A. This Data Processing Addendum ("DPA") forms part of the terms and conditions of supply entered into between the customer ordering or downloading the software ("Licensee") and PortSwigger
Ltd ("Licensor") (the "Principal Agreement"), where Licensor is acting as a data processor (or sub-processor, as applicable) including the following:
https://portswigger.net/burp/eula/enterprise if using the Burp Suite Enterprise Edition in a Licensor-hosted software-as-a-service capacity or if using
the Burp Collaborator feature whilst using the public server.
For the purposes of this DPA, Licensor and Licensee shall each be a Party and together be the Parties.
B. Licensee is the data controller (or processor, as applicable) and Licensor is the data processor (or sub-processor, as applicable) in respect of any Licensee Personal Data processed under the Principal Agreement and each
Party shall comply with the requirements of the Data Protection Laws in respect of its respective activities under the Principal Agreement. The Parties acknowledge that to the extent any Licensee Personal Data is processed
for Licensor's internal analytics, support or troubleshooting purposes, the Licensor shall act as a data controller and such processing shall be in accordance with its privacy notice accessible
here: https://portswigger.net/privacy.
C. The Licensee confirms that it has complied, and will continue to comply, with its obligations under the Data Protection Laws in obtaining and processing Licensee Personal Data, including but not limited to complying with (i)
requirements to obtain the Licensee Personal Data fairly and lawfully, so as to enable Licensor to perform its obligations under the Principal Agreement; and (ii) data minimization requirements. In respect of paragraph C(ii),
this includes Licensee using commercially reasonable efforts to minimize any transfer of Licensee Personal Data to Licensor (such efforts shall include, but not be limited to, removing, anonymizing and/or pseudonymizing Licensee
Personal Data in files submitted to Licensor, in each case to the extent such removal, anonymization and/or pseudonymization is reasonably practicable under the circumstances).
D. Licensor is authorized to process Licensee Personal Data to perform its obligations under the Principal Agreement and shall:
a) only process Licensee Personal Data on the documented instructions of Licensee and to the extent required for the purposes of performing its obligations under the License Agreement unless otherwise required to process
Licensee Personal Data under applicable laws;
b) ensure that personnel required to access the Licensee Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) put in place and maintain appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Licensee Personal Data;
d) be generally authorized to engage a third party Processor ("Sub-Processor"). Any new Sub-Processors shall be communicated to Licensee by any reasonable means, including by the use of e-mail so that
they can exercise their right to object (acting reasonably). Licensor shall include terms in its agreements with Sub-Processors that provide for, in substance, the same data protection obligations as those binding on
Licensor under this DPA. Licensor shall remain responsible for its Sub-Processor's compliance with the obligations of this DPA and, to the extent the appointment of a Sub-Processor results in a Restricted Transfer, shall
comply with paragraph (k);
e) to the extent that the Licensee Personal Data is not accessible to the Licensee through the software, and taking into account the nature of the processing, assist the Licensee by implementing appropriate technical and
organizational measures, insofar as this is possible, for fulfilment of Licensee's obligations to respond to data subject requests as laid down in the Data Protection Laws including promptly notifying Licensee if the
Licensor receives any such data subject communications;
f) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, implement technical and organizational measures, at a minimum to a standard that ensures
a level of security appropriate to the risk presented by processing Licensee Personal Data;
g) taking into account the nature of the processing and the information available to the Licensor, provide reasonable assistance to Licensee in support of Licensee's obligations to implement appropriate technical and
organizational security measures; investigate, and provide notice of, security incidents and personal data breaches; and conduct risk and data protection impact assessments under Articles 32 to 36 of the UK GDPR (and
equivalent provisions of the Data Protection Laws);
h) cease Processing of the Licensee Personal Data upon termination of the Principal Agreement and at Licensee's option, either return or delete all copies of the Licensee Personal Data Processed by Licensor unless Data
Protection Laws require otherwise;
i) make available to Licensee on request the information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and on reasonable request by the Licensee, share any independent audit
reports and certifications (which shall be kept confidential at all times) with Licensee to verify the Licensor's compliance with Data Protection Laws. Where such audit information does not satisfy the requirements of
Data Protection Laws or Licensee's regulator, then Licensee may (on prior written notice, no more than once every 12 months, subject to any mandatory audits performed by a regulator) conduct a reasonable audit during
Licensor's business hours for the purposes of demonstrating their compliance with Data Protection Laws. Such audit shall: (i) have a scope limited to processes and systems relevant to the Licensee Personal Data; (ii) be
of a reasonable duration as agreed in advance with Licensor; and (iii) commence on a mutually agreeable date. Licensee shall take all steps to minimize any disruption to Licensor's business operations and shall comply with
any reasonable confidentiality and security requirements of Licensor. All audit information and access to Licensor's premises provided in accordance with this paragraph (i) shall be at Licensee's sole cost and expense;
j) notify the Licensee if it considers that an instruction from the Licensee is in breach of Data Protection Laws, unless such laws prevent notification for reasons of public interest; and
k) be entitled to conduct a Restricted Transfer of Licensee Personal Data provided that an appropriate Data Transfer Safeguard is put in place, a copy of which the Licensee may reasonably request in order to satisfy their
obligations as data controller (provided that the Licensee is entitled to make redactions as required in the interests of confidentiality and that, once shared, any documentation regarding the Data Transfer Safeguards
will be treated as the Licensor's confidential information).
E. To the extent required by applicable Data Protection Law where the processing is subject to the CCPA, Licensor agrees to comply with Annex 4.
F. In the event of any conflict or inconsistency in the agreements between the Parties, the order of priority shall be as follows: (1) any Data Transfer Safeguard; (2) this DPA; and (3) the Principal Agreement. Unless specifically
modified and amended in this DPA, the Principal Agreement shall remain in full force and effect and govern this DPA.
G. Licensor reserves the right to charge Licensee in respect of any further requests for cooperation or assistance which go beyond the commitments made in this DPA.
H. If any variation is required to this DPA as a result of a change in Data Protection Laws, and the Licensor assesses that such variation shall not have a material adverse impact on the Licensee, Licensor may inform Licensee of
that change in law in accordance with the EULA. Such variation shall take effect following reasonable notice unless any objections are received from Licensee.
Annex 1: Defined terms
All capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement, otherwise:
CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any implementing regulations thereof.
EU Data Protection Laws means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and laws implementing or supplementing the GDPR as amended, replaced or
superseded from time to time.
EU SCCs means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR approved by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021; as amended
or replaced from time to time by a competent authority.
Licensee Personal Data means personal data processed by Licensor on behalf of the Licensee for the purposes of supplying the services pursuant to the Principal Agreement and as further described in Annex 2.
Data Protection Laws means the UK Data Protection Laws, the EU Data Protection Laws, the CCPA and any other applicable data protection laws of any other region, country, province, or state in relation to Licensee
Personal Data in respect of which the Licensor is a data processor (or equivalent) under any other Data Protection Laws.
Data Transfer Safeguard means a mechanism approved and/or permitted under Data Protection Laws for data transfers ensuring that Licensee Personal Data receives adequate protection, including the EU SCCs and the
UK Addendum.
Restricted Transfer means a transfer of personal data (or an onward transfer), where such transfer would be prohibited by Data Protection Laws (or by the terms of any data transfer agreements put in place to address
the data transfer restrictions of Data Protection Laws) in the absence of appropriate Data Transfer Safeguard(s).
UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
UK Data Protection Laws means the Data Protection Act 2018, the "UK GDPR" as defined in section 3(10) of the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications
(Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the UK.
The terms controller, processor, data subject, personal data, sell, share, and processing and substantively
equivalent terms shall have the meanings given in the Data Protection Laws.
Annex 2: Data processing activities
Subject Matter and Duration
Licensee Personal Data may be processed to allow Licensor to provide the services under the Principal Agreement (depending on how the Licensee chooses to deploy the service). The processing shall take place for the duration of the
Principal Agreement, unless otherwise directed by Licensee.
Nature and Purpose
Data processing required for provision of the services under the Principal Agreement.
Categories of Data Subjects
The data subjects could include Licensee's customers, employees and suppliers.
Types of Personal Data
Licensee Personal Data processed during the testing process performed by the software, as operated by Licensee.
The Licensor does not intentionally collect or process any special categories of data. However, the Licensee could submit special categories of personal data through its use of the software.
Frequency of the transfer (as applicable)
On a continuous basis as required by the Principal Agreement.
Authorized Sub-Processors
Entity: Amazon Web Services
Details of Processing: Hosting Provider
Location of Processing: Ireland
Data Transfer Safeguards (where applicable): EU / UK Adequacy
Annex 3: Security measures
Here is a description of the technical and organizational measures the Licensor implements to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks
for the rights and freedoms of natural persons.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
PortSwigger uses vulnerability assessment, patch management, threat protection technologies, and continuous monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses,
and other malicious code.
Measures for the protection of data during transmission
Data is encrypted in transit.
Measures for the protection of data during storage
Data is encrypted within the product(s) by AWS.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Business resiliency/continuity and disaster recovery procedures are in place, as appropriate, and are designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
PortSwigger uses multiple types of automated vulnerability scans and assessments which are run at various frequencies.
Measures for user identification and authorization
PortSwigger uses logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., use of unique IDs and passwords for all users, periodic review and
revoking/changing access promptly when employment terminates).
Measures for ensuring events logging
PortSwigger has system audit and event logging and related monitoring procedures in place to record user access and system activity. Automated analytics are used to generate alerts for suspicious or potentially malicious activity.
Measures for ensuring system configuration, including default configuration
PortSwigger uses configuration management tools to deploy and enforce baseline configurations on our systems.
Measures for certification/assurance of processes and products
PortSwigger regularly reviews its processes on an annual or as-needed basis. Additionally, PortSwigger is certified under Cyber Essentials Plus and undergoes an audit annually to ensure the effectiveness of controls relevant to
security. PortSwigger uses AWS for data hosting; AWS holds numerous security certifications, including ISO 27001 and SOC 2.
Measures for ensuring data minimization
PortSwigger has data protection policies which build in data minimization and cover the ways in which personal data may be used, transferred, stored, and deleted.
Measures for ensuring limited data retention
Data retention policies are in place which comply with applicable laws and are reviewed regularly by information security and applicable stakeholders.
Measures for allowing data portability and ensuring erasure
Data subject request processes are in place to handle erasure and data portability requests. Customers may contact hello@portswigger.net to make requests.
Measures for ensuring any data processor implements appropriate technical and organizational controls
PortSwigger regularly reviews and assesses all data processors through a Vendor Risk Assessment on an annual or as-needed basis.
Annex 4: CCPA
Licensor is processing Personal Data subject to the CCPA for, or on behalf of, Licensee, or Licensee has made available Licensee Personal Data to Licensor, for the business or commercial purpose(s) identified in the Principal
Agreement.
Licensor shall not sell, share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Licensee Personal Data that Licensor receives from, or on behalf of, Licensee to any third party for
monetary or other valuable consideration.
Licensor shall not retain, use, or disclose Licensee Personal Data that Licensor receives from, or on behalf of, Licensee: (i) for any purpose (including, but not limited to, any commercial purpose) other than business
purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Licensee and Licensor.
Licensor may combine Licensee Personal Data that it receives from, or on behalf of, Licensee with Personal Data that Licensor receives from, or on behalf of, another person, or collects from its own interaction with an
individual, unless the combining of that Personal Data (1) would not be consistent with an individual's expectations, or (2) is prohibited by the CCPA. For the avoidance of doubt, any restrictions on Licensor's ability to
combine Personal Data do not apply to Personal Data obtained by Licensor prior to its engagement with Licensee. For purposes of this DPA, "combine" means to aggregate Personal Data about an individual into a single
profile.
If Licensee discloses deidentified Personal Data to Licensor, or Licensor deidentifies Personal Data previously disclosed by Licensee, Licensor shall take reasonable measures to ensure the deidentified Personal Data cannot be
associated with a consumer or household and shall not attempt to reidentify the deidentified Personal Data.
Licensor shall promptly notify Licensee if Licensor determines that it can no longer meet its obligations under this DPA or the CCPA. Licensee shall have the right, upon notice, to take reasonable and appropriate steps to
stop and remediate unauthorized use of Personal Data by Licensor.
Licensor certifies it understands the obligations and restrictions above and will comply with them.