This Data Processing Agreement ("DPA") forms part of the agreement between Warrn Inc. ("Warrn," the "Processor") and the customer (the "Controller") for the provision of the Warrn incident management platform and related services (the "Service"). This DPA sets out the terms under which Warrn processes personal data on behalf of the Controller.
1. Scope and Purpose
This DPA applies to all processing of personal data carried out by Warrn on behalf of the Controller in connection with the Service, including alert and incident data, on-call schedules, user accounts, and data received from integrations the Controller connects to the Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Data Subject: The individual to whom the personal data relates
- Sub-processor: A third party engaged by the Processor to process personal data
3. Obligations of the Processor
Warrn shall:
- Process personal data only on documented instructions from the Controller, including instructions given through the Controller's configuration of the Service
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data upon termination of services
- Make available all information necessary to demonstrate compliance
4. Security Measures
Warrn implements the following security measures:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
- Regular testing and evaluation of security measures
- Role-based access controls and multi-factor authentication
- Incident detection and response procedures
- Regular backups and disaster recovery capabilities
- Employee security awareness training
5. Sub-processing
The Controller provides general authorization for Warrn to engage sub-processors in the following categories, subject to the conditions below. The current list is maintained at warrn.io/subprocessors.
- Cloud infrastructure and hosting (e.g., Amazon Web Services)
- AI model providers used for incident investigation and summarization, configured not to train on Controller data
- Communication providers for alert delivery (e.g., email, SMS, and voice providers)
When a sub-processor is engaged:
- Warrn shall impose data protection obligations equivalent to those in this DPA
- Warrn remains fully liable for the sub-processor's performance
- The Controller shall be informed of any intended changes to sub-processors and may object on reasonable data protection grounds
6. Data Transfers
Any transfer of personal data to a country outside the European Economic Area shall be subject to appropriate safeguards, including:
- Standard contractual clauses
- Binding corporate rules
- Adequacy decisions by relevant authorities
7. Data Breach Notification
Warrn shall notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- The nature of the breach
- Categories and approximate number of affected data subjects
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Audit Rights
The Controller has the right to conduct audits and inspections to verify Warrn's compliance with this DPA, no more than once per year and with reasonable prior notice, unless required by a supervisory authority. Warrn shall cooperate and provide access to relevant records; audits shall not unreasonably disrupt Warrn's operations.
9. Duration and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, Warrn shall, at the Controller's choice, delete or return all personal data and certify that it has done so, subject to any retention required by applicable law.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the main service agreement and our Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law.
Contact
For questions about this DPA or to exercise rights under it, contact support@warrn.com.