Data Processing Agreement

Effective date: July 9, 2026

1. Overview

This Data Processing Agreement (“DPA”) describes how KollGuard protects personal data it processes on a customer’s behalf, and applies to any customer, in any industry, whose use of the Service involves KollGuard processing personal data. Under this DPA, the customer is the Controller (a “Business” under U.S. state law) and Kollitech Corp (d/b/a KollGuard) is the Processor (a “Service Provider”).

The DPA forms part of your agreement with KollGuard; the executed counterpart provided during contracting governs, and this page is provided for reference. Health information subject to HIPAA is addressed separately by our Business Associate Agreement.

Data-minimization by design. The Service assesses the security and compliance posture of your systems and does not require personal data to function. KollGuard processes personal data only as necessary to provide the Services, storing findings and metadata in preference to raw personal data.

2. Roles, scope, and instructions

As between the parties, the customer is the Controller and KollGuard is the Processor of the personal data KollGuard processes under the agreement (described in Annex 1 of the executed DPA). KollGuard processes personal data only on the customer’s documented instructions — as set out in the agreement, this DPA, and as the customer configures through the Service — including as to international transfers, and will inform the customer if an instruction appears to infringe data protection law.

3. KollGuard’s obligations as Processor

  • Process personal data only on documented instructions.
  • Ensure personnel authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see “Security”).
  • Engage sub-processors only under the conditions below, and remain liable for them.
  • Assist the customer, taking into account the nature of processing, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection).
  • Assist the customer with security, breach notification, data protection impact assessments, and prior consultations.
  • Notify the customer of a personal-data breach without undue delay after becoming aware.
  • Delete or return personal data at the customer’s choice at the end of the Services.
  • Make available information necessary to demonstrate compliance, and allow for audits.

4. Sub-processors

The customer authorizes KollGuard to engage the sub-processors listed at kollguard.com/sub-processors. KollGuard provides advance notice of new or replacement sub-processors and a right to object on reasonable data-protection grounds, imposes data-protection terms no less protective than this DPA on each sub-processor, and remains responsible for their performance.

5. International transfers

Where KollGuard processes personal data originating in the EEA, UK, or Switzerland in a country without an adequacy decision, the European Commission’s Standard Contractual Clauses (2021/914) apply, together with the UK International Data Transfer Addendum for UK transfers and the Swiss amendments for Swiss transfers, with KollGuard as data importer and the customer as data exporter.

6. U.S. state privacy laws (Service Provider terms)

For the CCPA/CPRA and comparable U.S. state laws, KollGuard is a Service Provider that processes personal information solely to perform the Services. KollGuard will not:

  • sell or share personal information;
  • retain, use, or disclose personal information for any purpose other than performing the Services or as permitted by law; or
  • combine personal information with data from other sources except as permitted.

7. Security

KollGuard’s technical and organizational measures include:

  • TLS 1.2+ in transit and AES-256 at rest; connection credentials stored in an encrypted secrets vault, never exposed to the browser.
  • Least-privilege, read-only scanning; role-based access, SSO/SAML, SCIM, and MFA; tenant isolation via row-level security.
  • Egress and SSRF controls; tamper-evident, hash-chained audit logging; secure SDLC with dependency and secret scanning; monitoring and documented incident response.
  • Data-minimization: findings and metadata retained in preference to raw personal data; configurable retention; return/deletion on termination.

See our security overview for details.

8. Return, deletion, and audit

On termination, KollGuard deletes or returns personal data at the customer’s choice, except where retention is required by law or contained in routine backups pending secure deletion. KollGuard makes available information necessary to demonstrate compliance and supports audits, and may satisfy audit requests with its then-current third-party certifications and reports (e.g., SOC 2).

9. Requesting a DPA

To execute a DPA for your organization, contact info@kollitech.com or your account contact. See also our sub-processors and privacy policy.