Data Processing Agreement

Last Updated: Jul 1, 2025

This Data Processing Agreement ("DPA") is entered into by and between the Customer (the “Controller”) and Herd Security, Inc., a B2B SaaS company (the “Processor”), effective as of the date of mutual execution (the “Effective Date”).

This DPA forms part of the underlying agreement between the parties concerning the use of Herd Security’s services (the “Agreement”).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Herd Security on behalf of the Customer.

  • "Processing" means any operation performed on Personal Data, whether by automated means or not.

  • "Subprocessor" means any third party engaged by Herd Security to process Personal Data on behalf of the Customer.

2. Roles of the Parties

  • Customer is the Data Controller.

  • Herd Security acts as the Data Processor.

  • Herd Security processes Personal Data solely on behalf of the Customer and in accordance with Customer’s instructions.

3. Purpose of Processing

Herd Security processes Personal Data for the following purposes:

  • Identifying AI-enabled social engineering threats

  • Monitoring employee behavior within workplace communication platforms

  • Generating and delivering personalized security training via integrations (Slack, Microsoft Teams, Discord)

4. Categories of Personal Data

Herd Security may process the following categories of data:

  • Names

  • Email addresses

  • Metadata of workplace messages (timestamps, frequency, platform identifiers), but not full message content

  • Behavioral indicators (e.g., response patterns, user actions)

  • Platform usage activity

Special categories of data (sensitive data) are not required for the services and are not intentionally collected.

5. Subprocessors

The following Subprocessors are engaged by Herd Security:

  • Amazon Web Services (AWS) – Hosting and infrastructure

  • OpenAI – AI analysis and language generation

  • Segment (by Twilio) – Product analytics

  • Slack, Microsoft Teams, Discord – Integrated communication platforms

Herd Security shall notify Customer in advance of any intended changes concerning the addition or replacement of Subprocessors and allow the Customer to object on reasonable grounds.

6. Data Location

All Personal Data is stored and processed in data centers located in the United States.

7. Security Measures

Herd Security implements the following technical and organizational security measures:

  • Encryption of data in transit and at rest

  • Strong access controls and least privilege policies

  • Annual policy review

8. Rights of the Data Subject and Customer

Herd Security will, where applicable and without undue delay:

  • Assist Customer in fulfilling requests from data subjects (access, correction, deletion, restriction)

  • Support Customer’s compliance with data protection obligations under GDPR and CCPA

  • Enable audits or provide evidence of compliance upon request

9. Data Retention and Return

  • Herd Security retains Personal Data only for the duration necessary to provide services or as required by law.

  • Upon termination of the Agreement or at the request of the Customer, Herd Security shall delete or return all Personal Data within 30 days, unless retention is legally required.
10. Breach Notification

Herd Security will notify the Customer within 48 hours of becoming aware of a Personal Data Breach, providing:

  • Nature of the breach

  • Likely consequences

  • Mitigation measures taken

  • Contact point for follow-up
11. Use of AI

  • Customer data is not used to train any foundational or third-party AI models.

  • AI is strictly used for inference purposes, i.e., detecting social engineering risk and tailoring training.

  • All prompts and outputs remain within the scope of the Customer’s environment and data boundaries.
12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set forth in the Agreement. The Processor shall indemnify the Controller for direct damages arising from breaches of this DPA caused by the Processor’s negligence or willful misconduct.

13. Miscellaneous

  • This DPA is governed by the laws and jurisdiction specified in the main Agreement.

  • In case of conflict between the DPA and the Agreement, this DPA shall prevail in matters of data protection.

  • The DPA remains in effect as long as the Processor processes Personal Data on behalf of the Controller.