Data Processing Agreement
Last updated June 11, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer organization ("Controller") and Impaque, operator of Spotting The Bait ("Processor", "we"), and governs the processing of personal data we carry out on the Controller's behalf. It is a starting-point draft — confirm the controller/processor split and terms with your counsel.
1. Roles & scope
For personal data in the employee roster the Controller uploads and the challenge-response data we generate on its behalf, the Controller is the data controller and we are the data processor. For our own administrator-account data we act as an independent controller (see the Privacy Policy). This DPA applies to the processor relationship.
2. Subject matter, duration, nature & purpose
- Subject matter: delivery of a simulated-phishing security-awareness training service.
- Duration: the term of the Controller's subscription, plus the deletion window in section 8.
- Nature & purpose: sending simulated phishing emails to enrolled staff, recording their responses, and producing training reports for the Controller.
3. Categories of data subjects & personal data
- Data subjects: the Controller's staff members (and the Controller's own administrators).
- Personal data: name (optional), email address, role and department (optional), and challenge-activity data (which challenges were sent, opened, clicked, the answer chosen, timestamps, and a one-way hash of the responder's IP address). We do not intend to process special-category data; the Controller should not place such data in roster fields.
4. Our obligations as processor
- Process personal data only on the Controller's documented instructions (including those given through the product), unless required by law, in which case we will inform the Controller where permitted.
- Ensure personnel authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (section 6).
- Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
- Make available information necessary to demonstrate compliance and allow for reasonable audits (section 9).
5. Sub-processors
The Controller authorizes us to engage the sub-processors below to deliver the service. We impose data-protection obligations on each that are no less protective than this DPA, and we remain responsible for their performance. We will give the Controller advance notice of any intended change and an opportunity to object.
- Vercel Inc. — application hosting (United States).
- Neon Inc. — managed Postgres database.
- Stripe, Inc. — payment processing (administrator billing data).
- Resend (Plus Five Five, Inc.) — transactional and challenge email delivery.
6. Security
We maintain measures including encryption of data in transit, hashed passwords, signed and time-limited email-click links, optional two-step verification for administrators, least-privilege access to production systems, and storage of only a one-way hash of responder IP addresses. We review these measures and improve them over time.
7. Personal-data breaches
We will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with the information reasonably available to help the Controller meet its own notification obligations.
8. Return & deletion
On termination, or on the Controller's instruction, we will delete or return the Controller's personal data and delete existing copies within [30] days, except where retention is required by law. Administrators can also export or delete their organization's data themselves at any time from Account settings.
9. Audits
We will make available information necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and frequency limits.
10. International transfers
Some sub-processors are located in the United States. Where personal data is transferred outside the EEA/UK, the transfer relies on an appropriate safeguard such as the EU Standard Contractual Clauses (and the UK Addendum where applicable). [Confirm the transfer mechanism with counsel.]
11. General
In case of conflict between this DPA and the main agreement on data protection, this DPA prevails. Liability, governing law, and jurisdiction follow the main agreement. [Review with counsel.]
Contact
Data-protection questions: privacy@spottingthebait.com. See also our Privacy Policy and Terms of Service.
Spotting The Bait is operated by Impaque. Questions about this document? Email legal@spottingthebait.com.