Menu

Data Processing Addendum (DPA)

Effective date: January 1, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Palisade Networks LLC ("Palisade," "Processor") and the Customer ("Controller") and governs Palisade's processing of Personal Data on the Controller's behalf.

1. Roles and scope

1.1 For Customer Data that constitutes Personal Data — including data the Agent collects from Managed Devices and Connected Devices — the Customer is the Controller and Palisade is the Processor (or sub-processor where the Customer is itself a processor).

1.2 Palisade processes Personal Data only to provide the Service and only on the Controller's documented instructions, including as set out in the Terms and this DPA.

1.3 The Controller is responsible for the lawfulness of the Personal Data and its instructions, including obtaining any required notices and consents from device users (e.g. employee-monitoring disclosures).

2. Processor obligations

Palisade will:

(a) Process on instructions — process Personal Data only per the Controller's documented instructions, and inform the Controller if an instruction appears to violate applicable law; (b) Confidentiality — ensure personnel authorized to process Personal Data are under confidentiality obligations; (c) Security — implement appropriate technical and organizational measures (see Annex II and /security); (d) Sub-processors — engage sub-processors only under Section 4; (e) Assist the Controller — taking into account the nature of processing, assist with data-subject requests and with the Controller's obligations regarding security, breach notification, and data-protection impact assessments; (f) Breach notification — notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's Personal Data, with available details; (g) Deletion/return — on termination, delete or return Personal Data per the Terms, except where retention is required by law; (h) Audits — make available information necessary to demonstrate compliance and allow for reasonable audits, subject to confidentiality and Section 6.

3. Data-subject requests

If Palisade receives a request from a data subject regarding the Controller's Personal Data, Palisade will, where legally permitted, redirect the request to the Controller and assist the Controller in responding.

4. Sub-processors

4.1 The Controller authorizes Palisade to engage sub-processors to provide the Service. Current sub-processors are listed in Annex III.

4.2 Palisade will impose data-protection obligations on sub-processors substantially similar to those in this DPA and remains responsible for their performance.

4.3 Palisade will give notice of new sub-processors and a reasonable opportunity to object on reasonable data-protection grounds.

5. International transfers

Where processing involves transfer of Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, including the EU Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated by reference and completed using the details in the Annexes.

6. Audits

The Controller may audit Palisade's compliance no more than once per year (and on a breach), on reasonable prior notice, during business hours, subject to confidentiality and not unreasonably interfering with operations. Palisade may satisfy audit requests by providing third-party reports or its security documentation.

7. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.


Annex I — Details of processing

  • Subject matter: provision of the Palisade endpoint-administration Service.
  • Duration: the term of the Terms of Service.
  • Nature and purpose: hosting, transmitting, and processing device and operational data to enable remote administration, monitoring, network discovery, and device access at the Controller's direction.
  • Categories of data subjects: the Controller's personnel, Authorized Users, and end users of Managed Devices.
  • Categories of Personal Data: account and contact data; device identifiers and inventory (hostname, IPs, logged-in user); usage, telemetry, and log data; network-discovery data; data incidentally present in administered sessions/files.
  • Special categories: none intended; the Controller must not submit special-category data except as lawfully permitted.

Annex II — Technical and organizational measures

Summarized at /security: TLS 1.2+ in transit; tokens stored as SHA-256 digests; bcrypt passwords; AES-256-GCM encryption of sensitive secrets at rest with domain-separated keys; role-based access control with a per-message agent-channel allowlist; multi-tenant isolation scoped by organization; MFA; append-only audit logging with retention.

Annex III — Sub-processors

Sub-processorPurposeLocation
Amazon Web ServicesTransactional email (SES) and edge relayUnited States
StripeBilling and payment processingUnited States
CloudflareDNS, CDN, and web analyticsUnited States / Global
GoogleSite and product analyticsUnited States