Wirespeed Data Protection Addendum
Last updated: May 21, 2025
This Data Protection Addendum, including all appendices (“DPA”) forms a part of the Wirespeed Master Subscription Agreement (“Agreement”) between Wirespeed and the Customer. The Parties agree that this DPA sets forth their obligations with respect to the processing and security of Customer Data in connection with Customer’s use of the Solutions.
This DPA applies only to the processing of Customer Data in environments controlled by Wirespeed (including Wirespeed Subprocessors), which includes Customer Data sent to Wirespeed by the Solutions but does not include data that remains on Customer’s premises or in any Customer-selected third-party operating environments. This DPA will be effective on the Effective Date of the Agreement and will replace any terms previously applicable to the processing and security of Customer Data. Capitalized terms used but not defined in this DPA have the meaning given to them in the Agreement.
2.1. “Applicable Data Protection Law” means, as applicable to the processing of Customer Data (including any personal data contained therein), any national, federal, European Union, state, provincial, or other privacy, data protection, or data security law or regulation.
2.2. “Customer Data”, if not defined in the Agreement, means data ingested from Customer endpoints, or otherwise provided, by or on behalf of Customer to Wirespeed via Customer’s use of the Solutions, excluding System Data.
2.3. “Customer Personal Data” means the personal data contained within the Customer Data, including any special categories of personal data or sensitive data defined under Applicable Privacy Law.
2.4. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2.5. “Security Breach” means a breach of Wirespeed’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
2.6. “Subprocessor” means a third party authorized as another processor under this DPA to process Customer Data in order to provide the Solutions.
2.7. The terms “personal data”, “data subject”, “controller”, and “processor” as used in this DPA have the meanings given by Applicable Data Protection Law or, absent any such meaning or law, by the EU GDPR.
2.8. The terms “personal data”, “data subject”, “controller”, and “processor” include “personal information”, “consumer”, “business”, and “service provider”, respectively, as required by Applicable Data Protection Law.
Wirespeed is a processor and Customer is a controller or processor, as applicable, of Customer Data.
Each Party will comply with its obligations related to the processing of Customer Data under Applicable Data Protection Law.
To the extent the processing of Customer Data is subject to an Applicable Data Protection Law described in Appendix 3 (Jurisdiction-Specific Data Protection Laws), the corresponding terms in Appendix 3 shall also apply. In the event of a conflict between the general terms of this DPA and Appendix 3, Appendix 3 will prevail.
The subject matter and details of the processing of Customer Data are described in Appendix 1 (Details of Processing of Customer Data).
Wirespeed shall: (a) not process Customer Data other than to provide the Solutions in accordance with this Agreement (including as set forth in this DPA and as described in Appendix 1 to this DPA) and applicable law (the “Permitted Purpose”); and (b) immediately notify Customer if, in Wirespeed’s opinion, Applicable Data Protection Law prohibits Wirespeed from complying with the Permitted Purpose or Wirespeed is otherwise unable to comply with the Permitted Purpose.
Customer hereby: (a) instructs Wirespeed to process Customer Data for the Permitted Purpose; (b) warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out herein on behalf of each relevant controller of Customer Data; and (c) warrants and represents that the relevant controller of Customer Data has provided all notices and obtained all consents required by Applicable Data Protection Law to provide Customer Data to Wirespeed under the Agreement.
Wirespeed will implement and maintain the technical and organizational measures set forth in Appendix 2 (Security Measures) (the “Security Measures”). Wirespeed may update the Security Measures from time to time provided that such updates do not result in a reduction of the security of the Solutions or Wirespeed’s obligations under the Agreement.
Without prejudice to Wirespeed’s obligations under Section 5.1 (Security Measures) and elsewhere in the Agreement, Customer is responsible for its use of the Solutions, including: (a) using the Solutions to ensure a level of security appropriate to the risk to Customer Data; (b) securing the authentication credentials, systems, and devices Customer uses to access the Solutions; and (c) backing up its Customer Data as appropriate.
Customer agrees that the Solutions and Security Measures implemented and maintained by Wirespeed provide a level of security appropriate to the risk to Customer Data.
Wirespeed shall ensure that its personnel engaged in the processing of Customer Data (a) will process such data only on instructions from Customer or as described in this DPA, and (b) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. Wirespeed shall provide periodic and mandatory data privacy and security training and awareness to its employees in accordance with Applicable Data Protection Law and industry standards.
Wirespeed shall notify Customer promptly and in any event within 48 hours upon becoming aware of a Security Breach, and promptly take reasonable steps to minimize harm and secure Customer Data.
Wirespeed’s notification of a Security Breach will describe: (a) the nature of the Security Breach including the Customer resources impacted; (b) the measures Wirespeed has taken, or plans to take, to address the Security Breach and mitigate its potential risk; (c) the measures, if any, Wirespeed recommends that Customer take to address the Security Breach; and (d) the details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Wirespeed’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
Wirespeed’s notification of or response to a Security Breach under this Section will not be construed as an acknowledgement by Wirespeed of any fault or liability with respect to the Security Breach.
Customer specifically authorizes Wirespeed to engage as Subprocessors those entities listed as of the effective date of this DPA at the URL specified in Section 6.2 (Subprocessor Details). In addition, and without prejudice to Section 6.3 (Engagement of New Subprocessors), Customer generally authorizes the engagement as Subprocessors of any other third parties (each a “New Subprocessor”).
Information about Subprocessors, including their functions and locations, is available in Appendix 3 (and may be updated by Wirespeed from time to time in accordance with this DPA).
When any New Subprocessor is engaged while this DPA is in effect, Wirespeed shall provide Customer at least thirty days’ prior written notice of the engagement of any New Subprocessor, including details of the processing to be undertaken by the New Subprocessor. If, within thirty days of receipt of that notice, Customer notifies Wirespeed in writing of any objections to the proposed appointment, and further provides commercially reasonable justifications to such objections based on that New Subprocessor’s inability to adequately safeguard Customer Data, then: (a) Wirespeed shall work with Customer in good faith to address Customer’s objections regarding the New Subprocessor; and (b) where Customer’s concerns cannot be resolved within thirty days from Wirespeed’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may, by providing Wirespeed with a written notice with immediate effect, terminate the Purchase Order(s) with respect to only those aspects which cannot be provided by Wirespeed without the use of the New Subprocessor.
With respect to each Subprocessor, Wirespeed shall: (a) before the Subprocessor first processes Customer Data, carry out adequate due diligence to ensure that the Subprocessor is capable of performing the obligations subcontracted to it in accordance with the Agreement (including this DPA); (b) periodically reassess the Subprocessor to ensure it remains capable of performing the obligations subcontracted to it in accordance with the Agreement (including this DPA); (c) ensure that the processing of Customer Data by the Subprocessor is governed by a written contract including terms no less protective of Customer Data than those set out in this DPA, including that the applicable data protection obligations in this DPA are imposed on the Subprocessor; and (d) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
Taking into account the nature of the processing, Wirespeed shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise individuals’ rights under Applicable Data Protection Law.
Wirespeed shall: (a) promptly notify Customer if Wirespeed receives a request from an individual Applicable Data Protection Law with respect to Customer Data to the extent that Wirespeed recognizes the request as relating to Customer; and (b) ensure that Wirespeed does not respond to that request except on the documented instructions of Customer or as required by applicable law, in which case Wirespeed shall to the extent permitted by applicable law inform Customer of that legal requirement before Wirespeed responds to the request.
To the extent Wirespeed is required by Applicable Data Protection Law, Wirespeed shall (taking into account the nature of the processing and the information available to Wirespeed) provide reasonable assistance to Customer with any impact assessments or consultations with data protection regulators by providing information in accordance with Section 7.4 (Audits and Records).
Wirespeed shall make available to Customer upon request information necessary to demonstrate compliance with Applicable Data Protection Law and this DPA in accordance with the following procedures: (a) Wirespeed will provide Customer with the most recent certifications and/or summary audit report(s) which Wirespeed has procured to regularly test, assess, and evaluate the effectiveness of the Security Measures; (b) Wirespeed will reasonably cooperate with Customer by providing available additional information concerning the Security Measures to help Customer better understand the Security Measures; and (c) if further information is required by Customer to comply with its own or other controller’s audit obligations or a competent supervisory authority’s request, Customer will inform Wirespeed and the Parties shall discuss in good faith the content and delivery of the required information.
Wirespeed will only host Customer Data at rest in the regions offered by Wirespeed and selected by Customer on an Order Form or as Customer otherwise configured via the Solutions (the “Hosting Location”).
Taking into account the safeguards set forth in this DPA, Customer Data may be processed in the United States or any other country in which Wirespeed or its Subprocessors operate.
Wirespeed shall promptly and in any event within sixty days of the date of cessation of providing any Solutions involving the processing of Customer Data (the “Cessation Date”), delete all copies of Customer Data, unless applicable law requires storage.
Wirespeed shall provide written certification to Customer that it has complied with this Section within ten days of receiving Customer’s written request to receive such certification.
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Any liability associated with failure to comply with this DPA will be subject to the limitations of liability provisions stated in the Agreement.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible, or if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Wirespeed will process Customer Data, including any personal data contained therein, exclusively to provide the Solutions pursuant to the Agreement, including any retention period(s) purchased by Customer for specific Solutions.
Wirespeed will process Customer Data only for the Permitted Purpose.
The specific nature of Customer Data processed by Wirespeed depends upon the Solutions Customer purchases, but broadly relates to the following categories of data:
The Solutions are not intended to process special categories of personal data, and special categories of personal data are not required to deliver the Solutions to Customer. Notwithstanding the foregoing, when Customer controls the data sent to Wirespeed, or in specific services engagements (e.g., forensic investigations requiring analysis of the underlying data), Wirespeed may process special categories of personal data on behalf of Customer. The nature and scope of the special categories of sensitive personal data that is transferred may not be known until after the processing has taken place but may include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
Data subjects include the individuals about whom data is provided to Wirespeed via the Solutions by (or at the direction of) Customer, and may include employees, contractors, consultants, or other individuals belonging to Customer, Customer’s customers or clients, and Customer’s partners’ workforce.
Wirespeed maintains an information security program that is designed to protect the confidentiality, integrity, and availability of Customer Data (the “Wirespeed Information Security Program”). The Wirespeed Information Security Program will be implemented on an organization-wide basis and will be designed to ensure Wirespeed’s compliance with Applicable Data Protection Law. As of the Effective Date, Wirespeed will implement and maintain the Security Measures described in this Appendix 2.
Wirespeed has appointed a senior officer responsible for coordinating and monitoring the Wirespeed Information Security Program.
Wirespeed personnel with access to Customer Data are subject to confidentiality obligations.
Wirespeed has implemented a security risk management program which is based on the requirements of ISO 27005. The Program defines a systematic and consistent process to ensure that security risks to Customer Data are identified, analyzed, evaluated, and treated. Risk treatment and the risk remaining after treatment (i.e., residual risk) is communicated to risk owners, who decide on acceptable levels of risk, authorize exceptions to this threshold, and drive corrective action when unacceptable risks are discovered.
Wirespeed takes reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Data, including by conducting background checks on all new employees to the extent permitted by applicable law in the jurisdiction where the employee is located.
Wirespeed informs its personnel about the Wirespeed Information Security Program and Applicable Data Protection Law upon hire and annually thereafter. Personnel are also informed of possible consequences – up to and including termination – of breaching the Wirespeed Information Security Program.
Assets utilized to process Customer Data are identified and an inventory of these assets is listed and maintained. Assets maintained in the inventory and assigned an owner. Company-provided assets are governed by Wirespeed’s Acceptable Use Policy.
All employees and external party users are required to return organizational assets in their possession upon termination of their employment, contract, or agreement.
Wirespeed’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Customer Data. Wirespeed employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Wirespeed requires the use of unique user IDs, strong passwords, multi-factor authentication, and monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel’s job responsibilities, job duty requirements necessary to perform authorized tasks, and a need to know basis. The granting or modification of access rights must also be in accordance with Wirespeed’s internal data access policies and training. Access to systems is logged to create an audit trail for accountability.
Wirespeed has no “on-premises” networks, uses no VPN, and operates in a 100% “Zero Trust” architecture. Employees must be strongly authenticated with multiple-factors before connecting to any system storing Customer Data.
Customer Data is encrypted in transit using TLS and at rest using AES ciphers.
Wirespeed does not own or operate any datacenters. Datacenter physical security is the responsibility of hosting providers listed in the sub-processors list in Appendix 4.
Wirespeed does not own or lease any physical office locations containing customer data.
Wirespeed maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Computing assets containing customer data within the Wirespeed network are protected by network segmentation and strong authentication.
Wirespeed conducts annual, comprehensive penetration testing of all production and corporate systems by a third party service
Wirespeed logs access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Customer Data is deleted irretrievably upon request or contract termination in accordance with the DPA.
Before onboarding any supplier to process Customer Data, Wirespeed conducts an audit of the security and privacy practices of the supplier to ensure the supplier provides a level of security and privacy appropriate to their proposed access to Customer Data and the scope of the services they are engaged to provide. Once Wirespeed has assessed the risks presented by the supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy terms prior to processing any Customer Data in accordance with the DPA.
Wirespeed has put in place a security incident management process for managing security incidents that may affect the confidentiality, integrity, or availability of its systems or data, including Customer Data. The process specifies courses of action, procedures for notification, escalation, mitigation, post-mortem investigations after each incident, response actions, periodic testing, and documentation.
Wirespeed has a security operations program function which monitors, triages, and responds to security alerts across the organization.
Wirespeed conducts frequent backups of all Customer Data in the Hosting Location. Where available, backups are physically located in a different availability zone from where Customer Data is hosted (but within the same Hosting Location). A monitoring process is in place to ensure successful ongoing backups.
The terms in each Module of this Appendix 3 apply only where the corresponding law applies to the processing of Customer Data.
1.1. “Adequate Country” means: (a) for data processed subject to the EU GDPR: any county within the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR; (b) for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act of 2018; and/or (c) for data processed subject to the Swiss FDPA: Switzerland or a country or territory that (i) is included in the list of states whose legislation ensures an adequate level of protection as published by the Swiss Federal Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPR.
2.1.2. “Alternative Transfer Mechanism” means a mechanism, other than the SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
1.3. “European Data Protection Law” means, as applicable: (a) the EU GDPR; (b) the UK GDPR; or (c) the Swiss FADP.
1.4. “European Law” means, as applicable: (a) EU or EU member State law (if the EU GDPR applies to the processing of Customer Data); (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Data); or (c) the law of Switzerland (if the Swiss FADP applies to the processing of Customer Data).
1.5. “Restricted Transfer” means the transfer or processing of Customer Personal Data to or in a country that is not an Adequate Country.
1.6. “SCCs” means the SCCs (Controller-to-Processor) or the SCCs (Processor-to-Processor), as applicable.
1.8. “Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).
1.9. “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act of 2018, and applicable secondary legislation made under the same.
Without prejudice to Wirespeed’s obligations under Section 4.3 (Customer Instructions and Obligation) of the DPA or any other rights or obligations of either party under the Agreement, Wirespeed will immediately notify Customer if, and to the extent such notice is not otherwise prohibited by European Law, in Wirespeed’s opinion: (a) European Law prohibits Wirespeed from complying with an instruction; (b) an instruction does not comply with European Data Protection Law; or (c) Wirespeed is otherwise unable to comply with an instruction. If Customer is a processor, Customer will immediately forward to the relevant controller any notice provided by Wirespeed under this Section.
If the processing of Customer Personal Data constitutes a Restricted Transfer then, subject to Section 3.2 of this Module 1 of Appendix 3, the SCCs will apply (according to whether Customer is a controller and/or a processor) with respect to such Restricted Transfer between Wirespeed and Customer.
The SCCs will not apply to a Restricted Transfer if Wirespeed has adopted an Alternative Transfer Mechanism for that Restricted Transfer.
Wirespeed will provide Customer with information relevant to a Restricted Transfer (a) as described in Section 7.5 (Audits and Records) of the DPA, and (b) in relation to Wirespeed’s adoption of an Alternative Transfer Mechanism.
If the SCCs apply as described in Section 3.1 (Restricted Transfers) of this Module 1 of Appendix 3, Wirespeed will allow Customer, or an independent auditor appointed by Customer, to conduct audits as described in those SCCs an, during an audit, make available all information required by those SCCs, both in accordance with Section 7.4 (Audits and Records) of the DPA.
Nothing in the Agreement (including this Appendix 3) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.
To the extent there is any conflict or inconsistency between any SCCs and the remainder of the Agreement, including this Appendix, the SCCs will prevail.
1.1. “CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.
1.2. “CPA” means the Colorado Privacy Act, Colo. Rev. Stat. §§ 13-61-101 et seq., and all implementing regulations.
1.3. “CTDPA” means the Connecticut Privacy Act and all implementing regulations.
1.4. “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq., and all implementing regulations.
1.5. “VCDPA” means the Virginia Consumer Data Protection Act, VA Code Ann. §§ 59.1-575 et seq., and all implementing regulations.
1.6. “U.S. Data Protection Law” means, as applicable, the CCPA, the CPA, the UCPA, the VCDPA, and all other laws and regulations relating to data protection, the processing of personal data, privacy, and/or electronic communications in force from time to time in the United States.
Without prejudice to Wirespeed’s obligations under Section 4.3 (Customer Instructions and Obligation) of the DPA, with respect to the processing of Customer Data in accordance with the CCPA, Wirespeed will not, unless otherwise permitted under U.S. Data Protection Law: (a) sell or share Customer Data; (b) retain, use, or disclose Customer Data for any purpose other than those specified in the Agreement and the DPA; (c) retain, use, or disclose Customer Data for any commercial purpose other than the business purpose specified in the Agreement and the DPA, including in the servicing of a different business; (d) retain, use, or disclose Customer Data outside the direct business relationship between Wirespeed and Customer; or (e) combine or update Customer Data with any other personal information that Wirespeed receives from or on behalf of a third party or collects from its own interactions with the consumer.
Without prejudice to Wirespeed’s obligations under Section 4.3 (Customer Instructions and Obligation) of the DPA, or any other rights or obligations of either party under the Agreement, Wirespeed will notify Customer if, in Wirespeed’s opinion, Wirespeed is unable to meet its obligations under U.S. Data Protection Law, unless such notice is prohibited by applicable law.
If Customer Data contains deidentified data, Wirespeed will (a) take reasonable measures to ensure the information cannot be associated with a consumer, (b) publicly commit to process deidentified data solely in deidentified form and not attempt to reidentify the information; and (c) contractually obligate any recipients of deidentified data to comply with the foregoing requirements and U.S. Data Protection Law.
Wirespeed grants Customer the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any and all unauthorized use of Customer Data.
Name | Activity | Registered Address | Country of Processing |
Amazon Web Services, Inc. | Hosting and storage systems provider | 410 Terry Avenue North, Seattle, WA 98109 | Dependent upon customer configuration |
Microsoft Azure | Hosting and storage systems provider | 6880 Sierra Center Pkwy Reno, Nevada 89511 | Dependent upon customer configuration |
Google, LLC | Hosting and storage systems provider, Threat Intelligence | 1600 Amphitheatre Pkwy, Mountain View, CA 94043 | Dependent upon customer configuration |
Twilio, Inc. | SMS Text and Email notification services | 375 Beale St., #300, San Francisco, CA 94105 | United States |
Slack Technologies, Inc. | Customer communications and data transfer (only if customer consents to use) | 500 Howard St., San Francisco, CA 94105 | United States |
IDB, LLC | IP Address enrichment | 5616 49th Ave SW Seattle, WA, 98136 | United States |
Superlative Enterprises Pty Ltd | Threat & Exposure Intelligence | Level 11 2 Corporate Court Bundall 4217 Queensland | Australia |
Intercom | Support and User Guides | 55 2nd Street 4th Floor San Francisco, California 94105 US | Dependent upon customer configuration |
Clickhouse, Inc. | Hosting and storage systems provider | Palo Alto, CA | United States |
Inngest, Inc. | Hosting and storage systems provider | San Francisco, CA | United States |
