SBOMVault.ai

Data Processing Agreement

Last updated: June 19, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SBOMVault, Inc. (“SBOMVault,” “we,” “us”) and the customer (“Customer,” “you”) and governs the processing of personal data that SBOMVault performs on your behalf in providing the SBOMVault.ai service (the “Service”). Where you are subject to the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), or comparable data protection laws, this DPA reflects the parties’ agreement with respect to such processing.

1. Roles of the Parties

For personal data you submit to the Service, you act as the controller (or business) and SBOMVault acts as the processor (or service provider) processing that personal data only on your documented instructions. Your use of the Service, this DPA, and your other written instructions constitute those instructions. SBOMVault does not sell or share personal data and does not process it for any purpose other than providing the Service.

2. Details of Processing

  • Subject matter: provision of the SBOMVault.ai SBOM-management and supply-chain security platform.
  • Duration: for the term of your subscription, plus the deletion period in Section 9.
  • Nature and purpose: hosting, storage, analysis, and processing of software bills of materials and related account data to deliver the Service.
  • Types of personal data: account holder name and email, organization details, billing contact information, and any personal data you choose to include in uploaded content.
  • Categories of data subjects: your authorized users, administrators, and billing contacts.

3. Processor Obligations

SBOMVault will: (a) process personal data only on your documented instructions, including with regard to international transfers, unless required by law (in which case we will inform you unless legally prohibited); (b) ensure that personnel authorized to process personal data are bound by confidentiality; (c) implement the technical and organizational security measures in Section 4; and (d) promptly inform you if, in our opinion, an instruction infringes applicable data protection law.

4. Security Measures

SBOMVault maintains appropriate technical and organizational measures designed to protect personal data, including: encryption of data in transit and at rest; isolation of uploaded SBOM file contents in dedicated object storage accessed only via short-lived tokens; tenant isolation and role-based access controls; a tamper-evident audit log; least-privilege access for personnel; and regular security testing. A summary of our security program is available on our Security page.

5. Subprocessors

You authorize SBOMVault to engage subprocessors to process personal data in connection with the Service. Our current subprocessors are listed at sbomvault.ai/subprocessors. We impose data protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for each subprocessor’s performance. We will provide notice before adding or replacing a subprocessor (per Section 5 of the subprocessor page); you may object on reasonable data protection grounds, and if we cannot reasonably accommodate the objection you may terminate the affected subscription.

6. Assistance to the Controller

Taking into account the nature of the processing, SBOMVault will provide reasonable assistance to help you: (a) respond to data subject requests to exercise rights of access, correction, deletion, restriction, portability, or objection; and (b) meet your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities. The Service provides self-service tools to access, export, and delete data; where a request cannot be fulfilled through those tools, contact privacy@sbomvault.ai.

7. Personal Data Breach Notification

SBOMVault will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and will provide information reasonably necessary for you to meet your own breach-notification obligations, together with the steps we are taking to mitigate and remediate.

8. International Transfers

SBOMVault processes personal data in the United States. Where personal data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to a country without an adequacy decision, such transfers are made under an appropriate transfer mechanism, including the European Commission’s Standard Contractual Clauses (and the UK Addendum / Swiss amendments where applicable), which are incorporated into this DPA by reference and which the parties agree to execute on request.

9. Return and Deletion of Data

Upon termination or expiry of your subscription, and on your request, SBOMVault will delete or return your personal data and delete existing copies within thirty (30) days, except to the extent retention is required by applicable law. The Service also lets you export and delete data at any time during the term.

10. Audits

SBOMVault will make available information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports or security certifications where available, and will allow for and contribute to audits conducted by you or an auditor you mandate, subject to reasonable confidentiality, scheduling, and frequency safeguards.

11. General

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data. Except as amended by this DPA, the Terms of Service remain in full force. This DPA is governed by the law specified in the Terms of Service.

12. Requesting a Signed Copy

This DPA applies to your use of the Service without the need for signature. If your organization requires a counter-signed copy, or needs its own DPA/SCC paperwork reviewed, contact privacy@sbomvault.ai and we will accommodate reasonable requests.