Mallory

Data Processing Addendum

Last updated: June 22, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement between the customer (“Customer,” “you”) and Mallory.ai Inc. (“Mallory,” “we,” “us”) governing access to and use of the Services (the “Agreement,” comprising our Terms of Service and any applicable order form). This DPA applies to the extent Mallory processes Customer Personal Data on Customer’s behalf in the course of providing the Services. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data.

1. Definitions

  • “Applicable Data Protection Laws” means all privacy and data protection laws applicable to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, and U.S. state privacy laws including the California Consumer Privacy Act as amended (“CCPA/CPRA”).
  • “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the GDPR (or the equivalent terms under other Applicable Data Protection Laws).
  • “Customer Personal Data” means Personal Data contained within Customer Data that Mallory processes solely on behalf of and under the instructions of Customer in providing the Services.
  • “Sub-processor” means any third party engaged by Mallory to process Customer Personal Data.
  • “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in decision 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum where applicable.

2. Roles of the Parties

With respect to Customer Personal Data, the parties acknowledge that Customer is the Controller, Mallory is the Processor, and Mallory may engage Sub-processors in accordance with Section 6. Customer Data uploaded, submitted, or transmitted through the Services remains the property of Customer at all times unless ownership is explicitly shared or transferred by a written agreement. Mallory acts as an independent Controller only with respect to account-holder and billing data it collects to administer the Services, the processing of which is described in our Privacy Policy.

3. Scope and Instructions for Processing

Mallory will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by applicable law. The Agreement, this DPA, and Customer’s configuration and use of the Services constitute Customer’s complete and final documented instructions.

Mallory will promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws or if Mallory is unable to follow an instruction for technical or legal reasons. Mallory will process Customer Personal Data only for the purposes described in Annex 1 and will not retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, including not “selling” or “sharing” it as those terms are defined under the CCPA/CPRA.

4. Confidentiality

Mallory will keep Customer Personal Data confidential and will ensure that any personnel and authorized parties (including Sub-processors) who process Customer Personal Data are subject to a binding duty of confidentiality and process such data only as necessary to provide the Services.

5. Security Measures

Mallory will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Annex 2. Mallory maintains a SOC 2 Type 2 attestation and will, on reasonable request, make available a summary of its current security measures.

6. Sub-processors

Customer provides a general authorization for Mallory to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is available at mallory.ai/subprocessors.

Mallory will provide advance notice of the addition or replacement of any Sub-processor before that Sub-processor begins processing Customer Personal Data and will give Customer the opportunity to object on reasonable data-protection grounds. Mallory will impose on each Sub-processor data protection and security obligations at least equivalent to those set out in this DPA, and remains responsible for each Sub-processor’s performance of those obligations.

7. Assistance to Customer

Taking into account the nature of the processing, Mallory will provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, to enable Customer to:

  • respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (access, correction, deletion, portability, objection, and opt-out);
  • fulfill its obligations regarding the security of processing, the notification of Personal Data Breaches, and data protection impact assessments and prior consultations with supervisory authorities.

If Mallory receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond directly (except to confirm receipt or as legally required) and will, where permitted, promptly forward the request to Customer.

8. Personal Data Breach Notification

Mallory will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Mallory will reasonably cooperate with and assist Customer in managing and mitigating the consequences of the breach, including supporting Customer’s own notification obligations.

9. Records and Cooperation with Regulators

Mallory will maintain records of its processing activities carried out on behalf of Customer as required by Applicable Data Protection Laws, and will cooperate, on request, with the relevant supervisory or regulatory authorities in the performance of their tasks.

10. Audits and Information

Mallory will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including its most recent SOC 2 Type 2 report and security documentation, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, scheduling, and scope limitations.

11. International Data Transfers

Customer Personal Data is hosted in the United States. Where the provision of the Services involves the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, the parties agree that the Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) are incorporated into and form part of this DPA. Mallory will not engage in onward transfers of Customer Personal Data to additional countries outside the EEA without the prior permission of Customer and appropriate safeguards.

12. Return and Deletion of Customer Personal Data

Upon termination or expiry of the Agreement, Mallory will, at Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless retention is required by applicable law. Mallory will make Customer Data available for export for thirty (30) days following termination, after which it may be securely deleted in accordance with Mallory’s data management procedures.

13. General Provisions

This DPA is governed by the same law that governs the Agreement, except where Applicable Data Protection Laws require otherwise. Except as amended by this DPA, the Agreement remains in full force and effect. If any provision of this DPA is found to be unenforceable, the remaining provisions will remain in effect.

Annex 1 — Details of Processing

  • Subject matter and duration: Processing of Customer Personal Data for the provision of the Services for the duration of the Agreement.
  • Nature and purpose: Hosting, storage, analysis, and delivery of threat-intelligence and related functionality as configured by Customer.
  • Categories of Data Subjects: Customer’s authorized users and any individuals whose Personal Data is contained in Customer Data submitted to the Services.
  • Types of Personal Data: Account identifiers (name, business email), authentication and usage data, and any Personal Data Customer elects to submit within Customer Data.

Annex 2 — Technical and Organizational Measures

Mallory maintains measures including: encryption of Customer Data in transit (TLS 1.2+) and at rest (AES-256); role-based access controls and least-privilege access enforced with multi-factor authentication for production systems; network segmentation and a web application firewall; centralized logging, monitoring, and threat detection with alerting; secrets management via a managed key-management and secrets service; vulnerability management and regular independent penetration testing; a documented incident response program; secure software development practices with mandatory code review; vendor risk management; and a security awareness program for personnel. These measures are independently examined under Mallory’s SOC 2 Type 2 attestation.

Annex 3 — Sub-processors

The current list of authorized Sub-processors is maintained at mallory.ai/subprocessors.

Contact

For questions about this DPA, or to request a signable copy for execution, please contact:

Mallory.ai Inc.

Email: privacy@mallory.ai