Safeguard

Legal

Data Processing Agreement

Last reviewed: June 2026

This page summarises how Safeguard handles personal data on behalf of customers. It is a plain-language overview — the binding terms are in the signed Data Processing Agreement (DPA), which forms part of your contract.

Roles

For personal data in customer accounts, the customer is the data controller and Safeguard.sh Inc is the data processor, processing that data only on the customer's documented instructions. For our own marketing and account contacts, Safeguard is the controller — that processing is described in the Privacy & Cookie Policy.

What we process

Safeguard is a software supply chain security platform, so the data we process is overwhelmingly technical: source-code metadata, dependency manifests, SBOMs, scan results, and audit events. The personal data involved is limited — typically the account identities of your engineers (name, work email, role) and the identifiers attached to commits and findings. Customer source code is processed transiently during a scan and is not added to model training corpora.

Security measures

We maintain technical and organisational measures appropriate to the risk: encryption in transit and at rest, per-tenant isolation, least-privilege access with logging, signed audit trails, and a coordinated vulnerability-disclosure programme. Our current posture — SOC 2 Type II (audit in progress), ISO/IEC 27001:2022 alignment, and FedRAMP HIGH / IL7-ready architecture — is detailed in the Trust Center.

Sub-processors

We use a limited set of sub-processors to deliver the service and impose data-protection terms on each. The current list, and how to subscribe to change notifications, is maintained on the Trust Center. Customers may object to a new sub-processor as set out in the DPA.

International transfers

Where personal data moves across borders, we rely on appropriate safeguards — the EU Standard Contractual Clauses and the UK Addendum where applicable — and we offer in-region and sovereign deployment options for customers with data-residency requirements.

Sub-processor and data-subject requests

We assist controllers with data-subject requests and, on termination, delete or return personal data in line with the DPA. We notify affected customers of a personal-data breach without undue delay.

How to execute the DPA

A pre-signed DPA, including the SCCs, is available to customers and prospects. Request it from sales@safeguard.sh (or your account contact), and reach our privacy team at hi@safeguard.sh. See also the Privacy & Cookie Policy and Terms of Service.