfer of personal data from the UK or EEA to a third country that is not subject to an adequacy decision. |
| Special Category Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. |
| Standard Contractual Clauses | The standard data protection clauses approved for Restricted Transfers under applicable Data Protection Law. |
| Sub-processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
All other capitalised terms have the meanings given to them in the Terms of Service.
2. Scope and Duration of Processing
2.1 Subject matter
The Processor provides the Customer with access to the Noctara Red platform, an AI-assisted penetration testing workflow and reporting tool. In doing so, the Processor processes personal data that the Customer uploads or generates within the Platform in the course of security testing engagements.
2.2 Nature of processing
Storage, retrieval, analysis, AI-assisted enrichment, and report generation.
2.3 Purpose of processing
To provide the services described in the Terms of Service, including AI-assisted vulnerability reporting, finding enrichment, and document generation.
2.4 Categories of personal data
- account and identity data such as names, email addresses, and job titles;
- personal data discovered or captured during security testing engagements, including credentials, email addresses, usernames, IP addresses, and device identifiers;
- any other personal data contained within scan outputs, evidence files, or report content uploaded by the Customer.
2.5 Categories of data subjects
- employees and contractors of the Customer (Authorised Users);
- employees, contractors, and users of systems owned by the Customer's clients whose personal data may appear in scope during authorised testing engagements.
2.6 Special Category Data
The Processor does not intentionally collect or process Special Category Data. The Customer must not upload Special Category Data to the Platform without first notifying the Processor in writing and obtaining written agreement on appropriate safeguards.
2.7 Duration
The Processor will process personal data for the duration of the Subscription Period and for a further 30 days following termination or expiry of the Agreement, after which personal data will be securely deleted or anonymised in accordance with clause 9 of this DPA.
3. Controller Obligations
The Controller warrants and undertakes that:
- it has a valid lawful basis under Data Protection Law for each category of personal data it uploads to or generates within the Platform;
- it has provided all necessary notices to, and obtained all necessary consents from, data subjects where required;
- it holds appropriate authority from the owners of systems under test to process any personal data captured during security testing engagements;
- it will not upload Special Category Data without prior written agreement;
- it will comply with all applicable obligations under Data Protection Law in its capacity as Controller.
4. Processor Obligations
4.1 Processing on instructions only
The Processor will process personal data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law.
4.2 Confidentiality
The Processor will ensure that all personnel authorised to process personal data are subject to binding confidentiality obligations and are aware of their obligations under this DPA and Data Protection Law.
4.3 Security
The Processor will implement and maintain technical and organisational measures appropriate to the risk presented by the processing, including measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Current security measures include encryption of data in transit and at rest, access controls and authentication requirements, regular security assessments, and infrastructure hosted within UK or EEA-aligned regions where possible.
4.4 Assistance with Controller obligations
Taking into account the nature of the processing, the Processor will provide reasonable assistance to the Controller in fulfilling its obligations under Data Protection Law, including responding to rights requests, carrying out impact assessments, consulting with supervisory authorities where required, and responding to Personal Data Breaches.
4.5 Notification of unlawful instructions
If the Processor reasonably believes that any instruction from the Controller would infringe Data Protection Law, it will notify the Controller promptly and is not required to act on instructions it reasonably believes to be unlawful.
5. Sub-processing
5.1 Authorisation
The Controller provides general written authorisation for the Processor to engage Sub-processors. The current list of approved Sub-processors is maintained on our Subprocessor List.
5.2 Notice of changes
The Processor will give the Controller not less than 30 days' prior written notice of any intended addition or replacement of a Sub-processor.
5.3 Objection
If the Controller objects to a new or replacement Sub-processor on reasonable data protection grounds, it must notify the Processor in writing within 14 days of receiving notice. If no resolution is reached, the Controller may terminate the Agreement without penalty in accordance with clause 10 of the Terms of Service.
5.4 Sub-processor obligations
The Processor will impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA and remains liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if it were performing the processing itself.
6. International Transfers
6.1 Transfers within the UK and EEA
The Platform is hosted on infrastructure located within the UK or European Economic Area wherever possible.
6.2 Restricted Transfers
Where a Restricted Transfer is necessary, including in connection with AI inference processing by a Sub-processor, the Processor will ensure that an appropriate transfer mechanism is in place before the transfer occurs.
6.3 Documentation
The Processor will maintain records of any Restricted Transfers and the transfer mechanisms relied upon, and will make these available to the Controller on reasonable written request.
7. Personal Data Breaches
7.1 Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Personal Data Breach affecting personal data processed under this DPA.
7.2 Content of notification
The Processor's initial notification will include, to the extent then known, the nature of the breach, categories and approximate numbers affected, likely consequences, mitigation measures taken or proposed, and the relevant data protection contact details.
7.3 Cooperation
The Processor will cooperate with the Controller in investigating and remediating a Personal Data Breach and will provide such assistance as the Controller reasonably requires to meet its own notification obligations.
8. Data Subject Rights
Where the Processor receives a request from a data subject exercising their rights under Data Protection Law in connection with personal data processed under this DPA, the Processor will forward the request to the Controller promptly, will not respond directly except on written instruction or where required by law, and will provide reasonable assistance to help the Controller respond within the statutory timeframe.
9. Retention, Return, and Deletion
9.1 During the Agreement
The Processor will retain personal data only for as long as necessary to provide the Services or as required by law.
9.2 On termination or expiry
Following termination or expiry of the Agreement, the Processor will make Customer Data available for export for a period of 30 days. After that period, the Processor will securely delete or anonymise all personal data processed under this DPA, unless retention is required by applicable law.
9.3 Certification
On written request made within the 30-day export window, the Processor will provide written confirmation that deletion or anonymisation has been completed.
10. Audit and Compliance
10.1 Records
The Processor will maintain records of its processing activities as required by Article 30 UK GDPR.
10.2 Audit rights
The Controller may, on not less than 30 days' prior written notice and no more than once per calendar year unless a Personal Data Breach has occurred, audit or commission an audit of the Processor's compliance with this DPA.
10.3 Third-party certifications
Where the Processor holds relevant third-party security certifications, it will make summary evidence of those certifications available to the Controller in lieu of a direct audit where appropriate.
11. Liability
The parties' liability under this DPA is subject to the limitations set out in clause 12 of the Terms of Service. Nothing in this DPA limits or excludes liability in circumstances where it cannot be excluded or limited by applicable law.
12. General
12.1 Order of precedence
In the event of any conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails.
12.2 Governing law
This DPA is governed by the laws of England and Wales.
12.3 Variation
The Processor may update this DPA from time to time to reflect changes in Data Protection Law or its processing activities. Where a change is material, the Processor will give the Controller not less than 30 days' prior written notice.
13. Contact
Noctara Security Ltd