Data Processing Addendum
socbox.cloud’s GDPR Article 28 commitments when we process personal data on your behalf. This page is a public draft; the counter-signed PDF is available on request.
Roles
You are the “Controller” (you decide what personal data is processed and why). socbox.cloud is the “Processor” (we process personal data only on your documented instructions, recorded in this DPA and in our Terms of Service).
What we process
The personal data we process on your behalf is described in our Privacy Policy. In short: account identifiers (email, display name), audit-log entries, and any personal data you choose to upload into your workspace (e.g. an SBOM that names a maintainer).
Security commitments
- Strong encryption in transit and at rest.
- Authenticated, mutually-encrypted communication between internal services.
- SOC 2 Type II — audit in progress; ISO 27001 — planned for GA.
- Role-based access on every internal tool; audit logs retained 13 months.
- Annual penetration test by an independent firm.
Sub-processors
We use a small number of sub-processors (for transactional email, payment processing, and hosting). The current list is in our Privacy Policy. We notify Controllers of any new sub-processor at least 30 days before engagement.
International transfers
For data transferred outside the EEA, we use the EU Standard Contractual Clauses (2021 module) as the legal basis. Data residency options are planned for paid plans (coming soon).
Counter-signed copy
Email legal@socbox.cloud with your company name and EU representative (if applicable) and we’ll send back a counter-signed DPA PDF within 2 business days.