Data Processing Addendum

This Data Processing Addendum and its schedules (“DPA”) shall apply solely between Invicti and the entity purchasing or licensed to use the Invicti Solution (“Client”) where the provision of the Invicti Solution and/or Support by Invicti to Client involves the Processing of Client Personal Data subject to Data Protection Law.

This Addendum shall be incorporated into, and form an integral part of: (i) the Subscription Services Agreement (https://www.invicti.com/legal/ssa) or other negotiated agreement between Customer and Invicti (the “SSA”), or (ii) the End User License Agreement (https://invicti.com/legal/EULA), as amended, between End User and Invicti, whichever applies to the Client’s access to the Invicti Solution and related Support (the applicable framework agreement being referred to as the “Underlying Agreement”). If there is a conflict between this Addendum and the terms of the Underlying Agreement, this Addendum shall prevail with respect to its subject matter. Capitalized terms used herein but not otherwise defined shall have the meaning ascribed to them in the Underlying Agreement, and references to “Customer” or “End User” shall apply to the Client as the context requires.

1. DEFINITIONS.

1.1. Any capitalized term not defined in this DPA will have the meaning given to it in the Underlying Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, along with its regulations, and as amended.

“Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing. “Controller” has the same meaning as “Business”, as that term is defined under applicable Data Protection Laws.

“Client Personal Data” means Personal Data Processed by Invicti (i) on behalf of Client and (ii) in connection with its provision of the Invicti Solution and related Support.

“Client Audit” means a review of the security of the Invicti Solution conducted by Client at its expense.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Underlying Agreement, including, but not limited to, the CCPA, the EU GDPR, and all other applicable data protection and privacy legislation in force from time to time in the EU (as may be applicable depending on the location of Client, Data Subjects and Processing of the relevant Personal Data).

“Data Subject” means an identified or identifiable person.

“EEA” means the European Economic Area.

“EU GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

“Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to accessing, collecting, using, storing, transferring, retaining, disclosing, selling, sharing, deleting, and destroying Personal Data.

“Processor” means an entity that Processes Personal Data on behalf of a Controller. “Processor” has the same meaning as “Service Provider” as that term is defined under applicable Data Protection Laws.

“Restricted Country” means any country (i) which is not a member of the European Economic Area; or (ii) which has not been approved by the European Commission pursuant to Article 45, GDPR as ensuring an adequate level of data protection in relation to personal data.

“Restricted Transfer” means a transfer of personal data between Customer and Invicti to a Restricted Country.

“Personal Data” means information that Processor Processes on behalf of Controller that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under applicable Data Protection Laws.

“Personal Data Breach” means a breach of Invicti’s security obligations under this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Client Personal Data.

“Standard Contractual Clauses” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries pursuant to EU GDPR as updated, amended, replaced, and superseded from time to time.

“Sub-processors” means any person or entity engaged by Invicti or an Affiliate to Process Client Personal Data in the provision of the Invicti Solution and related Support to Client.

“Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over Client.

“Third Party Audit Reports” means reports and certifications resulting from Invicti and/or its Sub-processors engaging qualified third party auditors to perform examinations and provide reports of its systems and services.

“TOMs” means Invicti’s Technical and Organizational Measures to ensure the security of the data located at the following URL: https://trust.invicti.com/profile.

“UK Addendum” refers to the UK’s International Data Transfer Addendum to the Standard Contractual Clauses, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

2. PURPOSE.

2.1. Invicti has agreed to provide the Invicti Solution to Client in accordance with the terms of the Agreement. Subject to the sections of this DPA, Client appoints Invicti to Process Client Personal Data for the purpose of providing the Invicti Solution and any related Support.

2.2. With respect to Client Personal Data under this DPA, the parties agree that Invicti may act as Processor to Client, where Client may act either as the Controller or Processor. Invicti may also act as a sub-processor. Where Client acts as Controller, Client shall be responsible for all Controller obligations under this DPA. Where Client acts as Processor, Customer shall be responsible for all Controller obligations under this DPA; and Client represents and warrants that the Controller has appointed Client as Processor to Process Personal Data of the Controller on the Controller’s behalf and that it is authorized to instruct Invicti and otherwise act on behalf of Client Affiliate(s) or Client's client in relation to the Client Personal Data in accordance with the Underlying Agreement and this DPA. The details of Processing and the description of transfer are stated at Schedule 1.

3. INVICTI OBLIGATIONS.

3.1. Invicti may Process Client Personal Data for the purpose of the Invicti Solution and related Support and only in accordance with the scope of the Agreement, this DPA, and Client’s documented instructions. This DPA is Client’s complete and final documented instruction to Invicti in relation to Client Personal Data. Additional instructions outside the scope of this DPA (if any) require prior written agreement between Invicti and Client, including agreement on any additional fees payable by Client to Invicti for carrying out such instructions.

3.2. Invicti will inform Client if it becomes aware or reasonably suspects that Client’s instructions regarding the Processing of Personal Data may violate any applicable Data Protection Laws.

3.3. Invicti will ensure that all employees, agents, officers, and contractors involved in the handling of Client Personal Data: (i) are aware of the confidential nature of the Client Personal Data and are contractually bound to keep the Client Personal Data confidential; (ii) have received appropriate training on their responsibilities as a Processor; and (iii) are bound by terms materially no less restrictive than the terms of this DPA.

3.4. Invicti will implement appropriate administrative, technical, and organizational safeguards required of Invicti by the GDPR to ensure the security of Client Personal Data. This requirement shall be deemed to have been fulfilled by adopting those measures detailed in the TOMs.

3.5. Any Restricted Transfer between Invicti and Client shall be subject to the Standard Contractual Clauses, if the cross-border or onward transfer involves Personal Data about individuals in EEA or Switzerland, and in tandem with the UK Addendum, if the cross-border onward transfer involves Personal Data about individuals in the United Kingdom (“UK”). In the event the parties rely on the Standard Contractual Clauses for such transfers, references to a “Member State” and “EU Member State” will not be read to limit or prevent Data Subjects in Switzerland from seeking to exercise their rights. The Standard Contractual Clauses and UK Addendum are hereby incorporated into this DPA by reference and deemed executed by the parties as of the Effective Date. For the purposes of the Standard Contractual Clauses, as applicable:

(A). the data exporter is Client;

(B). the data importer is Invicti;

(C). Where Client is:

(i). a Controller and Invicti is a Processor, Module 2 of the Standard Contractual Clauses shall apply to such transfers; or

(ii). a Processor and Invicti is also a Processor, Module 3 of the Standard Contractual Clauses shall apply to such transfers.

(D). (i) Clause 7 shall not apply; (ii) for the purposes of clause 9 the parties select Option 2 (general authorization) with a time period of 14 days; (iii) the optional language in clause 11(a) shall not apply; (iv) the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter; and (v) the governing law (clause 17) and choice of forum (clause 18) shall be Maltese law and the courts of Malta respectively.

(E). The technical and organizational security measures are as described in the TOMs.

3.6. Invicti will reasonably assist Client in meeting its obligation under applicable Data Protection Laws, including to carry out data protection impact assessments, taking into account the nature of Processing and the Personal Data available to Invicti.

3.7. Client and Invicti and, where applicable, their representatives, will cooperate, upon request, with a Supervisory Authority in the performance of their respective obligations under this DPA.

3.8. Upon Invicti’s or Sub-processors’ receipt of a legally-binding request for access to Personal Data from a Supervisory Authority and where permitted by applicable law, Invicti will (i) notify Client of the request for access and provide details about the requesting party, the types of Personal Data requested, and the purpose and methods of the disclosure (so as to provide Client the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or oppose the disclosure and obtain a protective order or seek other relief), and (ii) where applicable, also comply with the notice obligations set forth in Clause 15.1 of the Standard Contractual Clauses.

3.9. Invicti will not “sell” or “share” Personal Data, as those terms are defined under applicable Data Protection Laws.

3.10. Notwithstanding section 3.1, Invicti may Process Client Personal Data outside of Client’s instructions where that Processing is required by any law or order to which Invicti is subject. In such case, Invicti shall, except where prohibited by law from doing so, inform Client of that requirement.

4. CLIENT OBLIGATIONS.

4.1. Client represents and warrants that: (i) it will comply with the terms of the Underlying Agreement, this DPA, and the Data Protection Laws, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Invicti; (ii) it will ensure that its use of the Invicti Solution and any related Support will not violate the rights of any Data Subjects; and (iii) its instructions to Invicti will comply with Data Protection Laws, and that the Processing of Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of the Data Protection Laws. All Client Affiliates who use the Invicti Solution will comply with the obligations of Client set out in this DPA.

4.2. Client has sole responsibility for (i) the quality, legality, and accuracy of Client Personal Data, (ii) the means by which Client acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data. Client further represents and warrants that it has obtained any and all necessary permissions and authorizations necessary to permit Invicti, its Affiliates, and Sub-processors, to execute their rights or perform their obligations under this DPA.

4.3. Client must inform Invicti of any notice, inquiry (including any notice, investigation, complaint, or request) relating to Invicti’s processing of Personal Data and provide Invicti with a copy thereof within 48 hours of receipt. Notices should be sent to: privacy@invicti.com.

4.4. Client is responsible for making an independent determination as to whether the TOMs meet Client's requirements, including any of its security obligations under applicable Data Protection Laws. Client agrees that the Invicti Solution, and related Support and the TOMs meet Client’s needs with respect to Client’s security obligations under applicable Data Protection Law.

5. NOTIFICATION OF SECURITY BREACH.

5.1. Invicti will notify Client without undue delay after becoming aware of (and in any event within 72 hours of discovering) any confirmed Personal Data Breach.

5.2. Invicti will take all commercially reasonable measures to secure the Client Personal Data, to remediate the Personal Data Breach, and to assist Client in meeting Client’s obligations under applicable Data Protection Law(s). In the event of a Personal Data Breach, Invicti’s System Administration Team and Security Team will perform a risk-based assessment of the situation and develop appropriate strategies in accordance with Invicti incident response procedures, which include contacting Client and Client’s primary (technical or business) point of contact or Security Operation Center (“SOC”) to brief them on the situation and provide resolution status updates.

6. AUDIT.

6.1. No more than once in any 12 month period, for a maximum period of 1 Business Day, and upon not less than 30 days’ prior written notice from Client, unless in case of a confirmed Personal Data Breach, Invicti agrees to permit Client to perform a Client Audit of the security practices applicable to Personal Data processed by the Service, provided Invicti has not already provided adequate evidence to demonstrate its compliance with these data security practices. Client Audits may only be conducted by Client’s internal or external auditors who have entered into a nondisclosure agreement with and have been approved in writing by Invicti. The parties must mutually agree on the scope of the review, prior to the date of the Client Audit. The Client Audit must avoid disrupting Invicti operations and must be conducted strictly in accordance with Invicti’s security policies and procedures, and industry best practices. If the audit reveals that Invicti has breached its obligations under this DPA, Invicti will promptly initiate a remedy to such breach. Client Audits must be limited in scope to the security of Client Personal Data within Invicti premises, which are not covered by the Third Party Audit Reports or any other information made available to Client by Invicti outside of the Client Audit.

7. DATA SUBJECTS.

7.1. Invicti shall, to the extent legally permitted, promptly notify Client if Invicti receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing (“Data Subject Request”).

7.2. Taking into account the nature of the processing, Invicti shall assist Client by appropriate TOMs, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request under the Data Protection Laws.

7.3. If Client does not have the ability to address a Data Subject Request, Invicti may upon Client’s request, and to the extent possible and legally permitted, provide commercially reasonable efforts to assist Client in responding to such Data Subject Request regarding Invicti’s processing of Personal Data. To the extent legally permitted, Client will be responsible for any costs arising from Invicti’s provision of such assistance.

8. SUB-PROCESSORS.

8.1. Client agrees (by way of the grant of a general authorization) that Invicti may engage Sub-processors in connection with the provision of the Invicti Solution and Support. The list of Sub-processors can be found at the following URL: https://www.invicti.com/legal/subprocessors/.

8.2. Invicti shall, with respect to each Sub-processor, ensure in each case that it has in place a written agreement with such Sub-processor which imposes equivalent data protection obligations to those contained in this DPA (“Sub-processor Agreement”).

8.3. During the term of this DPA, Invicti will provide Client with prior notification, via email, of any changes to the list of Sub-processors who may process Client Personal Data before authorizing any new or replacement Sub-processors to process Client Personal Data in connection with the provision of the Invicti Solution and Support.

8.4. Client may object to the use of a new or replacement Sub-processor, by notifying Invicti promptly in writing within 14 days after receipt of Invicti’s notice. If Client objects to a new or replacement Sub-processor, that objection is reasonable, and such objection is not resolved within twenty (20) days of Invicti receiving the objection, Client may terminate the Underlying Agreement with respect to those Invicti Solution and Support which cannot be provided by Invicti without the use of the new or replacement Sub-processor. Invicti shall have no penalty or liability for termination under this section, and this is Client’s sole and exclusive remedy for termination under this section.

9. LIABILITY.

9.1. Each party and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, whether in contract, tort, or under any other theory of liability is subject to the “Limitation on Damages” section of the Underlying Agreement.

9.2. The parties agree that Invicti will, subject to the liability limit in section 9.1, be liable for any breaches of this DPA caused by the acts and omissions of its Sub-processors to the same extent Invicti would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

9.3. The parties agree that Client will be liable for any breaches of this DPA caused by the acts and omissions of its Affiliates and Users as if such acts and omissions had been committed by Client itself.

10. TERM AND TERMINATION.

10.1. This DPA shall come into effect on the effective date of the Underlying Agreement (“Effective Date”) and will automatically terminate upon the termination of the Underlying Agreement.

10.2. Subject to section 10.3, Client hereby instructs Invicti to delete the Client Personal Data remaining with Invicti within a reasonable time period in line with Data Protection Laws (not to exceed six months) following the termination of the Underlying Agreement. If Client wishes to retain any Client Personal Data following the termination of the Underlying Agreement, it may instruct Invicti within 30 days following the date of termination to return that Client Personal Data to Client.

10.3. Invicti and each contracted Sub-Processor may (acting as a Controller) retain one archival copy of such Client Personal Data solely for the purposes of ensuring compliance with the Underlying Agreement or to the extent and for such period as may be required by any applicable law, or by any order or direction of any competent Court, tribunal government or regulatory body, to which it may be subject.

10.4. Where any Client Personal Data is retained for such reasons, the Client Personal Data must be treated as Confidential Information.

11. GENERAL.

11.1. This DPA sets out the entire understanding of the parties, and supersedes all prior and contemporaneous agreements and understandings, with regards to the subject matter. No modification or waiver of any term in this DPA is effective unless both parties sign it.

11.2. Should a provision of this DPA be invalid or become invalid, then the legal effect of the other provisions will be unaffected. A valid provision is deemed to have been agreed upon, which comes closest to what the parties intended commercially and will replace the invalid provision. The same will apply to any omissions.

11.3. To the extent of any conflict or inconsistency between the terms of this DPA and the Underlying Agreement, the following order of precedence applies: (i) this DPA; and (ii) the Underlying Agreement. Subject to the amendments in this DPA, the Underlying Agreement remains in full force and effect.

11.4. Client may send any questions or concerns regarding this DPA to: privacy@invicti.com.

SCHEDULE 1 – ANNEX/APPENDIX 1 OF THE APPROVED EU SCCS

1. LIST OF PARTIES

Data Exporter:
• Name: Client
• Address: As specified in the Underlying Agreement
• Contact person’s name, position and contact details: The individual(s) Client designates as contact(s) on Client’s account.
• Activities relevant to the data transferred under these Clauses: The receipt of the Invicti Solution and Support provided on or behalf of Invicti as provided for in the Underlying Agreement.
• Role (controller/processor): Controller or Processor (as applicable)

Data Importer:
• Name: Invicti
• Address: As specified in the Underlying Agreement
• Contact person’s name, position and contact details: Karl Gonzi, General Manager, privacy@invicti.com
• Activities relevant to the data transferred under these Clauses: The delivery of the Invicti Solution and Support as provided for in the Underlying Agreement.
• Role (controller/processor): Processor or Sub-processor (as applicable)

2. DESCRIPTION OF TRANSFER

Categories of personal data transferred: Client may submit Personal Data to its account with Invicti, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of personal data:
1. Client personnel:
• First name and last name;
• Employer name;
• Contact information (company email, contact number and physical business address);
• IP address; and
2. Client authorized Users:
• First name and last name;
• Employer name;
• Contact information (company email, contact number and physical business address);
• IP address.
Categories of data subjects whose personal data is transferred: Client may submit personal data to its account with Invicti, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Data Subjects whose Personal Data is transferred:
1. Client personnel (employees, consultants, representatives, directors); and
2. Client authorized Users.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: Not applicable.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis, the frequency of which is determined by Client.
Nature of Processing/processing operations: The provision of the Invicti Solution and Support to Client.
Purpose(s) of the data transfer and further processing: The purpose of the Processing is the provision of the Invicti Solution and Support to Client and any resolution of technical issues provided for in the Underlying Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Until the expiration or termination of the Underlying Agreement, unless otherwise agreed in writing by Invicti and Client.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The nature and purpose of the Processing by Sub-processors is the provision of the Invicti Solution and Support to Client, as provided for in the Underlying Agreement; and the duration is until the expiration or termination of the Underlying Agreement.

3. COMPETENT SUPERVISORY AUTHORITY

The Office of the Information and Data Protection Commissioner (Malta) (https://idpc.org.mt/)

4. Table 4 of the UK Addendum:

Ending This DPA When the Approved Addendum Changes

Which Parties may end this DPA as set out in Section 19 of the UK Addendum:
x Data Importer
x Data Exporter
Neither Party

Last updated as of: 04 June 2026