Overview
Where Cerbi processes personal data on behalf of a customer — for example, if a customer enables optional diagnostic telemetry in their CerbiShield deployment — Cerbi acts as a data processor and the customer acts as a data controller.
Under GDPR Art. 28 and equivalent legislation, a written data processing agreement is required between controllers and processors. Cerbi provides a standard DPA that covers these obligations.
Note that for most CerbiShield deployments, diagnostic telemetry is disabled by default. In that configuration, Cerbi does not act as a processor for your application data — your Azure tenant and its services do. The DPA is still available for customers whose procurement processes require it regardless of telemetry configuration.
What the Cerbi DPA covers
Who typically needs a DPA
- •Organizations subject to GDPR or UK GDPR whose procurement or legal teams require a signed DPA before deploying a vendor product
- •Healthcare organizations subject to HIPAA requiring a Business Associate Agreement (BAA)
- •Organizations subject to state privacy laws (CCPA, VCDPA, etc.) that include data processing agreement requirements
- •Enterprise customers whose InfoSec or GRC teams require documented processor commitments as part of third-party risk management
Cross-border transfer mechanisms
For transfers of personal data from the EEA, UK, or Switzerland to the United States, the Cerbi DPA incorporates the following mechanisms:
EU Standard Contractual Clauses (SCCs)
2021 European Commission SCCs (controller-to-processor module). Included as an exhibit to the DPA.
UK International Data Transfer Addendum (IDTA)
ICO-approved IDTA incorporated as an addendum for UK personal data transfers.
Swiss SCCs
Available on request for processing of personal data subject to the Swiss FADP.
Request the DPA
To receive the Cerbi DPA for review or signature, email us with:
- Your organization name and registered address
- The legal entity that will be the contracting party
- Whether you require the EU SCCs, UK IDTA, or both
- Whether you require a HIPAA BAA
- Any specific exhibit requirements from your legal team
We typically respond to DPA requests within 2 business days. Standard DPA review and countersignature takes 5–10 business days depending on requested modifications.
Self-service and trial customers
If you are on a self-service trial and do not yet have a signed subscription agreement, you may still request the DPA for procurement review. We will send you the standard form DPA that would apply to a paid subscription. Contact legal@cerbi.io.
Related documents
- Privacy Policy — how Cerbi handles personal data as a controller
- Subprocessors — third-party vendors covered by the DPA sub-processor provisions
- Security Overview — technical and organizational measures referenced in the DPA
- Trust Hub — full enterprise evaluation package
