Data Processing Agreement
Effective Date: June 11, 2026
Version 1.0
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tenable Nova LLC, a Georgia limited liability company ("Processor," "we," "us"), and the organization subscribing to the TeNova Axiom platform ("Controller," "you").
This DPA applies to all processing of Personal Data that the Processor carries out on behalf of the Controller in connection with the TeNova Axiom platform and associated APIs, SDKs, and services (collectively, the "Service").
This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and any applicable data protection legislation.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
3. Subject Matter and Duration
The Processor processes Personal Data for the purpose of providing the Service, which includes compliance evidence collection, AI inference witnessing, verdict adjudication, and audit artifact generation. Processing continues for the duration of the subscription agreement and ceases upon termination, subject to the data deletion provisions in Section 12.
4. Nature and Purpose of Processing
The Processor processes Personal Data solely to provide the Service as described in the Terms of Service. Processing activities include:
- Account authentication and session management
- Tenant isolation and access control enforcement
- Storage of compliance verdicts and SWT3 Witness Anchors
- Storage of AI inference metadata (hashes, latency, token counts)
- Audit trail maintenance (login events, attestations, key management)
- Generation of compliance exports (OSCAL, POA&M, Assessment Results)
- Transmission of FAIL notifications via configured webhooks
5. Types of Personal Data
The following categories of Personal Data may be processed:
- Email addresses (account registration and authentication)
- Organization names (tenant identification)
- User roles and access permissions
- IP addresses (access logs, rate limiting, security monitoring)
- Attestation identity (name or identifier of attesting personnel)
- API key metadata (creation date, last-used timestamp, label)
The Service is designed on a zero-knowledge principle for AI witness data. At Clearing Level 1 and above, raw prompts and AI model responses are never transmitted to the Processor. Only cryptographic hashes (SHA-256) and numeric factors (latency, token count, confidence score) are stored.
6. Categories of Data Subjects
Data subjects include:
- Employees and contractors of the Controller who use the Service
- Third-party auditors and assessors granted access via audit share links
- Personnel identified in attestation records
7. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organisational measures as set out in Section 9
- Respect the conditions for engaging Sub-processors as set out in Section 8
- Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR
- Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and information available to the Processor
- At the choice of the Controller, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions
8. Sub-processors
The Controller provides general written authorisation for the engagement of Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object within 30 days.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, row-level security | United States (AWS us-east-1) |
| The Constant Company (Vultr) | Application hosting, compute infrastructure | United States (NJ) |
| Stripe Inc. | Payment processing, subscription management | United States |
| Plausible Insights OÜ | Privacy-preserving website analytics (no cookies, no personal data) | European Union (Estonia) |
Each Sub-processor is bound by contractual obligations providing at least the same level of data protection as this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
9. Security Measures
The Processor implements and maintains the following technical and organisational measures pursuant to Article 32 of the GDPR:
Encryption
- TLS 1.3 for all data in transit (HSTS enforced, HTTP/2)
- AES-256 encryption at rest for all database storage (Supabase managed)
- SHA-256 hashing for API keys, audit tokens, and witness fingerprints
Access Control
- Row-Level Security (RLS) enforcing tenant isolation at the database layer
- Role-based access control (admin, analyst, assessor)
- Multi-factor authentication (TOTP) available for all accounts
- SSH key-only access to infrastructure (password authentication disabled)
- Root login disabled; administrative access requires named accounts with sudo
Monitoring and Detection
- Daily vulnerability scanning (Trivy, NIST NVD correlation)
- File integrity monitoring (SI-7) with hash-based change detection
- Automated POA&M generation for detected vulnerabilities
- Audit event logging for all authentication, attestation, and administrative actions
- Rate limiting on all API endpoints
Availability
- Automated daily backups with verified restoration capability
- Process monitoring with automatic restart on failure
- Health endpoint monitoring at 30-minute intervals
10. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the Processor's point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
11. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Chapter III of the GDPR, including requests for access, rectification, erasure, restriction of processing, data portability, and objection.
If a data subject contacts the Processor directly regarding their rights, the Processor shall promptly redirect the request to the Controller and shall not respond directly unless instructed by the Controller.
12. Data Deletion and Return
Upon termination or expiry of the Service agreement, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a structured, machine-readable format (JSON export via API), or
- Delete all Personal Data and confirm deletion in writing
The Controller has 30 days following termination to request data export. After this period, the Processor shall delete all Personal Data unless retention is required by applicable law. SWT3 Witness Anchors (cryptographic hashes only, containing no Personal Data) may be retained in the Merkle accumulator for protocol integrity.
13. International Transfers
Personal Data is processed in the United States. For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States, the Processor relies on:
- The EU-US Data Privacy Framework (where applicable to Sub-processors)
- Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, incorporated by reference into this DPA
The Processor shall promptly inform the Controller if it becomes aware that it can no longer comply with the Standard Contractual Clauses or the Data Privacy Framework, and shall cooperate to implement supplementary measures or alternative transfer mechanisms.
14. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations. The Controller may conduct audits, including inspections, either directly or through an appointed independent auditor, subject to reasonable advance notice (minimum 30 days) and during normal business hours.
Audits shall be limited to once per calendar year unless a Data Breach has occurred or a supervisory authority requires additional verification. The Controller shall bear the costs of any audit. The Processor may charge a reasonable fee for time spent assisting with audits beyond the first annual audit.
The Processor also provides continuous compliance evidence through the Service itself, including real-time verdict status, SWT3 Witness Anchors with cryptographic fingerprints, and OSCAL-formatted assessment results.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that neither party excludes or limits liability for breaches of its obligations under data protection law to the extent such limitation is not permitted by applicable law.
16. Governing Law
This DPA shall be governed by the laws of the State of Georgia, United States, without regard to its conflict of laws principles. For data subjects in the European Economic Area, nothing in this DPA restricts their rights under the GDPR, including the right to lodge a complaint with their local supervisory authority.
17. Amendments
This DPA may be amended by the Processor to reflect changes in applicable data protection law or Sub-processor arrangements. Material changes will be notified to the Controller at least 30 days before taking effect. Continued use of the Service after the effective date of changes constitutes acceptance.
18. Contact
For questions regarding this DPA or to exercise any rights described herein, contact:
Tenable Nova LLC
Data Protection Inquiries
contact@tenovaai.com
This Data Processing Agreement is incorporated by reference into the Terms of Service. By subscribing to the Service, the Controller agrees to the terms of this DPA.