TensorGuard Data Processing Addendum

Last Updated: March 15th, 2026

New Customer Effective Date: March 15th, 2026

Current Customer Effective Date: April 15th, 2026

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the applicable written agreement between TensorGuard Inc. (“TensorGuard”) and the applicable customer or reseller (each, a “Customer”) that governs Customer’s use of the TensorGuard services (the “Agreement”). Capitalized terms not defined in this DPA have the meanings in the Agreement. If there is a conflict between this DPA and the Agreement with respect to the Processing of Personal Information, this DPA controls.

1. Scope & Roles

1.1 Scope. This DPA applies to TensorGuard’s Processing of Personal Information on behalf of Customer in connection with providing the Cloud Services in the United States. This DPA does not apply to instances where Customer deploys TensorGuard Software exclusively on their own on-premises infrastructure, as TensorGuard does not Process or have access to Personal Information in such deployments.

1.2 Roles. For U.S. Privacy Laws (including CCPA/CPRA):

  • Where Customer provides the Services to an End User (e.g., MSSP model), the End User is the Business, Customer is the Service Provider/Processor, and TensorGuard is Customer’s Sub-processor/Sub-service provider.
  • Where TensorGuard contracts directly with a business customer, such customer is the Business, and TensorGuard is the Service Provider.

2. Definitions

“Personal Information” (or “Personal Data”) has the meaning in applicable U.S. Privacy Laws and includes any information that identifies or relates to a consumer/household and is Processed by TensorGuard on Customer’s behalf.

“Process/Processing” means any operation performed on Personal Information.

“U.S. Privacy Laws” means all applicable U.S. federal and state privacy laws governing the Services, including the California Consumer Privacy Act as amended by the CPRA (collectively, “CCPA/CPRA”), as well as all other enacted comprehensive state data privacy laws as they become effective.

“Forensic Data” means device and account data collected via the Services for DFIR and related investigations.

3. Customer Instructions

TensorGuard will Process Personal Information solely:

(a) to provide, secure, maintain, and support the Services described in the Agreement and Annex A;

(b) to comply with law; and

(c) as otherwise documented in Customer’s written instructions. TensorGuard will promptly notify Customer if, in TensorGuard’s opinion, an instruction violates U.S. Privacy Laws.

4. CPRA Service-Provider/Contractor Terms

TensorGuard certifies it understands and will comply with the following:

(a) No Sale/Share. TensorGuard will not sell or share Personal Information.

(b) Purpose Limitation. TensorGuard will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement and this DPA, including not for cross-context behavioral advertising.

(c) No Outside Use. TensorGuard will not retain, use, or disclose Personal Information outside the direct business relationship with Customer.

(d) Combining Data. TensorGuard will not combine Personal Information it receives from Customer with Personal Information it receives from another source, except as permitted by U.S. Privacy Laws (e.g., to detect security incidents, protect against illegal activity, or to improve the Services using operational metadata as described in §5.2).

(e) Subcontracting. TensorGuard will bind sub-processors by written contracts imposing materially the same obligations as this §4 and §5–§10.

(f) Profiling and Workplace Monitoring. In the event the Services are utilized by Customer to conduct “Profiling” (as defined by the CPRA) for insider threat detection or behavioral anomaly identification, TensorGuard acts strictly as a Service Provider. Customer represents and warrants that it maintains the lawful basis for such Profiling activities and assumes sole responsibility for providing any legally required notices or opt-out mechanisms to its employees or consumers as required by U.S. Privacy Laws.

5. Confidentiality, Security & Improvement Use

5.1 Confidentiality. TensorGuard ensures personnel authorized to Process Personal Information are subject to appropriate confidentiality obligations and have a need to know.

5.2 Telemetry, Grading, and Improvement. TensorGuard may use operational metadata, error logs, and statistical telemetry derived from Customer’s use of the Services to maintain and improve the platform. TensorGuard may also temporarily process Customer’s data to evaluate and grade the accuracy of our models. TensorGuard will (i) explicitly exclude raw Forensic Data contents from perpetual retention for heuristic tuning; (ii) take reasonable measures to ensure any retained telemetry cannot be associated with a consumer or household; (iii) not attempt to re-identify the data; and (iv) never use Customer’s data to train, retrain, or fine-tune generative Artificial Intelligence models across tenant boundaries.

5.3 Security Measures. TensorGuard implements and maintains administrative, physical, and technical safeguards appropriate to the nature, scope, and risks of the Processing, including encryption at rest and in transit, access controls, logging/monitoring, vulnerability management, and secure software development practices. The current measures are summarized in Annex B.

6. Sub-processors

6.1 Authorization. Customer provides general authorization for TensorGuard to engage sub-processors to support the Services.

6.2 Process. TensorGuard will:

(a) maintain a current list of sub-processors (available on request);

(b) impose data protection obligations materially equivalent to this DPA; and

(c) provide ≥30 days’ prior notice of material additions or replacements, allowing Customer to object on reasonable data-protection grounds. If the Parties cannot resolve an objection in good faith within 30 days, Customer may terminate the Agreement for cause without penalty and receive a pro-rata refund for any prepaid, unused Services.

6.3 Named Sub-processors (Authentication/Identity). Enterprise Identity Providers (e.g., Microsoft Corporation, Okta, Inc., Google LLC, GitLab Inc.) may be used as identity providers (IdPs) for authentication depending on Customer configuration; IdP transactions may be processed on their own infrastructure consistent with their architectures. TensorGuard does not store user passwords.

6.4 Other Current Sub-processors (Core Services). Google Cloud (hosting, compute, and enterprise AI processing), Hetzner US, and Cloudflare (hosting, networking/security); Mailgun (email); Stripe and Mercury (payments/invoicing); CookieYes (consent management). Customer-designated tools (e.g., a Customer’s SIEM) are not TensorGuard sub-processors.

7. Data Location

TensorGuard stores and Processes Customer-controlled data (including Forensic Data) in U.S. regions only, including backups and disaster recovery. Authentication transactions handled by Google/GitLab may be processed per those providers’ regional architectures.

8. Incident Management

TensorGuard will notify Customer without undue delay, and in no event later than 72 hours after confirming a Security Incident compromising TensorGuard’s platform infrastructure. TensorGuard will investigate, mitigate, and cooperate with Customer consistent with law and industry practice. For the avoidance of doubt, this notification obligation relates strictly to a breach of TensorGuard’s own security boundaries, and does not apply to malware, unauthorized access, or historical breaches detected on the Customer’s own networks/endpoints as part of the intended diagnostic and compromise assessment function of the Services.

9. Assistance

TensorGuard will, taking into account the nature of Processing and the information available to TensorGuard:

(a) Consumer Requests. Provide reasonable assistance to Customer for verifiable consumer requests under U.S. Privacy Laws (access, deletion, correction, etc.).

(b) Security/DPIAs. Provide information reasonably required to support risk assessments, DPIAs, or consultations with authorities related to TensorGuard’s Processing.

(c) Opt-Out Signals. Because TensorGuard does not sell/share Personal Information or use it for targeted advertising, no global privacy control processing is required for Services data.

10. Audits & Information

Upon reasonable written request no more than once per 12 months, TensorGuard will make available information necessary to demonstrate compliance with this DPA, which may include comprehensive internal security architecture documentation, penetration testing summaries, or industry-standard security attestations (such as a SOC 2 report, to the extent TensorGuard has completed such formal audits), and sub-processor lists.

11. Return & Deletion

At termination or upon Customer’s written instruction, TensorGuard will delete or return Personal Information, and delete existing copies within a reasonable period, unless retention is required by law or a documented legal hold. Where Customer elects archival (if available under the Agreement), retention will follow the agreed archival terms.

Statutory Exceptions for Evidentiary Integrity: The right to deletion does not apply to Forensic Data payloads, Chain of Custody logs, Audit Trails, or associated identifying information (e.g., Real Name, Email Address, Timestamps, IP Addresses) that have been immutably written into a forensic record prior to your request. To maintain the evidentiary viability of historical investigations and prevent the spoliation of evidence, TensorGuard and your Organization expressly reserve the right to retain such data. We rely on the statutory exemptions provided by applicable U.S. Privacy Laws (including, but not limited to, Cal. Civ. Code § 1798.105(d)) to refuse deletion requests where retention is strictly necessary to: (i) help ensure security and integrity; (ii) detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity; (iii) prosecute those responsible for that activity; or (iv) exercise or defend legal claims.

12. Government & Law Enforcement Requests

TensorGuard will not disclose Personal Information to public authorities unless required by law. Where legally permitted, TensorGuard will provide Customer with notice of any demand and will challenge unlawful or overbroad requests.

13. Minors

Customer represents it will not instruct TensorGuard to intentionally target or profile the Personal Information of individuals under 18. TensorGuard will promptly notify Customer if it becomes aware of Processing intentionally involving minors contrary to this representation.

14. Liability; Precedence; Governing Law

14.1 Liability. The Parties’ liability under this DPA is governed by the limitations and exclusions in the Agreement.

14.2 Precedence. If there is a conflict between this DPA and any privacy policy, the DPA controls.

14.3 Governing Law. This DPA is governed by Delaware law, consistent with the Agreement.


Annex A — Details of Processing

Subject Matter & Purpose. Provision, maintenance, support, and security of TensorGuard’s DFIR, insider-threat, and investigation Services; generation of reports and dashboards; limited improvement of Services using operational metadata and error logs.

Duration. For the term of the Agreement and any post-termination archival or legal-hold period.

Frequency & Nature. Continuous, as initiated by Customer’s Administrators/users and the Services’ operation.

Categories of Data Subjects. Customer’s and End Users’ personnel, contractors, and other authorized users; individuals whose data resides on devices/accounts Customer lawfully collects for investigation.

Types of Personal Information.

  • Account & Identity: name, email, org identifiers, roles, IdP identifiers.
  • Operational/Logs: IP addresses, timestamps, device IDs, usage metadata.
  • Forensic Data: device, cloud workspace, and account artifacts potentially containing files, file metadata, system logs, process/network artifacts, browser history, communications content and headers (including emails and direct messages), and other content Customer chooses to upload, collect, or authorize via API integration.
  • Sensitive Personal Information (SPI): may be included within Forensic Data; TensorGuard Processes SPI solely to provide the Services per Customer’s instructions.

Special Processing. No biometric, health, or education records are targeted; such data may exist within Forensic Data at Customer’s direction. No intentional Processing of children’s data (<18).


Annex B — Technical & Organizational Security Measures

  1. Governance & Access: role-based access control; least privilege; MFA for admin access; background-checked personnel where permitted.
  2. Encryption: TLS for data in transit; strong encryption for data at rest; managed keys.
  3. Network & Infrastructure: segmented environments; endpoint hardening; vulnerability scanning and timely patching; DDoS/WAF protections.
  4. Monitoring & Logging: centralized logging; security event monitoring; audit trails for admin actions and data access.
  5. Secure Development: code review; dependency scanning; secrets management; change control.
  6. Resilience: regular backups; tested restoration; disaster recovery in U.S. regions.
  7. Third Parties: risk assessment and contractual controls for sub-processors; periodic reviews.
  8. Incident Response: documented plan; 24×7 alerting; breach notification within 72 hours of confirmation.
  9. Data Lifecycle: data minimization; retention aligned to Agreement (default deletion, optional archival); secure deletion.

Annex C — Current Sub-processors

Authentication/Identity (IdPs):

  • Microsoft Corporation — Authentication/IdP
  • Okta, Inc. — Authentication/IdP
  • Google LLC — Authentication/IdP
  • GitLab Inc. — Authentication/IdP

Hosting/Processing/Networking:

  • Google Cloud — Cloud hosting, compute, and zero-training Enterprise AI API processing (U.S. regions)
  • Hetzner US — Cloud hosting/compute (U.S. regions)
  • Cloudflare, Inc. — Network edge, CDN, WAF, DDoS mitigation

Communications, Consent, & Payments:

  • Mailgun Technologies, Inc. — Transactional email
  • Stripe, Inc. — Payment processing (tokenized billing data only)
  • Mercury Technologies, Inc. — Invoicing and payment operations
  • CookieYes Limited — Consent management platform (IP address hashing for audit trails only)

Note: Authentication transactions may be processed by IdPs on their own infrastructure per their architectures. Customer tools designated by Customer (e.g., SIEMs) are not TensorGuard sub-processors.


