Data Processing Agreement (DPA)

Last updated: March 5, 2026 | Effective: March 5, 2026

Compliance & Security Standards

  • GDPR: EU compliant
  • SOC 2: Type 1 ready
  • PDPA: Malaysia
  • AES-256: encryption

1. Definitions

This Data Processing Agreement ("DPA") is entered into between:

Data Controller ("Controller")

The Customer who determines the purposes and means of processing Personal Data through the use of LiteSOC services.

Data Processor ("Processor")

Rubiest Development, operating as LiteSOC, which processes Personal Data on behalf of the Controller in accordance with the Controller's instructions.

1.1 Key Terms

  • "Personal Data" means any information relating to an identified or identifiable natural person, including IP addresses, Actor IDs, email addresses, and geolocation data.
  • "Processing" means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Event" means any log entry submitted to LiteSOC for security monitoring and threat detection purposes.
  • "Data Breach" means any unauthorized access, disclosure, or loss of Personal Data.

2. Scope and Purpose of Processing

2.1 Nature of Processing

The Processor processes Personal Data to provide security observability services, including but not limited to:

  • Brute Force Detection - Identifying repeated failed authentication attempts
  • Impossible Travel Detection - Flagging geographically improbable login patterns
  • Geo-Anomaly Detection - Detecting unusual access from high-risk regions
  • Unauthorized Access Monitoring - Tracking privilege escalation and access denied events
  • Network Intelligence - Identifying VPN, Tor, proxy, and datacenter IP addresses

2.2 Categories of Personal Data

Data Category        Examples                      Purpose
IP Addresses         IPv4/IPv6 addresses           Geolocation, threat scoring
Actor Identifiers    User IDs, email addresses     Activity correlation
Device Information   User Agent strings            Device fingerprinting
Geolocation Data     Country, city, coordinates    Impossible travel detection
Event Metadata       Timestamps, event types       Security event correlation

2.3 Data Subjects

The categories of data subjects whose Personal Data may be processed include:

  • End-users of the Controller's applications
  • Employees and contractors of the Controller
  • Third parties accessing the Controller's systems

3. Processor Obligations

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by applicable law.

3.2 Confidentiality

The Processor ensures that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under appropriate statutory confidentiality obligations.

3.3 Assistance to Controller

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) and in ensuring compliance with GDPR Articles 32-36.

3.4 Data Deletion

Upon termination of services or upon Controller's request, the Processor shall delete or return all Personal Data within 30 days, unless retention is required by applicable law.

4. Technical & Organizational Security Measures

The Processor implements the following security measures in accordance with SOC 2 Type 1 requirements and industry best practices:

4.1 Encryption at Rest

All Personal Data is encrypted using AES-256 encryption in our PostgreSQL database hosted on Supabase.

4.2 Encryption in Transit

All data transmissions use TLS 1.3 encryption. HSTS is enabled with preload for all domains.

4.3 Row Level Security (RLS)

Tenant isolation is enforced with PostgreSQL Row Level Security policies, so each organization can access only its own data.

4.4 PII Auto-Redaction

Sensitive PII in security logs is automatically redacted to minimize data exposure while maintaining forensic utility.

4.5 Additional Security Controls

  • Multi-Factor Authentication (MFA) available for all accounts
  • Role-Based Access Control (RBAC) for team management
  • API key rotation and revocation capabilities
  • Comprehensive audit logging of all administrative actions
  • Regular security assessments and penetration testing
  • DDoS protection and rate limiting at the edge (Cloudflare)

5. Data Breach Notification

72-Hour Notification Commitment

The Processor commits to notifying the Controller of any confirmed Data Breach within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

5.1 Breach Notification Contents

Upon discovery of a Data Breach, the Processor shall provide the Controller with:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects
  • Contact details for further information

5.2 Cooperation

The Processor shall cooperate with the Controller and provide reasonable assistance in investigating and remediating any Data Breach, including assistance with any required regulatory notifications.

6. Sub-processors

6.1 The Controller provides general authorization for the Processor to engage Sub-processors listed below. The Processor shall notify the Controller of any intended changes to Sub-processors, giving the Controller an opportunity to object.

6.2 Authorized Sub-processors

Sub-processor    Purpose                               Location               Compliance
Vercel Inc.      Application hosting, edge computing   United States          SOC 2, GDPR
Supabase Inc.    PostgreSQL database, authentication   United States (AWS)    SOC 2, HIPAA
Upstash Inc.     Redis caching, queue processing       United States (AWS)    SOC 2
Resend Inc.      Transactional email delivery          United States          SOC 2
Stripe Inc.      Payment processing, billing           United States          PCI DSS, SOC 2

6.3 The Processor ensures that all Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

7. International Data Transfers

7.1 Personal Data may be transferred to and processed in the United States where our Sub-processors are located. Such transfers are conducted in compliance with GDPR Chapter V requirements.

7.2 For transfers to the United States, we rely on:

  • EU-U.S. Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures including encryption and access controls

8. Data Retention

8.1 Security event data is retained according to the Controller's plan:

  • Free Plan: 7 days
  • Pro Plan: 30 days
  • Enterprise Plan: 90 days (customizable)

8.2 Data beyond the retention period is automatically and permanently deleted from all systems, including backups, within 30 days.

9. Audits and Compliance Verification

9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws.

9.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

9.3 Upon request, the Processor shall provide copies of relevant certifications, including SOC 2 Type 1 reports (when available), to demonstrate compliance with security requirements.

10. Term and Termination

10.1 This DPA shall remain in effect for the duration of the Controller's use of LiteSOC services.

10.2 Upon termination, the Processor shall:

  • Cease all processing of Personal Data on behalf of the Controller
  • Provide the Controller with an export of its data upon request (within 30 days)
  • Delete all Personal Data within 30 days of termination, unless retention is required by law
  • Provide written certification of data deletion upon request

11. Governing Law

11.1 This DPA shall be governed by the laws of Malaysia, without regard to conflict of law principles.

11.2 For EU data subjects, the provisions of the GDPR shall apply to the extent they provide greater protection than Malaysian law.

12. Contact Information

For questions regarding this DPA or to exercise data subject rights:

  • Data Protection Contact: privacy@litesoc.io
  • Company: Rubiest Development
  • Address: Unit 17.2, Level 17, Wisma Sunway, 1 Jln Tengku Ampuan Zabedah C9/C, Seksyen 9, 40100 Shah Alam, Selangor, Malaysia
