Illustrative Data Processing Addendum (DPA) overview
This page summarizes, at a high level, how a platform like seqrity.ai may approach data processing commitments when acting as a processor or service provider.
Roles of the parties
seqrity.ai is typically engaged by customer organizations to provide an application security operations platform. Under frameworks such as the GDPR, the parties usually have the following roles:
- The customer organization acts as controller of the personal data it chooses to process through seqrity.ai.
- seqrity.ai acts as processor (or service provider/processor under other regimes) with respect to that data.
- Each party remains independently responsible for its own compliance obligations under applicable law.
Subject matter, duration and nature of processing
The DPA typically describes the subject matter and duration of processing as the provision of the seqrity.ai platform and related support services for the term of the customer agreement, plus any retention periods required for audit, security and legal obligations.
The nature of processing includes collecting, storing, organizing, analyzing and presenting data related to Signals, assets, findings and workflow activity, as instructed by the customer.
Customer instructions
seqrity.ai processes personal data only on documented instructions from the customer, except where required to do so by applicable law.
- The primary instruction is embodied in the customer's configuration of workspaces, integrations and users.
- seqrity.ai will notify the customer if it is required by law to process data in a way that conflicts with customer instructions, where permitted to do so.
Sub‑processors
seqrity.ai may engage sub‑processors, such as cloud infrastructure providers and support tools, to help deliver the service.
- Sub‑processors are bound by written agreements that include data protection obligations no less protective than those in the DPA.
- Customers are typically notified of core sub‑processors, and may have the opportunity to subscribe to updates.
- Where required, seqrity.ai will work with customers to assess the impact of new or changed sub‑processors.
Technical and organizational measures
seqrity.ai implements technical and organizational measures designed to protect customer data against unauthorized access, loss or alteration. High‑level themes may include:
- Encryption in transit and at rest for customer data.
- Access controls, least‑privilege permissions and segregation of duties.
- Secure software development lifecycle practices, including code review and vulnerability management.
- Logging and monitoring of key administrative operations.
- Business continuity and disaster recovery procedures for the platform.
Further detail is typically available in separate security documentation or annexes to the DPA.
Assistance with data subject requests and assessments
seqrity.ai supports customers in meeting their own obligations under data protection law, to the extent reasonably possible and as described in the DPA.
- Providing information about the service needed to complete data protection impact assessments.
- Assisting, where appropriate, with responses to data subject requests that involve seqrity.ai systems.
- Notifying customers of personal data breaches without undue delay, and cooperating in investigations and notifications, as required.
Audit, certification and documentation
The DPA normally describes how seqrity.ai's compliance posture can be assessed.
- Access to third‑party reports (for example, SOC 2 or ISO certifications) where available.
- Reasonable customer audit rights, subject to safeguards and scheduling requirements, as set out in the agreement.
- Documentation of technical and organizational measures in security or compliance portals.
This Data Processing overview is illustrative marketing copy for seqrity.ai and does not constitute a full Data Processing Addendum or legal advice. Any production deployment should be supported by an executed DPA, detailed security documentation and jurisdiction‑specific contractual terms agreed between seqrity.ai and each customer.