SilentProof
Updated April 23, 2026
Data Processing Addendum
Processor terms for authorized SilentProof reviews.
This DPA preview describes how SilentProof handles personal data when it acts as a processor for a customer during an authorized review.
This public page is a practical preview for intake and procurement. Customer-specific terms can be attached to the versioned authorization record or a separate signed agreement.
01 Subject matter and duration
SilentProof processes limited personal data to verify, conduct, report, and support an authorized security review. Processing lasts for the engagement period and any agreed retention period for authorization records, final reports, evidence, retest, and support.
02 Nature and purpose
- Verify requester authority and approved scope before testing starts.
- Conduct non-destructive security review activity on approved customer-owned application surfaces.
- Prepare private reports, remediation guidance, and retest notes.
- Maintain limited records needed for auditability, safety, abuse prevention, and legal defense.
03 Data categories and data subjects
- Requester and customer contact data: names, work emails, titles, company names, approval metadata, and communication history.
- Application data encountered during review: account identifiers, public profile data, contact details, object IDs, logs, tokens, or other data visible in the approved scope.
- Data subjects may include customer staff, customer users, test accounts, public contacts, and people whose data appears in reviewed application surfaces.
04 Documented instructions
SilentProof processes customer personal data only for the documented review instructions: the approved Authorization & Rules of Engagement, the in-scope assets, the report delivery process, and any written customer follow-up. If an instruction appears unsafe, unlawful, or outside scope, SilentProof may pause and ask for clarification.
05 Confidentiality and security
- People processing customer data must be subject to confidentiality obligations.
- Evidence should be minimized, redacted where practical, and stored with access limited to people who need it for delivery.
- SilentProof uses reasonable technical and organizational measures for access control, secure transport, retention discipline, and incident handling.
06 Subprocessors
SilentProof may use hosting, email, logging, storage, and security tooling providers to operate the service. Subprocessors must be bound by data protection terms appropriate to their role. Customer-specific subprocessor lists can be provided during procurement.
07 Assistance, breach notice, and audits
- SilentProof will reasonably assist the customer with data subject requests, security incidents, DPIA-style questions, and supervisory authority communications related to the review.
- SilentProof will notify the customer without undue delay after becoming aware of a personal data breach affecting customer review data.
- Audit or inspection requests should be handled through documentation, written answers, or a reasonable review process that protects other customers and SilentProof security.
08 End of engagement
At the end of the engagement, SilentProof will delete or return customer personal data according to the agreed retention rules, except where limited records must be kept for authorization proof, legal obligations, dispute handling, or security abuse prevention.