Effective Date: January 1, 2026 | Last Updated: January 1, 2026
This Data Processing Addendum (DPA) forms part of the Service Agreement between you (Data Controller) and Babar Tech (Data Processor) for GDPR and CCPA compliance. This DPA is entered into pursuant to GDPR Article 28, which requires a binding contract between Data Controllers and Data Processors governing the processing of personal data.
Definitions & Roles
Who Does What
- You (Data Controller): You own all security logs and data. You determine what data is collected and why.
- Us (Data Processor): We process your data only to provide MDR services under your instructions.
Key Terms
- Personal Data: Information in security logs that could identify individuals (usernames, IP addresses, emails)
- Processing: Collecting, analyzing, storing security data for threat detection
- Data Subject: Your employees, contractors, or users whose data appears in logs
- Sub-Processor: Third-party vendors we use (AWS, Azure, GCP)
Processor Obligations (GDPR Article 28)
As Data Processor, Babar Tech commits to the following obligations under GDPR Article 28:
- Process personal data only on documented instructions from the Data Controller, unless required by law
- Ensure all personnel authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in this DPA
- Not engage another processor (sub-processor) without prior written authorization from the Data Controller, with 30 days advance notice for changes
- Assist the Data Controller in responding to data subject rights requests
- Assist the Data Controller in ensuring compliance with breach notification obligations (Articles 32-36)
- Delete or return all personal data upon termination of services, at the Data Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
Processing Details
Purpose of Processing
We process data solely to provide MDR services:
- Threat detection and analysis
- Security incident investigation
- Incident response coordination
- Security reporting
Types of Data Processed
- Security Logs: Endpoint activity, network traffic, authentication events
- Metadata: Usernames, IP addresses, timestamps, file hashes
- Incident Data: Alert details, investigation notes, response actions
Data Subjects
- Your employees and contractors
- System administrators
- End users of your systems
Data Retention
- Active Monitoring: 90 days (configurable)
- Incident Records: 1 year after closure
- Upon Termination: Deleted within 30 days
Security Measures
We implement appropriate technical and organizational measures to protect personal data:
Technical Safeguards
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access Controls: Role-based access, MFA required
- Logging: All data access is audited
- Segmentation: Client data is isolated
Organizational Safeguards
- Background checks for all analysts
- Confidentiality agreements (NDAs)
- Regular security training
- Annual third-party audits
Breach Notification
If we become aware of a data breach, we will:
- Notify you within 72 hours
- Provide details of affected data
- Describe mitigation actions taken
- Assist with regulatory notifications
Sub-Processors
We may engage trusted third-party sub-processors to assist in service delivery:
Current Sub-Processors
- Amazon Web Services (AWS): Cloud infrastructure hosting
- Microsoft Azure: Cloud infrastructure hosting
- Google Cloud Platform (GCP): Cloud infrastructure hosting
All sub-processors:
- Are bound by GDPR-compliant data processing agreements
- Implement appropriate security measures
- Are subject to audit and review
Changes to Sub-Processors
We will notify you 30 days in advance of adding new sub-processors. You may object to new sub-processors for legitimate reasons.
Data Subject Rights
We will assist you in responding to data subject requests:
Rights We Support
- Access: Provide copies of personal data upon request
- Rectification: Correct inaccurate data
- Erasure: Delete data when no longer needed
- Portability: Export data in machine-readable format
- Restriction: Limit processing in certain circumstances
Request Process
Forward data subject requests to us at privacy@babartech.com. We will respond within 30 days with available data.
International Data Transfers
Data may be transferred outside your jurisdiction for processing.
Transfer Mechanisms
- EU-US: Standard Contractual Clauses (SCCs) approved by the European Commission
- UK: UK International Data Transfer Agreement (IDTA)
- Other Regions: Appropriate safeguards per local law
Our 24/7 SOC operates from multiple regions to provide continuous coverage.
Audit Rights
Upon reasonable notice, you may:
- Request our latest SOC 2 report (under NDA)
- Request evidence of security controls
- Conduct audits (at your expense, once per year)
We undergo annual third-party security audits and maintain certifications demonstrating our security posture.
Data Return & Deletion
Upon service termination or your request:
- We will delete all personal data within 30 days
- We can provide a final data export (if technically feasible)
- We will provide a certificate of deletion upon request
Exception: Data may be retained longer if required by law or for legal proceedings.