Skip to content
Cybrshield
  • Home
  • Platform
  • Solutions
  • Pricing
  • Contact
Sign InLogin Start FreeSignup
Home Platform Solutions Pricing Contact
Sign In Start Free
Legal

Data Processing Agreement

How we process personal data on your behalf under UK and EU data protection law.

Last updated: July 2026

1. Parties & Roles

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between you ("Customer") and Cyberlight Ltd, the company behind Cybrshield ("we", "us", "our"). It applies where we process personal data on your behalf in the course of providing the Cybrshield platform (the "Service").

  • For personal data contained in endpoint and telemetry data that you route through the Service (for example, device identifiers, user names, and application execution events), you are the data controller and we act as your data processor.
  • For the account and billing data we collect to operate our business and your relationship with us, we act as an independent controller, as described in our Privacy Policy.

2. Definitions

Terms such as "personal data", "processing", "data controller", "data processor", "sub-processor", "data subject", and "personal data breach" have the meanings given to them in the UK GDPR and the Data Protection Act 2018, and, where applicable, the EU GDPR (together, "Data Protection Law").

3. Scope, Duration, Nature & Purpose

We process personal data only to provide, operate, secure, and support the Service in accordance with your use of it and your documented instructions. Processing continues for the duration of your use of the Service and until deletion or return of the data as described in this DPA. Further particulars are set out in Annex 1.

4. Our Obligations as Processor

Where we act as your processor, we will:

  • process personal data only on your documented instructions, including as set out in the Terms of Service, this DPA, and your configuration of the Service, unless required to do otherwise by law (in which case we will inform you where legally permitted);
  • ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations;
  • implement appropriate technical and organisational measures to protect the personal data, taking into account Article 32 of the UK GDPR (see Annex 2);
  • assist you, taking into account the nature of the processing, in responding to data-subject requests and in meeting your obligations around security, breach notification, and data protection impact assessments;
  • notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf;
  • at your choice, delete or return the personal data at the end of the provision of the Service, unless we are required to retain it by law;
  • make available to you the information reasonably necessary to demonstrate compliance with this DPA and, where required, allow for and contribute to audits, subject to reasonable confidentiality and security controls.

5. Sub-processors

You provide general authorisation for us to engage the sub-processors listed below to help us deliver the Service. We impose data-protection obligations on our sub-processors that are no less protective than those in this DPA, and we remain responsible for their performance. Where we intend to add or replace a sub-processor, we will update this page and, where required, give you the opportunity to object on reasonable data-protection grounds.

Sub-processor Purpose Location
Netcup GmbH Cloud hosting and infrastructure Germany (EU)
Cloudflare, Inc. Content delivery, proxy, and web application firewall Global (EU/US)
Stripe, Inc. / Stripe Payments Europe Payment processing (we do not store card data; PCI DSS SAQ-A) EU/US
OpenAI AI triage of unknown executables — file metadata and hashes only; no client file content US
PolySwarm, Jotti, CIRCL Threat-intelligence lookups — file hashes only; no file content or metadata EU/US

6. International Transfers

The Service is hosted within the EU. Where any transfer of personal data outside the UK or EEA takes place (for example, to a sub-processor in the United States), we rely on an appropriate transfer mechanism, such as the UK International Data Transfer Agreement (IDTA) or Addendum, or the EU Standard Contractual Clauses, together with any additional safeguards required by Data Protection Law.

7. Data-Subject Requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Data Protection Law. If a data subject contacts us directly regarding personal data we process on your behalf, we will, where lawful, refer them to you. Our handling of data-subject requests aligns with the 30-day response commitment in our Privacy Policy.

8. Data Minimisation at the Endpoint

The Cybrshield agent is designed to minimise the personal data that leaves your devices. For the purposes of threat-intelligence and AI analysis, only file hashes and metadata leave the endpoint — client file content is never transmitted. Threat-intelligence lookups use file hashes only.

9. Liability

Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service, including the aggregate liability cap set out there. This DPA does not create any liability beyond that agreed in the Terms of Service.

10. Governing Law & Contact

This DPA is governed by the laws of England and Wales, and disputes are subject to the exclusive jurisdiction of the courts of England and Wales. For any data-protection enquiry, or to exercise rights or raise questions under this DPA, contact us at [email protected].

Annex 1 — Particulars of Processing

  • Subject matter: provision of the Cybrshield application-control platform.
  • Duration: for the term of your use of the Service and until deletion or return of the data.
  • Nature and purpose: allowlisting and controlling application execution on managed endpoints, classifying software, resolving requests, and providing related security, reporting, and support.
  • Types of personal data: account and contact details; device and endpoint identifiers; user names associated with devices; application execution events, file hashes, and policy outcomes.
  • Categories of data subjects: your personnel, contractors, and the users of the devices you manage with the Service.

Annex 2 — Technical & Organisational Measures

We maintain measures appropriate to the risk, including:

  • encryption of data in transit using TLS;
  • hashed storage of passwords and access controls based on role (RBAC);
  • two-factor authentication (TOTP) and login rate-limiting;
  • multi-tenant isolation of customer data;
  • hardened operating-system permissions on endpoint runtime data (SYSTEM-only writer, restricted DACL);
  • secret scanning and security testing in our development pipeline, and hardened remote access to our infrastructure.

Annex 3 — Sub-processors

The current list of sub-processors we engage is set out in Section 5 above, together with each sub-processor's purpose and location.

Data-protection questions?

Email [email protected] or use our contact page.

Cybrshield

Intelligent app control security for Windows. Powered by AI, built for IT teams of every size.

© 2026 Cybrshield. All rights reserved.

Product

  • Home
  • Platform
  • Pricing

Company

  • About Us
  • Solutions
  • Contact

Support & Legal

  • Help Centre
  • Contact Us
  • FAQ
  • Privacy Policy
  • Terms of Service
  • Data Processing Agreement
  • Acceptable Use Policy
  • Service Level Agreement
  • End User Licence Agreement

Account

  • Sign In
  • Get Started Free
Deny first / Then trust.
We use only essential cookies to keep you signed in and secure — no tracking or advertising. Learn more.