Under this DPA, BlackCrypt processes personal data in Customer Data in connection with the provision of the Service, including analysis of encrypted network traffic and generation of Results and Reports, as described in the OST. Where Customer acts as controller, BlackCrypt acts as processor. Where Customer acts as processor for an end customer, BlackCrypt acts as Customer’s sub-processor.

BlackCrypt processes personal data under this DPA only for the following purposes:

• to ingest and analyse Customer Data (e.g. PCAPs and derived telemetry) and generate Results and reports;
• to provide, maintain and secure the Service (including logging, monitoring and abuse-prevention);
• to provide support and handle incidents or issues reported by Customer; and
• to comply with legal obligations applicable to BlackCrypt and respond to lawful requests from public authorities, where required by law.

This DPA applies for as long as BlackCrypt processes personal data in Customer Data under the OST, whether as processor or sub-processor, and remains in effect until deletion or return of such personal data in accordance with Section 9 (Deletion and Return of Data).

Where Advanced Analysis or enrichment features are used, BlackCrypt may enrich relevant public-routable destination IP addresses observed in Customer Data using Geo-IP and IP reputation or threat-intelligence providers. Enrichment is IP-centric and is used to provide security context, triage signals, and Results.

Private, reserved, invalid, or non-routable IP addresses are excluded from external enrichment where applicable. BlackCrypt does not send packet payloads to threat-intelligence providers. Third-party threat-intelligence data is provided by those sources as-is and may change after the analysis snapshot.

For Customer Data processed through the Service, Customer acts as controller or processor, as applicable. Where Customer acts as controller, BlackCrypt acts as processor. Where Customer acts as processor for an end customer, BlackCrypt acts as Customer’s sub-processor. Customer is responsible for ensuring that it has authority to appoint BlackCrypt and to issue processing instructions for the relevant Customer Data.

For account, billing, payment, support, abuse-prevention, security, and platform telemetry data processed for BlackCrypt’s own purposes, BlackCrypt may act as an independent controller as described in its Privacy Policy.

The Processor will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In that case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

The OST, this DPA, Customer’s use of the Service (including configuration in the dashboard) and any written instructions given through the support channels constitute Customer’s documented instructions. Customer is responsible for ensuring that its instructions comply with applicable law, including GDPR.

Customer is responsible for ensuring a lawful basis for processing Customer Data, providing required transparency to data subjects, handling data-subject rights, and ensuring that its use of the Service complies with employment, telecommunications, cybersecurity, sector-specific, and data-protection laws applicable to Customer.

If Customer shares Results, Reports, or personal data derived from Customer Data with its own vendors, consultants, MSSPs, incident-response providers, auditors, or other downstream processors, Customer remains responsible for ensuring that appropriate GDPR-compliant contracts, instructions, confidentiality obligations, and safeguards are in place.

In the context of the Service, Customer may submit or cause to be captured personal data including:

• network-level identifiers (e.g. public IP addresses, ports, protocol metadata, TLS handshake parameters);
• timestamps and session identifiers relating to network connections;
• domain names or hostnames that may be associated with natural persons (e.g. SNI fields);
• user identifiers or device identifiers where encoded in Customer Data; and
• any additional metadata the Controller chooses to include in Customer Data or support tickets.

The Service is designed for encrypted traffic metadata. BlackCrypt does not decrypt TLS payloads or reconstruct cleartext application content, and Customer should avoid intentionally submitting decrypted payloads, cleartext application content, or unrelated sensitive data.

Depending on how Customer uses the Service and captures traffic, data subjects may include:

• employees, contractors and other staff of the Controller or its affiliates;
• users of the Controller’s networks or services (e.g. customers, visitors); and
• third parties whose communications traverse the Controller’s networks.

The Service is not intended to process special categories of personal data within the meaning of Article 9 GDPR. Customer must not intentionally capture or submit such data to the Service. If such data is nevertheless incidentally present in network metadata, both parties will treat it with appropriate safeguards.

BlackCrypt shall comply with the obligations of a processor or sub-processor under GDPR in relation to processing of personal data under this DPA, including Articles 28 and 32–36 where applicable.

BlackCrypt shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations, whether contractual or statutory, and are informed of the confidential nature of the data and the obligations under this DPA.

Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risks for data subjects, BlackCrypt shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• encryption of Customer Data in transit and at rest;
• access controls based on least privilege and multi-factor authentication;
• segregation of Customer environments where applicable;
• logging and monitoring of access and security-relevant events; and
• controlled deletion, backup lifecycle and business continuity measures.

BlackCrypt shall not use Customer Data, PCAPs, derived Results, Reports, or personal data contained in Customer Data to train, retrain, fine-tune, benchmark, or evaluate general-purpose detection, AI, or machine-learning models reused across customers, except under a separate explicit written opt-in agreement.

BlackCrypt may use aggregated and de-identified service analytics, such as uptime, error rates, capacity metrics, queue statistics, and non-identifying product telemetry, to operate, secure and improve the Service, provided that such analytics do not identify Customer, Customer users, data subjects, or Customer Data.

Taking into account the nature of processing and the information available to BlackCrypt, BlackCrypt shall assist Customer, in so far as reasonably possible, in:

• responding to data-subject requests under Chapter III GDPR (e.g. access, erasure, restriction);
• ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs and prior consultation); and
• meeting record-keeping and accountability obligations relating to the processing carried out under this DPA.

Customer grants BlackCrypt general written authorisation to engage sub-processors for the processing described in this DPA. Current categories of sub-processors for Customer Data may include infrastructure, hosting, storage, backup, logging, monitoring, email/support, Geo-IP, and IP reputation or threat-intelligence providers.

Geo-IP and IP reputation or threat-intelligence providers may process public-routable destination IP addresses from relevant Customer Data for enrichment purposes. Examples may include providers such as IPinfo, AlienVault OTX, and AbuseIPDB, where enabled or used by the Service.

BlackCrypt will maintain a sub-processor list or make sub-processor information available through the Service, legal documentation, or on request.

BlackCrypt shall impose on sub-processors data-protection obligations that are no less protective than those set out in this DPA, including with respect to security, confidentiality, data-subject rights and deletion. BlackCrypt remains responsible towards Customer for the acts and omissions of sub-processors in relation to processing of personal data under this DPA.

BlackCrypt shall inform Customer of intended changes concerning the addition or replacement of sub-processors (for example, via the Service, email, or a public list) and give Customer an opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot find a mutually acceptable solution, Customer may terminate the affected Service to the extent it cannot be provided without the relevant sub-processor, without penalty, as Customer’s sole remedy.

Unless Customer instructs earlier deletion, an agreed enterprise retention setting applies, or law requires longer retention:

• Inputs: uploaded PCAPs and capture-derived raw artefacts used solely for analysis are deleted automatically after the analysis completes or irrecoverably fails, subject only to technical backup cycles;
• Results: derived analysis outputs, metadata and generated report artefacts are encrypted at rest and retained for 90 days by default while the analysis remains available in the Service, unless deleted earlier by Customer or retained longer where required by law, security investigation, dispute handling, or an agreed enterprise retention setting;
• Reports: reports can be generated while the relevant analysis exists. Once an analysis is deleted or expires, new reports can no longer be generated and stored report artefacts are removed according to Results retention;
• Operational logs: security, abuse-prevention, support and audit logs that may contain IP addresses and technical identifiers are retained for up to 180 days by default, unless longer retention is required for legal, tax, security, incident-response, or dispute reasons; and
• Backups: deletion propagates to backups within 30 days according to the backup lifecycle, unless backup isolation is legally or operationally required.

Upon termination of the Service or upon Customer’s written request, BlackCrypt shall delete (or, at Customer’s option and where technically feasible, return) personal data processed under this DPA, except where continued storage is required by Union or Member State law or is technically necessary in backups for a limited transition period according to the backup lifecycle described in Section 9.1. Where data is returned, it shall be provided in a commonly used machine-readable format.