PortSwigger Data Processing Agreement

Annex 1: Defined terms

All capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement, otherwise:

CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any implementing regulations thereof.

EU Data Protection Laws means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and laws implementing or supplementing the GDPR as amended, replaced or superseded from time to time.

EU SCCs means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR approved by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021; as amended or replaced from time to time by a competent authority.

Licensee Personal Data means personal data processed by Licensor on behalf of the Licensee for the purposes of supplying the services pursuant to the Principal Agreement and as further described in Annex 2.

Data Protection Laws means the UK Data Protection Laws, the EU Data Protection Laws, the CCPA and any other applicable data protection laws of any other region, country, province, or state in relation to Licensee Personal Data in respect of which the Licensor is a data processor (or equivalent) under any other Data Protection Laws.

Data Transfer Safeguard means a mechanism approved and/or permitted under Data Protection Laws for data transfers ensuring that Licensee Personal Data receives adequate protection, including the EU SCCs and the UK Addendum.

Restricted Transfer means a transfer of personal data (or an onward transfer), where such transfer would be prohibited by Data Protection Laws (or by the terms of any data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of appropriate Data Transfer Safeguard(s).

UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.

UK Data Protection Laws means the Data Protection Act 2018, the "UK GDPR" as defined in section 3(10) of the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the UK.

The terms controller, processor, data subject, personal data, sell, share, and processing and substantively equivalent terms shall have the meanings given in the Data Protection Laws.

Annex 2: Data processing activities

Subject Matter and Duration

Licensee Personal Data may be processed to allow Licensor to provide the services under the Principal Agreement (depending on how the Licensee chooses to deploy the service). The processing shall take place for the duration of the Principal Agreement, unless otherwise directed by Licensee.

Nature and Purpose

Data processing required for provision of the services under the Principal Agreement.

Categories of Data Subjects

The data subjects could include Licensee's customers, employees and suppliers.

Types of Personal Data

Licensee Personal Data processed during the testing process performed by the software, as operated by Licensee.

The Licensor does not intentionally collect or process any special categories of data. However, the Licensee could submit special categories of personal data through its use of the software.

Frequency of the transfer (as applicable)

On a continuous basis as required by the Principal Agreement.

authorized Sub-Processors

Entity

  • Amazon Web Services

Details of Processing

  • Hosting Provider

Location of Processing

  • Ireland

Data Transfer Safeguards (where applicable)

  • EU / UK Adequacy

Annex 3: Security measures

Here is a description of the technical and organizational measures the Licensor implements to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

PortSwigger uses vulnerability assessment, patch management, threat protection technologies, and continuous monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses, and other malicious code.

Measures for the protection of data during transmission

Data is encrypted in transit.

Measures for the protection of data during storage

Data is encrypted within the product(s) by AWS.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Business resiliency/continuity and disaster recovery procedures are in place, as appropriate, and are designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

PortSwigger uses multiple types of automated vulnerability scans and assessments which are run at various frequencies.

Measures for user identification and authorization

PortSwigger uses logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates).

Measures for ensuring events logging

PortSwigger has system audit and event logging and related monitoring procedures in place to record user access and system activity. Automated analytics are used to generate alerts for suspicious or potentially malicious activity.

Measures for ensuring system configuration, including default configuration

PortSwigger uses configuration management tools to deploy and enforce baseline configurations on our systems.

Measures for certification/assurance of processes and products

PortSwigger regularly reviews its processes on an annual or as-needed basis. Additionally, PortSwigger is certified by Cyber Essentials Plus and undergoes an audit annually to ensure the effectiveness of controls relevant to security. PortSwigger uses AWS for data hosting who have numerous security certifications including ISO27001 and SOC2.

Measures for ensuring data minimization

PortSwigger has data protection policies which build in data minimization and cover the ways in which personal data may be used, transferred, stored, and deleted.

Measures for ensuring limited data retention

Data retention policies are in place which comply with applicable laws and are reviewed regularly by information security and applicable stakeholders.

Measures for allowing data portability and ensuring erasure

Data subject request processes are in place to handle erasure and data portability requests. Customers may contact hello@portswigger.net to make requests.

Measures for ensuring any data processor implements appropriate technical and organizational controls

PortSwigger regularly reviews and assess all data processors with Vendor Risk Assessment on an annual or as-needed basis.

Annex 4: CCPA

  • Licensor is processing Personal Data subject to the CCPA for, or on behalf of, Licensee, or Licensee has made available Licensee Personal Data to Licensor, for the business or commercial purpose(s) identified in the Principal Agreement.
  • Licensor shall not sell, share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Licensee Personal Data that Licensor receives from, or on behalf of, Licensee to any third party for monetary or other valuable consideration.
  • Licensor shall not retain, use, or disclose Licensee Personal Data that Licensor receives from, or on behalf of, Licensee: (i) for any purpose (including, but not limited to, any commercial purpose) other than business purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Licensee and Licensor.
  • Licensor may combine Licensee Personal Data that it receives from, or on behalf of, Licensee with Personal Data that Licensor receives from, or on behalf of, another person, or collects from its own interaction with an individual, unless the combining of that Personal Data (1) would not be consistent with an individual's expectations, or (2) is prohibited by the CCPA. For avoidance of doubt, any restrictions on Licensor's ability to combine Personal Data does not apply to Personal Data obtained by Licensor prior to its engagement with Licensee. For purposes of this DPA, "combine" means to aggregate Personal Data about an individual into a single profile.
  • If Licensee discloses deidentified Personal Data to Licensor, or Licensor deidentifies Personal Data previously disclosed by Licensee, Licensor shall take reasonable measures to ensure the deidentified Personal Data cannot be associated with a consumer or household and shall not attempt to reidentify the deidentified Personal Data.
  • Licensor shall promptly notify Licensee if Licensor determines that it can no longer meet its obligations under this DPA or the CCPA. Licensee shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by Licensor.
  • Licensor certifies it understands the obligations and restrictions above and will comply with them.