Last updated · 12 May 2026
Effective · 12 May 2026
Version 3.0
Full DPA · for procurement and legal review
Download the signed DPA (DOCX, 14 pp)
Pre-signed by Permus. Counter-sign and return to [email protected]. Standard for all paid plans.
1. Scope and roles
This DPA applies whenever Permus Information Technology LLC ("Processor") processes personal data on behalf of the Customer ("Controller") under the IronCastle subscription. The Controller determines the purposes and means of processing; the Processor processes only on documented instructions.
2. Subject matter and duration
- Subject: security telemetry collected from Customer environments — process events, file events, network metadata, identity audit logs, cloud audit logs.
- Categories of data subjects: Customer's employees, contractors, and any user whose activity is recorded by the security tooling.
- Categories of personal data: usernames, email addresses, IP addresses, device identifiers, login timestamps, behavioural metadata. No special categories of data unless the Customer explicitly opts in.
- Duration: for the term of the subscription, plus the offboarding period.
3. Processor obligations
- Process only on documented Customer instruction.
- Ensure personnel are bound by confidentiality.
- Implement and maintain appropriate technical and organisational measures (Annex A of the signed DPA — same controls documented on our Trust page).
- Assist Controller in responding to data-subject requests within reasonable timeframes.
- Notify Controller of personal data breaches without undue delay, and in any event within 72 hours.
- Make available all information necessary to demonstrate compliance, including third-party audit reports.
- Delete or return all personal data at end of contract (Customer's choice).
4. Subprocessors
The Controller grants the Processor general authorisation to engage subprocessors, subject to the conditions in this section. The current list is published at subprocessors.html and forms part of this DPA.
Permus will give 30 days' written notice of new subprocessors. If the Customer reasonably objects, Permus will work in good faith to find an alternative; if no alternative is possible, the Customer may terminate the affected service without penalty.
5. International transfers
Customer data does not leave the region the Customer selects at sign-up (UAE, AU, or EU). Where transfers between regions are technically necessary (e.g., for global subprocessors), they are covered by:
- EU Standard Contractual Clauses (2021/914) for transfers out of the EEA
- UK International Data Transfer Addendum
- Adequacy decisions where they exist (e.g., EU↔UK, EU↔CH)
- UAE PDPL transfer mechanisms (consent, adequacy, contractual safeguards) for transfers out of the UAE
6. Security measures (Annex A summary)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Least-privilege access, role-based, audited
- Multi-factor authentication required for all production access
- Row-level isolation enforced at the database level
- Quarterly penetration testing
- ISO 27001 ISMS, audited annually
- ISO 42001 AI management system, audited annually
- SOC 2 Type II — in progress (2026)
- Business continuity plan, tested annually
- Background-checked personnel; annual security training
7. Audit rights
The Controller may audit Permus's compliance once per year, on 30 days' written notice, during business hours, at the Controller's expense. Permus will provide independent third-party audit reports (SOC 2, ISO 27001) to satisfy most audit requirements without an on-site visit.
8. Liability
Liability under this DPA is subject to the limitation of liability in the underlying agreement (Terms of Service or signed MSA).
9. Term and termination
This DPA is effective for as long as Permus processes personal data on behalf of the Controller, regardless of any termination of the underlying contract — until all personal data is returned or destroyed.
10. Contact
Data Protection Lead — [email protected]
Legal — [email protected]
This page is a summary. The signed DPA is the authoritative document. Email [email protected] to receive it.