Theodolite by vCSO.ai

Data Processing Agreement

How we process personal data on your behalf under GDPR, UK GDPR, and CCPA/CPRA
Effective: April 2026 · v1.0

1. Introduction & Parties

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between vCSO.ai, Inc. (“vCSO.ai,” “we,” “us”), operating the Theodolite platform, and the customer entity that has accepted the Agreement (“Customer,” “you”).

This DPA governs the Processing of Customer Personal Data that vCSO.ai Processes on Customer’s behalf when providing the Service. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data protection matters.

2. Definitions

Terms used but not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.

  • “Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (2016/679) (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and any successor laws.
  • “Customer Personal Data” means any Personal Data contained within Customer Data that vCSO.ai Processes on Customer’s behalf in the course of providing the Service.
  • “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Supervisory Authority” have the meanings given in the GDPR.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise Processed.
  • “Standard Contractual Clauses” or “SCCs” means the clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum to the SCCs.
  • “Subprocessor” means any third party engaged by vCSO.ai to Process Customer Personal Data.

3. Scope & Roles

The parties acknowledge that, with respect to the Processing of Customer Personal Data under the Agreement:

  • Customer is the Controller (or, where Customer acts on behalf of another controller, the Processor);
  • vCSO.ai is the Processor (or sub-processor, as applicable);
  • each party will comply with its respective obligations under applicable Data Protection Laws.

Customer is responsible for ensuring it has a lawful basis to collect the Personal Data it submits to the Service and for providing all notices and obtaining all consents required from Data Subjects.

4. Subject Matter, Duration & Nature of Processing

Item | Description
Subject matter | Provision of the Theodolite cybersecurity decision-making platform: vulnerability quantification, sensitive data discovery, cloud security posture, and compliance assessment.
Duration | The term of the Agreement plus any period during which vCSO.ai retains Customer Personal Data in accordance with Section 13 (Return & Deletion).
Nature of Processing | Collection, storage, analysis, classification, aggregation, correlation, and transmission of Customer Data strictly as required to operate and improve the Service.
Purpose | Performing vCSO.ai’s obligations under the Agreement, including generating risk quantification, compliance scores, and remediation recommendations on Customer’s behalf.
Frequency | Continuous for the duration of the Agreement.

5. Categories of Data & Data Subjects

Categories of Data Subjects

  • Customer’s personnel (employees, contractors, administrators) who access the Service
  • Individuals whose Personal Data is present in Customer’s connected cloud storage, filesystems, or scan imports
  • Other individuals referenced in Customer Data that Customer submits to the Service

Categories of Personal Data

The Personal Data Processed depends on what Customer chooses to connect or upload. It may include:

  • Account data: name, business email, job title, company, authentication identifiers.
  • Usage data: IP address, browser and device information, session and audit logs.
  • Infrastructure metadata: cloud resource configurations, IAM principals, file paths, object metadata.
  • Discovery findings: classifications and pointers indicating the presence of PII, PHI, financial, or credential data in Customer systems. The underlying sensitive content is not persisted by the Service.
  • Vulnerability and assessment data: content of imported scan reports and assessment responses Customer submits.

Special Categories

The Service is not designed to Process special categories of Personal Data (GDPR Art. 9) or criminal conviction data (GDPR Art. 10). Customer agrees not to submit such data except in metadata form (e.g., a classification label indicating the presence of PHI in a Customer-owned file) as inherent to the Service’s discovery function.

6. Processor Obligations

vCSO.ai will:

  • Process on documented instructions. Process Customer Personal Data only on Customer’s documented instructions (including the Agreement and Customer’s configuration of the Service), unless required to do so by applicable law. If vCSO.ai believes an instruction violates Data Protection Laws, it will notify Customer.
  • Confidentiality. Ensure personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations and receive appropriate training.
  • Security. Implement the technical and organizational measures described in Section 8.
  • Assistance. Provide reasonable assistance to Customer with data subject requests, DPIAs, prior consultations, and Supervisory Authority inquiries, taking into account the nature of Processing and information available to vCSO.ai.
  • No sale / no further use. Not sell, rent, or license Customer Personal Data; not retain, use, or disclose Customer Personal Data outside the direct business relationship or for any purpose other than performing the Service.

7. Subprocessors

Customer grants vCSO.ai general authorization to engage Subprocessors to Process Customer Personal Data, subject to this Section.

Current Subprocessors

A current list of Subprocessors is maintained below. Categories include infrastructure hosting, database services, transactional email, error monitoring, and AI model inference.

Subprocessor | Purpose | Location
Microsoft Azure | Primary cloud hosting, managed PostgreSQL, object storage, identity | United States
Anthropic, PBC | LLM inference for AI-generated action plans and guidance (zero data retention mode) | United States
GitHub, Inc. | Source code, CI/CD, issue tracking | United States

This list is illustrative and may be updated as the Service evolves. Contact privacy@vcso.ai for the current list.

Subprocessor Obligations

  • vCSO.ai will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA.
  • vCSO.ai remains liable for the acts and omissions of its Subprocessors to the same extent as for its own acts and omissions.
  • vCSO.ai will provide at least thirty (30) days’ notice of any intended addition or replacement of Subprocessors. Customer may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection.

8. Technical and Organizational Measures

vCSO.ai maintains a written information security program with measures appropriate to the risk, including:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest (database, object storage, backups).
  • Access control: role-based access (owner/admin/analyst/viewer), least privilege, SSO and MFA for administrative access, HttpOnly session cookies.
  • Network security: segmented production environment, managed WAF, rate limiting, CSRF protection, XXE-safe XML parsing.
  • Zero-persistence discovery: data discovery scans are performed by a Customer-side scanner using Customer-managed identities; only classification metadata and counts are transmitted to the Service backend. The underlying sensitive file content is never stored by vCSO.ai.
  • Multi-tenancy: logical separation of Customer data by organization identifier, enforced at the query layer.
  • Change management: code review, automated testing, CI/CD with audited deployments to Azure Container Apps.
  • Logging & monitoring: application and access logs, alerting on anomalous activity.
  • Backups: encrypted, point-in-time recovery for the production database.
  • Personnel: background checks where lawful, confidentiality agreements, annual security training.
  • Vendor management: security review of material Subprocessors.
  • Incident response: documented procedures with defined roles and timelines.

vCSO.ai may update these measures from time to time, provided the overall level of protection is not materially reduced.

9. Data Subject Rights

Taking into account the nature of Processing, vCSO.ai will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

If vCSO.ai receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond substantively but will promptly forward the request to Customer, unless otherwise legally required.

10. Personal Data Breach Notification

vCSO.ai will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time:

  • The nature of the breach, categories and approximate number of Data Subjects and records concerned;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate its adverse effects;
  • A contact point for further information.

vCSO.ai will provide reasonable cooperation to Customer in fulfilling Customer’s own breach notification obligations. vCSO.ai’s notification is not an acknowledgment of fault or liability.

11. DPIA & Prior Consultation Assistance

Where required by Data Protection Laws, vCSO.ai will provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of the Processing and the information available to vCSO.ai.

12. International Data Transfers

vCSO.ai is established in the United States and primarily Processes Customer Personal Data in the United States. To the extent Customer Personal Data of Data Subjects in the EEA, United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision:

  • The EU Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor, as applicable) are hereby incorporated by reference and deemed executed by the parties, with Customer as data exporter and vCSO.ai as data importer.
  • For UK transfers, the UK International Data Transfer Addendum is incorporated by reference.
  • For Swiss transfers, the SCCs apply with references to the GDPR read as references to the Swiss FADP, and the competent authority read as the Swiss FDPIC.
  • vCSO.ai will implement supplementary measures as appropriate following the Schrems II framework (e.g., encryption, access controls, transparency reporting, challenging overbroad government requests).

13. Return & Deletion of Data

Upon termination or expiration of the Agreement, at Customer’s choice, vCSO.ai will delete or return all Customer Personal Data in its possession and delete existing copies, except to the extent applicable law requires storage.

  • Customer may request return or deletion at any time by contacting privacy@vcso.ai.
  • Deletion will be completed within thirty (30) days of the termination or request, subject to technical constraints (e.g., backup rotation cycles, for which residual data will remain protected under this DPA until overwritten).
  • vCSO.ai will provide written confirmation of deletion upon request.

14. Audits & Information Rights

vCSO.ai will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Customer may satisfy its audit rights by:

  • Documentation review: reviewing vCSO.ai’s security documentation, third-party audit reports (e.g., SOC 2 Type II when available), and responses to standard security questionnaires.
  • On-site audit: where Customer reasonably believes documentation review is insufficient, Customer (or a mutually agreed independent auditor bound by confidentiality) may conduct an on-site audit of vCSO.ai’s relevant systems, not more than once per year, on at least thirty (30) days’ written notice, during business hours, in a manner that does not disrupt operations.

Customer bears its own audit costs. vCSO.ai may charge reasonable fees for support beyond standard cooperation.

15. CCPA/CPRA Service Provider Terms

To the extent Customer Personal Data includes personal information of California residents, vCSO.ai acts as a “Service Provider” as defined by the CCPA. vCSO.ai will:

  • Process personal information only for the business purposes specified in the Agreement and this DPA;
  • Not sell or share personal information as those terms are defined under the CCPA;
  • Not retain, use, or disclose personal information outside the direct business relationship with Customer;
  • Not combine personal information received from Customer with personal information received from other sources, except as permitted by CCPA regulations;
  • Notify Customer if it determines it can no longer meet its obligations under the CCPA;
  • Grant Customer the right to take reasonable and appropriate steps to remediate unauthorized use of personal information.

vCSO.ai certifies that it understands the restrictions of CCPA § 1798.140(ag) and will comply with them.

16. Liability & Conflicts

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, any reference in the Agreement’s liability cap to amounts paid or payable includes amounts paid or payable under this DPA.

In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs control.

17. Contact

For questions about this DPA, to request the current Subprocessor list, to exercise audit rights, or to report a data protection concern, contact:

vCSO.ai, Inc.

Data Protection: privacy@vcso.ai

Website: www.vcso.ai

Please include “DPA Request” in the subject line.

This DPA is offered as a standard template. Enterprise customers requiring a countersigned DPA on their own paper should contact us at the address above.