Data Processing Agreement
Effective 26 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Glassbreak ("Processor") and the customer identified in the executed order form, subscription, or written counter-signature ("Controller") (each a "Party", together the "Parties"). It governs the Processor's processing of Personal Data on behalf of the Controller in connection with the Glassbreak Service (the "Service").
This DPA applies to the extent that the GDPR, the UK GDPR, the Swiss FADP, or another applicable data protection law requires a controller-processor agreement. To execute it, counter-sign and return it to legal@glassbreak.io; Glassbreak will counter-sign and return a fully executed copy. Where no separate signature is exchanged, this DPA is incorporated by reference into the Terms and Conditions and takes effect on first use of the Service.
1. Definitions
Capitalised terms not defined here have the meanings given in the GDPR or, where relevant, the UK GDPR, Swiss FADP, or other applicable law. In particular:
- Customer Data — Personal Data the Controller submits to the Service, including the encrypted secret, contact, and message content the Processor cannot decrypt.
- Sub-processor — a third party engaged by the Processor that processes Personal Data on the Processor's behalf, as listed at /legal/sub-processors.
- SCCs — the European Commission's Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, Module 2 (controller to processor).
- UK IDTA — the UK International Data Transfer Addendum to the SCCs.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
2. Roles of the Parties
The Controller acts as "controller" and the Processor as "processor" within the meaning of GDPR Art. 4(7) and 4(8) in respect of the Customer Data described below. Where CCPA / CPRA applies, the Processor acts as "service provider" to the Controller as "business". The Processor will not (a) sell or share Customer Data, (b) retain, use, or disclose Customer Data outside the direct business relationship between the Parties, or (c) combine Customer Data with personal information from other sources, except as permitted by CCPA / CPRA § 1798.140(ag).
3. Subject Matter, Duration, Nature, and Purpose of Processing
- Subject matter: the Processor's provision of the Service to the Controller pursuant to the Terms and Conditions.
- Duration: for as long as the Controller has an active subscription, plus the retention period set out in section 11 of this DPA.
- Nature and purpose: storage, transmission, and routing of encrypted secrets, contact information, and emergency-response messages; authentication and access control; audit logging; service operation and security monitoring.
- Categories of data subjects: the Controller's personnel, contractors, and any other natural persons whose Personal Data the Controller chooses to enter into the Service (typically: account holders, team members, contacts, approvers).
- Categories of Personal Data: name, email address, account credentials (hashed), MFA artefacts (TOTP secrets, WebAuthn public keys, recovery code hashes), organisation/team metadata, IP addresses and user-agent strings in audit logs, and the encrypted ciphertext of any secret, contact, or message content the Controller submits. The plaintext of the encrypted content is not processed by the Processor: the Processor does not hold the decryption keys.
- Special categories: the Controller is responsible for the content it submits. The Service is not designed for the processing of special-category data under GDPR Art. 9 and the Processor does not knowingly process it.
4. Processor's Obligations
The Processor shall:
- process Customer Data only on the Controller's documented instructions, as set out in this DPA and the Terms, except where required by Union, Member State, UK, Swiss, or other applicable law (in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest);
- ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
- implement and maintain the technical and organisational security measures described in section 8 and the /technology/encryption page;
- respect the conditions for engaging Sub-processors set out in section 6;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR;
- assist the Controller in ensuring compliance with GDPR Art. 32 to 36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to the Processor;
- at the choice of the Controller, delete or return all Customer Data after the end of the provision of services relating to processing, and delete existing copies unless Union, Member State, UK, Swiss, or other applicable law requires storage of the Personal Data;
- make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits, including inspections, in accordance with section 9 of this DPA.
5. Controller's Obligations
The Controller represents and warrants that:
- it has a valid lawful basis for the processing of Customer Data and for entering it into the Service;
- it has provided all required notices and obtained all required consents from data subjects, where applicable;
- its instructions to the Processor comply with applicable data protection law;
- it will not submit special-category data, criminal-conviction data, or children's data to the Service except as expressly contemplated by the Service's features and permitted under the Terms.
6. Sub-processors
The Controller grants general authorisation for the Processor to engage Sub-processors, provided the Processor:
- maintains an up-to-date list of Sub-processors at /legal/sub-processors;
- gives the Controller at least 30 days' advance notice by email before adding a new Sub-processor or materially changing the role of an existing Sub-processor;
- imposes on each Sub-processor data-protection obligations no less protective than those set out in this DPA, by way of a written contract;
- remains fully liable to the Controller for the performance of the Sub-processor's obligations.
The Controller may object on reasonable grounds during the notice period. If the Parties cannot resolve the objection, the Controller may, as its sole remedy, terminate the affected Service component for the remaining contract term.
7. International Transfers
Where the Processor transfers Customer Data outside the EEA, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the following safeguards apply:
- EU SCCs. The Parties agree that the SCCs (Module 2) are incorporated by reference into this DPA, with the Controller as "data exporter" and the Processor as "data importer". The optional docking clause (Clause 7) is incorporated. The Parties select Option 2 of Clause 9(a) (general written authorisation of Sub-processors, with the notice period in section 6). The supervisory authority in Clause 13 is the lead supervisory authority of the Controller. The law in Clause 17 is the law of Ireland; the forum in Clause 18 is the courts of Ireland. Annexes I, II, and III to the SCCs are set out in section 12 of this DPA.
- UK IDTA. For transfers subject to UK GDPR, the UK IDTA is incorporated by reference, applied to the SCCs above. Table 1 of the IDTA is populated from the executed order form; Table 2 selects the SCCs as above; Tables 3 and 4 are populated by reference to section 12.
- Swiss FADP addendum. For transfers originating in Switzerland, the Parties agree the Swiss-FADP-specific modifications to the SCCs (substituting the FDPIC as supervisory authority and references to GDPR with references to the FADP).
8. Security
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by GDPR Art. 32. The current measures include, without limitation:
- Encryption. All Customer secret, contact, and message content is encrypted on the data subject's device using AES-256-GCM before transmission. Keys are derived from passphrases via scrypt (N=2⁷⁶) and from team quorum via Shamir's Secret Sharing over GF(2⁸). The Processor does not hold a decryption key.
- Transport security. TLS 1.2+ end-to-end. HSTS enforced.
- Authentication. Argon2id password hashing (t=4, m=128 MB, p=2), TOTP / WebAuthn / FIDO2 / recovery codes for MFA, refresh-token rotation with peppered SHA-256 hashes.
- Isolation. Multi-cloud verticals (AWS Lambda + Neon Postgres in Frankfurt, Scaleway Functions + Scaleway Serverless SQL in Paris) with no shared database or control plane.
- Access control. Role-based access on a least-privilege basis. Personnel access to production systems is logged and reviewed.
- Auditing. Per-secret immutable audit log with tamper-evident records.
- Vulnerability management. Dependabot monitoring, scheduled dependency updates, coordinated-disclosure programme at security@glassbreak.io.
Detailed technical disclosure is published at /technology/encryption and /technology/distributed. The Processor may update the specific controls from time to time provided the overall level of security is not diminished.
9. Audits
The Processor will, on reasonable written notice (at least 30 days, except where required sooner by a supervisory authority), make available to the Controller information necessary to demonstrate compliance with this DPA, including:
- the most recent independent assessment report (if any);
- responses to a reasonable security questionnaire (no more than once per year, except after a Personal Data Breach);
- where the foregoing is insufficient and the Controller can demonstrate a specific compliance concern, an on-site audit at the Controller's expense, during normal business hours, subject to reasonable confidentiality undertakings and conducted in a manner that does not unreasonably disrupt the Service.
The Controller will reimburse the Processor for reasonable costs of audit cooperation beyond the first eight hours per year.
10. Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing (where available):
- a description of the nature of the breach, the categories and approximate number of data subjects affected, and the categories and approximate number of records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and to mitigate its possible adverse effects;
- the name and contact details of the Processor's contact point.
Where it is not possible to provide the information at the same time, it may be provided in phases without further undue delay.
11. Return or Deletion of Data
On termination or expiry of the agreement, and at the choice of the Controller (expressed in writing within 30 days of termination), the Processor will:
- return all Customer Data to the Controller in a structured, commonly used, machine-readable format; or
- delete all Customer Data (and ensure that Sub-processors delete it),
except to the extent that Union, Member State, UK, Swiss, or other applicable law requires storage of the Personal Data. Audit logs, billing records, and security-relevant metadata may be retained for the period required by applicable law (typically 7 years for billing records; 12 months for security telemetry). Encrypted ciphertext for which the Processor does not hold the decryption key may be deleted on the Processor's own retention schedule without affecting the rights described above.
12. SCC Annexes
The Annexes to the SCCs (incorporated by reference under section 7) are populated as follows:
- Annex I.A (parties). Data exporter: the Controller, as identified in the executed agreement. Data importer: Glassbreak, address available on request to legal@glassbreak.io.
- Annex I.B (description of transfer). Categories of data subjects, categories of Personal Data, frequency, nature and purpose, retention, and any transfers to further Sub-processors are as set out in sections 3 and 6 of this DPA and on the sub-processor list.
- Annex I.C (competent supervisory authority). The lead supervisory authority of the Controller.
- Annex II (security measures). The measures set out in section 8 of this DPA and at /technology/encryption and /technology/distributed.
- Annex III (Sub-processors). The list at /legal/sub-processors, as updated from time to time in accordance with section 6.
13. General
In the event of any conflict between this DPA and the Terms and Conditions, this DPA prevails on data-protection matters. In the event of any conflict between this DPA and the SCCs, UK IDTA, or Swiss FADP addendum incorporated under section 7, the SCCs / IDTA / addendum prevails. The Parties agree that the limitations of liability set out in the Terms apply to claims arising under this DPA (including the SCCs), to the maximum extent permitted by applicable law, save that no limitation applies to liability that cannot be limited under applicable data protection law.
To execute this DPA, please email legal@glassbreak.io with your organisation's name, billing entity, jurisdiction, and signing contact. A counter-signed copy will be returned. This document is provided for transparency and does not constitute legal advice.