Data Processing Agreement
This Data Processing Agreement governs the processing of personal data by EVRIZ USA, Inc. and EVRIZ(이브리즈) on behalf of customers using the PhishSense platform.
Overview
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Customer” or “Controller”) and EVRIZ USA, Inc. (“Company”). This DPA governs the processing of personal data by Company on behalf of Customer in connection with the PhishSense platform (“Service”).
All server infrastructure on which customer data is stored and processed is owned and operated by EVRIZ(이브리즈) (“EVRIZ Korea”), a sole proprietorship located in the Republic of Korea. EVRIZ Korea is the primary infrastructure operator and data processor. EVRIZ USA, Inc. operates the PhishSense brand and website under a licensing arrangement with EVRIZ Korea.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person processed through the Service.
- Controller: The Customer, who determines the purposes and means of processing Personal Data.
- Processor: EVRIZ Korea, which processes Personal Data on behalf of the Controller.
- Sub-processor: Any third party engaged by the Processor to process Personal Data.
- Data Subject: The individual to whom the Personal Data relates.
- Applicable Data Protection Law: GDPR, PIPA, CCPA, and any other applicable data protection legislation.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data as necessary to provide the Service, which includes phishing simulation campaigns, security awareness training, and associated reporting and analytics.
2.2 Categories of Data Subjects
Employees, contractors, and authorized personnel of the Customer who are designated as targets for phishing simulation campaigns.
2.3 Types of Personal Data
- Name and email address of simulation targets
- Organizational role and department
- Simulation interaction data (email opened, link clicked, credentials submitted)
- Training completion and assessment results
- IP address and device/browser information collected during simulation interactions
2.4 Duration
Processing continues for the duration of the Customer’s subscription, plus a 30-day data retention period following termination or expiration, unless a longer period is required by applicable law.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the Controller in responding to Data Subject access requests and in ensuring compliance with data protection obligations.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
4. Security Measures
The Processor maintains the following security measures:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Regular access control reviews and principle of least privilege
- Multi-factor authentication for administrative access
- Regular vulnerability assessments and penetration testing
- Secure data center facilities with physical access controls
- Automated backup and disaster recovery procedures
- Employee security awareness training and confidentiality agreements
- Incident response and breach notification procedures
5. Sub-processors
5.1 Authorization
The Customer provides general authorization for the Processor to engage sub-processors. The Processor will inform the Customer of any intended changes to the list of sub-processors at least 14 days in advance, allowing the Customer to object.
5.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| EVRIZ(이브리즈) | Server infrastructure & data storage | Republic of Korea |
| Stripe, Inc. | Payment processing (direct subscriptions) | United States |
| Amazon Web Services | Email delivery infrastructure (SES) | Various |
| Google LLC | Analytics (Google Analytics) | United States |
5.3 Obligations
The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests, including rights of access, rectification, erasure, data portability, and restriction or objection to processing, as applicable under Applicable Data Protection Law.
If the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to such request without the Controller’s instructions, unless required by applicable law.
7. International Data Transfers
All customer data is stored exclusively on servers located in the Republic of Korea, operated by EVRIZ Korea. Where Personal Data is transferred to a sub-processor in a country that does not provide an adequate level of data protection, the Processor will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide sufficient information to enable the Controller to meet its notification obligations under Applicable Data Protection Law.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
9. Data Deletion and Return
Upon termination or expiration of the Customer’s subscription, the Processor shall, at the Controller’s choice:
- Return all Personal Data to the Controller in a commonly used format; or
- Delete all Personal Data and certify such deletion.
Deletion will be completed within 30 days of the end of the subscription period, except to the extent that applicable law requires retention of the Personal Data.
Contact Us
For questions regarding this Data Processing Agreement:
For matters related to data processing infrastructure: