Definitions
Terms not defined here have the meaning given in the EU General Data Protection Regulation (“GDPR”) or the UK GDPR. “Personal Data”, “Data Subject”, “Processing”, “Controller”, and “Processor” carry their GDPR meanings.
Roles and scope
You are the Controller of Personal Data submitted to the Service. CyberTwin is the Processor. CyberTwin processes the Personal Data only on your documented instructions, including transfers to third countries, except as required by law.
Categories of data and subjects
- Subjects: your employees, contractors, customers' personnel referenced in environment data, integration users.
- Categories: identifiers (name, email), professional context (role, organization, MFA status), audit-trail data (sign-ins, configuration changes), and any Personal Data you choose to upload via documents.
We do not require, and we recommend you do not submit, special-category Personal Data (health, biometric, genetic, religious, political, sex life). If you do, you remain the Controller and warrant that you have an appropriate legal basis.
Subprocessors
Current subprocessors are listed on our Trust & security page. We will notify you in writing 30 days before adding a subprocessor. You may object on reasonable grounds; if we cannot accommodate the objection, you may terminate the affected portion of the Service for a prorated refund.
International transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a third country lacking an adequacy decision, the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and, where applicable, the UK International Data Transfer Addendum are deemed incorporated and govern the transfer.
Security measures
We implement the technical and organizational measures described on our Trust & security page, including TLS 1.2+ in transit, encryption at rest, KMS-isolated integration credentials, audit logging, and alignment with the SOC 2 Trust Services Criteria. We can update these measures as long as the level of protection is not reduced.
Personal Data breach notification
We notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting your data. Notifications include the categories and approximate volumes of records affected, the likely consequences, and the measures taken or proposed.
Data Subject requests
We assist you in responding to Data Subject access, rectification, deletion, restriction, portability, and objection requests, taking into account the nature of the processing. Data export (supporting access and portability) is self-serve from Settings → Data management; deletion and other requests can be addressed to privacy@cybertwin.io.
Audits
On reasonable written notice, and not more than once per year except after a Personal Data breach, you may audit our compliance with this DPA. We satisfy audit obligations through our security-controls documentation (available under NDA) and, once issued, our SOC 2 Type II attestation. SOC 2 Type II is in progress — attestation expected Q2 2027.
Return and deletion
On termination of the Service, Personal Data remains available for export for 90 days, is retained a further 90 days for re-activation, and is then deleted — 180 days total — except as legally required to retain. Backups expire on their normal cycles.
Conflicts
In case of conflict, this DPA controls over the Terms of Service for matters relating to Personal Data Processing.
Signatures
Acceptance of these terms by your authorized representative (in-app, by email, or by signed order form) constitutes execution of this DPA on behalf of the Controller.