Data Processing Addendum (DPA)
Effective date: January 1, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Palisade Networks LLC ("Palisade," "Processor") and the Customer ("Controller") and governs Palisade's processing of Personal Data on the Controller's behalf.
1. Roles and scope
1.1 For Customer Data that constitutes Personal Data — including data the Agent collects from Managed Devices and Connected Devices — the Customer is the Controller and Palisade is the Processor (or sub-processor where the Customer is itself a processor).
1.2 Palisade processes Personal Data only to provide the Service and only on the Controller's documented instructions, including as set out in the Terms and this DPA.
1.3 The Controller is responsible for the lawfulness of the Personal Data and its instructions, including obtaining any required notices and consents from device users (e.g. employee-monitoring disclosures).
2. Processor obligations
Palisade will:
(a) Process on instructions — process Personal Data only per the Controller's documented instructions, and inform the Controller if an instruction appears to violate applicable law; (b) Confidentiality — ensure personnel authorized to process Personal Data are under confidentiality obligations; (c) Security — implement appropriate technical and organizational measures (see Annex II and /security); (d) Sub-processors — engage sub-processors only under Section 4; (e) Assist the Controller — taking into account the nature of processing, assist with data-subject requests and with the Controller's obligations regarding security, breach notification, and data-protection impact assessments; (f) Breach notification — notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's Personal Data, with available details; (g) Deletion/return — on termination, delete or return Personal Data per the Terms, except where retention is required by law; (h) Audits — make available information necessary to demonstrate compliance and allow for reasonable audits, subject to confidentiality and Section 6.
3. Data-subject requests
If Palisade receives a request from a data subject regarding the Controller's Personal Data, Palisade will, where legally permitted, redirect the request to the Controller and assist the Controller in responding.
4. Sub-processors
4.1 The Controller authorizes Palisade to engage sub-processors to provide the Service. Current sub-processors are listed in Annex III.
4.2 Palisade will impose data-protection obligations on sub-processors substantially similar to those in this DPA and remains responsible for their performance.
4.3 Palisade will give notice of new sub-processors and a reasonable opportunity to object on reasonable data-protection grounds.
5. International transfers
Where processing involves transfer of Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, including the EU Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated by reference and completed using the details in the Annexes.
6. Audits
The Controller may audit Palisade's compliance no more than once per year (and on a breach), on reasonable prior notice, during business hours, subject to confidentiality and not unreasonably interfering with operations. Palisade may satisfy audit requests by providing third-party reports or its security documentation.
7. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.
Annex I — Details of processing
- Subject matter: provision of the Palisade endpoint-administration Service.
- Duration: the term of the Terms of Service.
- Nature and purpose: hosting, transmitting, and processing device and operational data to enable remote administration, monitoring, network discovery, and device access at the Controller's direction.
- Categories of data subjects: the Controller's personnel, Authorized Users, and end users of Managed Devices.
- Categories of Personal Data: account and contact data; device identifiers and inventory (hostname, IPs, logged-in user); usage, telemetry, and log data; network-discovery data; data incidentally present in administered sessions/files.
- Special categories: none intended; the Controller must not submit special-category data except as lawfully permitted.
Annex II — Technical and organizational measures
Summarized at /security: TLS 1.2+ in transit; tokens stored as SHA-256 digests; bcrypt passwords; AES-256-GCM encryption of sensitive secrets at rest with domain-separated keys; role-based access control with a per-message agent-channel allowlist; multi-tenant isolation scoped by organization; MFA; append-only audit logging with retention.
Annex III — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Transactional email (SES) and edge relay | United States |
| Stripe | Billing and payment processing | United States |
| Cloudflare | DNS, CDN, and web analytics | United States / Global |
| Site and product analytics | United States |