Legal

Data Processing Agreement

Last updated: May 27, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Sikurd LLC, a Florida limited liability company with its principal place of business in Englewood, Florida, United States (“Sikurd”, “we”, “our”) and the customer (“Customer”, “you”) for the use of the Sikurd platform (the “Services”). It sets out the terms on which Sikurd, acting as a processor, will process personal data on behalf of the Customer, who acts as the controller of that personal data.

By using the Services, the Customer agrees to this DPA. If you require a counter-signed copy for your records, email privacy@sikurd.com with your legal entity name and address and we’ll return a signed version within 5 business days.

1. Definitions

Terms not defined in this DPA have the meaning given in the Sikurd Terms of Service or, where used in this document, in the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the UK GDPR as amended by the Data Protection Act 2018. In particular:

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on personal data, automated or not.
  • Controller means the entity that determines the purposes and means of processing.
  • Processor means the entity that processes personal data on the controller’s behalf.
  • Sub-processor means a processor engaged by Sikurd to assist in providing the Services.
  • Data Subject means the natural person to whom personal data relates.
  • Standard Contractual Clauses or “SCCs” means the clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller to processor).

2. Role of the parties

For personal data processed in connection with the Services, the Customer is the Controller and Sikurd is the Processor. The Customer’s end customers (e.g. callers reaching the Customer’s 3CX phone system) are the data subjects of certain categories of personal data; Sikurd processes that data only at the Customer’s direction.

Where Sikurd determines the purposes and means of processing independently — for example, our own business operations (billing, customer support records, security logs about the Customer’s own users) — Sikurd is a separate Controller for that data. The treatment of those categories is described in our Privacy Policy.

3. Subject matter, duration, nature, and purpose

Subject matter: Sikurd’s processing of personal data on behalf of the Customer to deliver the Services (3CX fleet monitoring, alerting, AI-generated summaries, billing).

Duration: Processing continues for the term of the Customer’s agreement to use the Services, plus any post-termination periods explicitly covered in section 11 (Return and Deletion).

Nature and purpose: Sikurd polls the Customer’s configured 3CX instances, stores fleet metadata (instance configuration, version, license, trunk registration, backup timestamps, active call records, extensions, queues, ring groups), generates alerts, sends notifications to the Customer’s designated recipients, and (when the Customer opts in) generates AI summaries of incidents and version changes.

4. Categories of data subjects and personal data

Data subjects:

  • The Customer’s personnel (employees, contractors) who use the Sikurd portal.
  • The Customer’s personnel who appear in 3CX records (extensions, voicemail boxes, users with login credentials on the PBX).
  • The Customer’s end customers and external callers whose phone numbers appear transiently in the active-calls table polled from 3CX.

Categories of personal data:

  • Account data: name, work email, role, optional phone number for voice-call alerts.
  • Instance metadata: 3CX FQDN, administrator username, encrypted administrator password (AES-256-GCM at rest), system version, license type, geographic location (derived from public IP for distance-weighted MOS aggregation).
  • 3CX configuration: extension lists, queue lists, ring group lists, digital receptionist (IVR) lists, trunk lists. All synced read-only from the Customer’s PBX.
  • Active call records (transient): caller and callee numbers, call state, start time, direction. Active call rows are deleted on every poll cycle and replaced with the current state.
  • Operational metadata: alert history, audit log of Customer-personnel actions, MOS/network probe measurements, weekly digest preferences.
  • Billing data (for Sikurd’s separate-controller activities): billing email, billing address, invoice history, payment status.

Special categories of personal data: Sikurd does not intentionally process special categories of personal data (Article 9 GDPR) such as health, biometric, or political data. The Customer must not configure the Services to capture special categories — for example, by typing such categories into an AI-summary prompt or storing them in instance notes.

5. Customer instructions

Sikurd processes personal data only on documented instructions from the Customer. The Customer’s configuration of the Services (which 3CX instances are connected, which alerts are enabled, which recipients are listed, which integrations are active) constitutes the Customer’s ongoing instructions. Sikurd will notify the Customer if, in its opinion, an instruction infringes applicable data protection law.

6. Confidentiality

Sikurd ensures that personnel authorised to process Customer personal data are bound by confidentiality obligations (by contract or statute) and receive appropriate training on data protection.

7. Security measures

Sikurd implements appropriate technical and organisational measures, taking into account the state of the art, cost of implementation, and the nature, scope, context, and purposes of processing. Current measures include:

  • Encryption of 3CX administrator credentials at rest using AES-256-GCM with versioned keys.
  • TLS 1.2+ in transit for all customer-facing and internal traffic.
  • Multi-tenant isolation: every database query is scoped to the Customer’s tenant and validated server-side before any data is returned.
  • Role-based access control within the Customer’s tenant (OWNER / ADMIN / MEMBER) plus per-user instance-access restrictions.
  • Tamper-evident audit logging of privileged actions (password resets, plan changes, tenant operations).
  • Soft-deletion grace periods for accounts and instances, with hard-purge after the documented retention window.
  • Sub-processor due-diligence reviews before onboarding; all sub-processors are bound by Article 28-compliant contracts with terms no less protective than this DPA.
  • Restricted internal access to production systems; production database access is logged and audited.

A current description of Sikurd’s security controls is maintained at sikurd.com/trust. The Customer can request the latest version by emailing privacy@sikurd.com.
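The first and third measures above (credential encryption at rest with versioned keys, and tenant scoping) are the ones a customer auditor most often asks to see demonstrated. The following is an added illustration written for this page, not Sikurd’s own code: it shows one way to store a 3CX administrator password under AES-256-GCM so that every stored value names the key version that sealed it, old keys can be retired after a rewrap pass, and the ciphertext is bound to the owning tenant and instance through the GCM associated data, so a row copied into another tenant’s record fails to authenticate. The envelope layout, the Keyring type, and the RowAAD tenant/instance identifiers are assumptions made for the example and do not describe Sikurd’s storage schema.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const versionLen = 4 // big-endian key version prefixed to every envelope

// Keyring holds AES-256 keys by version (assumed structure, not Sikurd's).
// New envelopes are sealed under Current; older versions are kept only until
// every stored envelope has been rewrapped, then deleted.
type Keyring struct {
	Current uint32
	Keys    map[uint32][]byte
}

// RandomKey returns a fresh 32-byte AES-256 key from crypto/rand.
func RandomKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.Keys[version]
	if !ok {
		return nil, fmt.Errorf("no key for version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key. Envelope layout (assumed here):
// [4-byte version][12-byte random nonce][ciphertext || 16-byte GCM tag].
// aad is authenticated, not encrypted: binding it to the owning tenant and
// instance means the envelope cannot be moved into another tenant's row.
func (k *Keyring) Encrypt(plaintext, aad []byte) ([]byte, error) {
	gcm, err := k.aead(k.Current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, versionLen, versionLen+len(nonce)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint32(out, k.Current)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt opens an envelope with the key version it names and returns that version.
func (k *Keyring) Decrypt(envelope, aad []byte) (uint32, []byte, error) {
	if len(envelope) < versionLen {
		return 0, nil, errors.New("envelope too short")
	}
	version := binary.BigEndian.Uint32(envelope[:versionLen])
	gcm, err := k.aead(version)
	if err != nil {
		return 0, nil, err
	}
	rest := envelope[versionLen:]
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return 0, nil, errors.New("envelope truncated")
	}
	pt, err := gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], aad)
	if err != nil {
		return 0, nil, err // retired key, wrong tenant AAD, or tampered bytes
	}
	return version, pt, nil
}

// Rewrap re-seals an envelope under Current if it was sealed under an older
// version; a rotation job runs this over every row before retiring the old key.
func (k *Keyring) Rewrap(envelope, aad []byte) ([]byte, bool, error) {
	version, pt, err := k.Decrypt(envelope, aad)
	if err != nil {
		return nil, false, err
	}
	if version == k.Current {
		return envelope, false, nil
	}
	fresh, err := k.Encrypt(pt, aad)
	return fresh, true, err
}

// RowAAD derives associated data from the row's tenant and instance ids
// (hypothetical identifiers; any stable, unique per-row value works).
func RowAAD(tenantID, instanceID string) []byte {
	return []byte("tenant=" + tenantID + ";instance=" + instanceID)
}
```

Usage: seal with `kr.Encrypt(password, RowAAD(tenant, instance))`, store the returned envelope in the row, and on rotation add the new key to `Keys`, bump `Current`, run `Rewrap` over every row, and only then delete the old version from the map. A 12-byte random nonce per encryption is safe for the volume of credentials a fleet-monitoring tenant stores; a deployment sealing billions of values under one key would need a counter-based or derived nonce instead.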

8. Sub-processors

The Customer authorises Sikurd to engage the sub-processors listed at sikurd.com/legal/sub-processors for the purposes described there.

Sikurd will notify the Customer at least 30 days before any new sub-processor begins processing Customer personal data, by updating the sub-processor page and (if the Customer has subscribed to change notices) sending an email to the tenant’s administrative contact. The Customer may terminate the affected Services without penalty during that notice period if it reasonably objects to the new sub-processor on data-protection grounds.

Sikurd remains liable to the Customer for the acts and omissions of its sub-processors as if they were Sikurd’s own.

9. Data subject rights

Taking into account the nature of the processing, Sikurd will provide reasonable assistance to the Customer in responding to data subject requests under Articles 15–22 of the GDPR. The Customer is responsible for verifying the requesting data subject’s identity and for the substantive response.

Each Customer-personnel user can exercise their own access and deletion rights directly within the Sikurd portal at Settings → Privacy & data without involving the Customer’s administrators.

10. Personal data breach notification

Sikurd will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer personal data. The notice will describe:

  • the nature of the breach, categories of data subjects, and approximate number of records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Sikurd’s notification under this section is not, and may not be construed as, an admission of fault or liability.

11. Return and deletion of personal data

On termination of the Customer’s agreement, Sikurd will:

  • Retain the Customer’s data in read-only form for 30 days to allow the Customer to export it. The Customer can export at any time from Settings → Privacy & data → Export my data, or contact privacy@sikurd.com for a full tenant-scoped export.
  • After the 30-day grace period, permanently delete all Customer personal data from active production systems within 30 days.
  • Purge Customer personal data from backups within the standard backup-rotation period (≤ 30 days).
  • Retain only the categories of data necessary for Sikurd’s own controller-role processing (anonymised usage statistics, billing records required by tax law).

12. Audits

Sikurd will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Customer or an independent auditor mandated by the Customer. Audits will be conducted:

  • during normal business hours;
  • with at least 30 days’ advance written notice;
  • subject to reasonable confidentiality protections;
  • at the Customer’s expense, unless the audit reveals a material breach of this DPA, in which case Sikurd will reimburse reasonable audit costs.

Sikurd may satisfy this requirement by providing the Customer with a current third-party audit report (e.g. SOC 2 Type II) where one is available.

13. International transfers — Annex II Standard Contractual Clauses

Where Sikurd transfers personal data of EEA-, UK-, or Switzerland-located data subjects to a country outside the EEA that has not been the subject of an adequacy decision by the European Commission (or, for UK data subjects, the UK Information Commissioner), the transfer is subject to the Standard Contractual Clauses (Module Two, controller-to-processor) which are incorporated into this DPA by reference. For UK data subjects, the UK Information Commissioner’s International Data Transfer Addendum to the SCCs applies.

The SCCs are completed as follows:

  • Data Exporter: the Customer, in its capacity as Controller.
  • Data Importer: Sikurd LLC, in its capacity as Processor.
  • Clause 7 (docking): the option for additional parties to join applies.
  • Clause 9 (sub-processors): Option 2 (general written authorisation) applies, with the 30-day notice period in section 8 above.
  • Clause 11 (redress): the optional independent dispute resolution body is not selected.
  • Clause 17 (governing law): the law of Ireland applies.
  • Clause 18 (forum and jurisdiction): the courts of Ireland have exclusive jurisdiction.
  • Annex I.A: the parties are Sikurd LLC, a Florida limited liability company with its principal place of business in Englewood, Florida, United States (Data Importer / Processor), and the Customer as named in the Sikurd account (Data Exporter / Controller).
  • Annex I.B: the categories of data subjects and personal data are as described in section 4 above.
  • Annex I.C: the competent supervisory authority is the Irish Data Protection Commission, acting as lead supervisory authority for one-stop-shop purposes.
  • Annex II: the technical and organisational measures are as described in section 7 above and at sikurd.com/trust.
  • Annex III: sub-processors are listed at sikurd.com/legal/sub-processors.

Sikurd has conducted a Transfer Impact Assessment (TIA) for the US-located sub-processors listed in section 8 and concluded that the transfers, in conjunction with the security measures in section 7 (in particular, encryption of credentials at rest and TLS in transit), provide an essentially equivalent level of protection to that guaranteed within the EEA. The TIA is available on request to privacy@sikurd.com.

14. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying Sikurd Terms of Service. Nothing in this DPA limits a data subject’s right to receive compensation under Article 82 of the GDPR.

15. General

This DPA constitutes the parties’ entire agreement relating to the processing of personal data and supersedes any previous data processing agreement between them. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict for matters relating to data protection. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.

Contact

For questions about this DPA, sub-processor change notices, or to request a counter-signed copy: privacy@sikurd.com.