Data Processing Agreement (DPA)
1. Definitions
- "Controller" — the business customer that determines the purpose of email analysis
- "Processor" — SecureSphereLabs, acting on behalf of the Controller
- "Data Subject" — the individual whose email content is being analyzed
- "Personal Data" — any information relating to an identified or identifiable natural person contained within submitted email content
2. Nature and Purpose of Processing
SecureSphereLabs processes email content submitted by the Controller solely for the purpose of providing threat analysis services as described in the Terms of Service. Processing is conducted:
- In-memory only — no raw email content is written to persistent storage
- For the duration of the analysis request only
- Exclusively as instructed by the Controller via API call or email submission
3. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for submitting email content containing personal data (e.g. legitimate interests in detecting security threats, employee consent, or contractual necessity)
- It has informed relevant data subjects of the processing where required
- It complies with applicable data protection laws including GDPR where applicable
4. Processor Obligations (SecureSphereLabs)
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (see Security Policy)
- Assist the Controller in fulfilling data subject rights requests where feasible
- Delete or return personal data at the end of service provision (in practice: email content is discarded immediately after analysis)
- Make available all information necessary to demonstrate compliance with GDPR Article 28
5. Sub-processors
SecureSphereLabs engages the following sub-processors who may receive personal data contained in submitted email content:
| Sub-processor | Location | Purpose | Data Shared |
|---|---|---|---|
| SphereAI™ Infrastructure (SecureSphereLabs) | Internal | AI-powered threat analysis engine | Email headers, body text (transient, discarded after analysis) |
| VirusTotal (Google) | United States | URL/domain/hash reputation | URLs, domains, IPs, hashes — not email body |
| AbuseIPDB | United States | IP reputation | IP addresses only |
We will provide 30 days' advance notice of any changes to sub-processors that materially affect data handling.
6. International Transfers
Third-party sub-processors (VirusTotal/Google, AbuseIPDB) are located in the United States. Transfers are conducted under Google's and AbuseIPDB's respective data processing terms. For EU customers, we rely on standard contractual clauses or equivalent transfer mechanisms where applicable. SphereAI™ processing is handled internally by SecureSphereLabs.
7. Requesting a Signed DPA
Enterprise customers and MSSPs who require a signed Data Processing Agreement for GDPR compliance or vendor procurement purposes may request one by contacting:
Please include your company name, registration number, jurisdiction, and use case. We will respond within 5 business days.
These documents were last updated on May 26, 2026. For questions, contact legal@securespherelabs.com. · Back to SphereMail
SphereMail