Legal

Data Processing Agreement

Last reviewed: July 2026

For enterprise customers who require a signed DPA as part of their GDPR, UK GDPR, HIPAA, or procurement process.

Overview

Where Cerbi processes personal data on behalf of a customer — for example, if a customer enables optional diagnostic telemetry in their CerbiShield deployment — Cerbi acts as a data processor and the customer acts as a data controller.

Under GDPR Art. 28 and equivalent legislation, a written data processing agreement is required between controllers and processors. Cerbi provides a standard DPA that covers these obligations.

Note that for most CerbiShield deployments, diagnostic telemetry is disabled by default. In that configuration, Cerbi does not act as a processor for your application data — your Azure tenant and its services do. The DPA is still available for customers whose procurement processes require it regardless of telemetry configuration.

What the Cerbi DPA covers

Controller/processor relationship and respective obligations
Subject matter, nature, and purpose of processing
Types of personal data and categories of data subjects
Sub-processor obligations and prior approval process
Technical and organizational security measures (TOMs)
Cross-border transfer mechanisms (EU Standard Contractual Clauses, UK IDTA)
Data subject rights assistance obligations
Breach notification obligations (72-hour GDPR timeline)
Audit rights and evidence provision
Data deletion and return obligations on contract termination

Who typically needs a DPA

  • Organizations subject to GDPR or UK GDPR whose procurement or legal teams require a signed DPA before deploying a vendor product
  • Healthcare organizations subject to HIPAA requiring a Business Associate Agreement (BAA)
  • Organizations subject to state privacy laws (CCPA, VCDPA, etc.) that include data processing agreement requirements
  • Enterprise customers whose InfoSec or GRC teams require documented processor commitments as part of third-party risk management

Cross-border transfer mechanisms

For transfers of personal data from the EEA, UK, or Switzerland to the United States, the Cerbi DPA incorporates the following mechanisms:

EU Standard Contractual Clauses (SCCs)

2021 European Commission SCCs (controller-to-processor module). Included as an exhibit to the DPA.

UK International Data Transfer Addendum (IDTA)

ICO-approved IDTA incorporated as an addendum for UK personal data transfers.

Swiss SCCs

Available on request for processing of personal data subject to the Swiss FADP.

Request the DPA

To receive the Cerbi DPA for review or signature, email us with:

  • Your organization name and registered address
  • The legal entity that will be the contracting party
  • Whether you require the EU SCCs, UK IDTA, or both
  • Whether you require a HIPAA BAA
  • Any specific exhibit requirements from your legal team

We typically respond to DPA requests within 2 business days. Standard DPA review and countersignature takes 5–10 business days depending on requested modifications.

Self-service and trial customers

If you are on a self-service trial and do not yet have a signed subscription agreement, you may still request the DPA for procurement review. We will send you the standard form DPA that would apply to a paid subscription. Contact legal@cerbi.io.

Related documents

  • Privacy Policy — how Cerbi handles personal data as a controller
  • Subprocessors — third-party vendors covered by the DPA sub-processor provisions
  • Security Overview — technical and organizational measures referenced in the DPA
  • Trust Hub — full enterprise evaluation package

[ cerbi ] · Start now

One NuGet package. No pipeline changes. Policy-as-code governance that runs in-process before sensitive data ever reaches Splunk, Datadog, or Azure Monitor.

14-day free trial/No credit card/Works with Serilog · NLog · MEL
Data Processing Agreement | Cerbi