This Data Processing Agreement ("DPA") applies automatically when you use PolicyForge to process personal data for which you are the controller. It supplements our Terms of Service and our Privacy Notice, in accordance with Article 28 GDPR.
1. Roles
You (the Customer) act as the Data Controller for the personal data you input or upload into PolicyForge.
NAGASHIELD SECURITY (French SAS, share capital €1, Paris RCS 989 235 999, registered office: 60 rue François 1er, 75008 Paris, France), publisher of the PolicyForge service, acts as the Data Processor and processes such data only on your documented instructions.
2. Subject matter and duration
Subject: provision of the PolicyForge service (generation, editing, export and storage of security policies, management of your organisation's users). Duration: the entire term of your active subscription, plus the reversibility period (30 days).
3. Nature of data and categories of data subjects
Categories of data: professional identifiers (name, email, role), policy content (which may mention employees, contractors, customers depending on your use).
Categories of data subjects: your employees, contractors, and any person referenced in the policies you generate.
4. PolicyForge obligations
- Process data only on your documented instructions.
- Ensure confidentiality through written undertakings from all personnel with access to data.
- Implement the technical and organisational measures described in Annex B.
- Assist you in responding to data subject requests (access, rectification, erasure).
- Notify you of any data breach without undue delay (within 48 hours in practice).
- Delete or return your data at the end of the service, at your choice.
- Make available the information necessary to demonstrate compliance, and allow audits.
5. Sub-processing
You authorise us to engage the subprocessors listed on the Subprocessors page. We notify any change (addition/replacement) at least 30 days before it takes effect, giving you the opportunity to object on legitimate grounds (in which case you may terminate without penalty).
6. International transfers
Where data is transferred outside the EU, transfers rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented by technical measures (end-to-end encryption, access controls). See the current list on the Subprocessors page.
7. Security (Annex B — summary)
- Encryption: AES-256 at rest, TLS 1.2+ in transit.
- Authentication: MFA available, server-side JWT validation, DB role lookup on every sensitive request.
- Multi-tenant: strict isolation via PostgreSQL Row Level Security.
- Audit logs: all sensitive actions tracked, retained for 12 months.
- Backups: automated, encrypted, geographically separated.
- Penetration testing: annual, by independent third party.
- Vulnerability management: continuous scanning, Critical SLA 72h, High 14 days.
- Training: mandatory security awareness for all personnel at onboarding and annually.
8. Breach notification
In the event of a data breach affecting your data, we notify you by email at the administrative address of your organisation, with: nature of the breach, approximate categories and volumes affected, likely consequences, measures taken or proposed.
9. Return and deletion
At the end of the service, you can export all your data in JSON format (from "My account") or request a full export by email. We then delete your data within 30 days, except where legal retention obligations apply.
10. Audit
You may audit our compliance once a year, on reasonable notice, either by reviewing the reports of our independent audits (SOC 2 / ISO 27001 when available), or, for Enterprise customers, on site with a third-party auditor of your choice under a confidentiality agreement.
11. Liability
Our liability under this DPA is governed by the Terms of Service and applicable law (GDPR). We remain liable for any failure by our sub-processors.
12. Acceptance
By creating an account and using PolicyForge, you accept this DPA on behalf of your organisation. For a formally signed version (PDF), contact contact@nagashieldsecurity.com.