Data Processing Agreement.

Under UK GDPR, when you process personal data through EtherITSM as your tenant we are the processor and you are the controller. The DPA below is the headline summary; the full signable contract is available on request.

Scope

The DPA covers tenant data — tickets, change records, problem records, knowledge articles, configuration items, attachments, audit logs and end-user contact details — for as long as your subscription is active.

Where data is processed

Customer tenant data is processed in the United Kingdom on equipment owned by Ether-X Ltd. We do not transfer tenant data outside the UK as part of the standard service. Sub-processor exposure is limited to the operational tooling listed below.

Sub-processors

The current sub-processor list is published on the security page. We notify customers of new sub-processors with at least 30 days' notice; customers may object in writing, in which case we'll work to a substitute or grant termination rights.

Security measures

Tenant isolation enforced at the row level in the database. Audit log on every read and write. Penetration tests against the live platform on every major release with results shared under NDA. Detail on /security.

Breach notification

We notify the controller within 24 hours of confirming a personal-data breach affecting their tenant, with details of the data involved, likely consequences, and the measures taken or proposed.

Sub-processor and DPA requests

Email [email protected] to receive the signable DPA, schedule a security review, or request the current sub-processor inventory in writing.

This page is the headline summary. The signed DPA between Ether-X Ltd and the customer is the binding instrument; nothing on this page modifies it.