DATA PROTECTION ADDENDUM
Breachday LLC · breachday.io
Effective Date: June 2026
1. Definitions
1.1 "Agreement" means the Breachday Terms of Service located at breachday.io/terms, and any applicable order form, MSP agreement, or enterprise addendum, as updated from time to time.
1.2 "Controller" means the natural or legal person, public authority, or other body that determines the purposes and means of Processing of Personal Data. In the context of this DPA, Customer is the Controller.
1.3 "Customer Data" has the meaning given in the Agreement, and includes all data, content, and materials submitted to the Service by Customer or its users — including scenarios, injects, session logs, business continuity program data, playbooks, and generated reports.
1.4 "Customer Instructions" means: (i) Processing necessary to provide the Service and perform Breachday's obligations under the Agreement (including this DPA); and (ii) other reasonable documented instructions from Customer consistent with the Agreement.
1.5 "Customer Personal Data" means Personal Data contained within Customer Data.
1.6 "Data Protection Laws" means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including as applicable: the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); the General Data Protection Regulation (EU GDPR); the UK GDPR; the Swiss FADP; and any other applicable U.S. state or international privacy laws, each as updated from time to time.
1.7 "Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates.
1.8 "DPA Effective Date" means the date Customer accepts the Breachday Terms of Service, or the date of execution of a DPA Setup Page, whichever is earlier.
1.9 "Personal Data" means information about an identified or identifiable natural person as defined in applicable Data Protection Laws.
1.10 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, erasure, or destruction, whether or not by automated means.
1.11 "Processor" means a natural or legal person that Processes Personal Data on behalf of a Controller. In the context of this DPA, Breachday is the Processor.
1.12 "Restricted Transfer" means a transfer of Customer Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy determination under the applicable Data Protection Law.
1.13 "Security Incident" means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Breachday. Security Incidents do not include unsuccessful attempts or activities that do not result in actual access to Customer Personal Data, including failed login attempts, port scans, or denial-of-service attacks.
1.14 "Service" means the Breachday tabletop exercise platform available at app.breachday.io, including all associated features, APIs, exports, and system templates.
1.15 "Specified Notice Period" is 48 hours from Breachday becoming aware of a confirmed Security Incident affecting Customer Personal Data.
1.16 "Subprocessor" means any third party authorized by Breachday to Process Customer Personal Data in connection with providing the Service.
1.17 "Subprocessor List" means the list of Breachday's current Subprocessors, maintained at breachday.io/subprocessors.
2. Scope and Duration
2.1 Roles of the Parties
This DPA applies to Breachday as Processor of Customer Personal Data and to Customer as Controller of Customer Personal Data. Where Customer itself acts as a processor on behalf of a third-party controller, Customer represents that it has authority to enter into this DPA on behalf of that controller.
2.2 Scope
This DPA applies to Breachday's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws.
2.3 Duration
This DPA commences on the DPA Effective Date and remains in effect until expiration or termination of the Agreement, or, if later, until Breachday has ceased all Processing of Customer Personal Data.
2.4 Order of Precedence
In the event of conflict, the order of precedence is: (1) applicable Standard Contractual Clauses or cross-border transfer mechanisms agreed in writing; (2) this DPA; (3) the Agreement. To the fullest extent permitted by Data Protection Laws, claims arising under this DPA are subject to the limitations of liability in the Agreement.
3. Processing of Customer Personal Data
3.1 Customer Instructions
Breachday will Process Customer Personal Data only: (i) in accordance with Customer Instructions; or (ii) as required to comply with applicable legal obligations, subject to any notification requirements under Data Protection Laws. Breachday will promptly notify Customer if it determines that a Customer Instruction infringes Data Protection Laws (but Breachday has no obligation to actively monitor Customer's compliance).
3.2 Details of Processing
The subject matter, nature, purpose, and duration of Processing, and the categories of Customer Personal Data and Data Subjects, are set out in Schedule 1 (Subject Matter and Details of Processing) attached to this DPA.
3.3 Confidentiality
Breachday will protect Customer Personal Data in accordance with its confidentiality obligations under the Agreement. Breachday will ensure that personnel authorized to Process Customer Personal Data are subject to binding confidentiality obligations.
3.4 No AI Training on Customer Data
Breachday will not use Customer Personal Data — or any Customer Data — to train, fine-tune, benchmark, or otherwise improve machine learning or artificial intelligence models, whether operated by Breachday or any third party. Customer Data is used exclusively to operate and deliver the Service to Customer.
Where Customer uses the AI Scenario Builder feature, scenario prompts and structural parameters are transmitted to OpenRouter under Zero Data Retention (ZDR) settings, meaning input and output data is not stored beyond the duration of the API request, not logged for retention, and not used for model training by OpenRouter or its upstream model providers. Free-tier models that do not support ZDR are disabled.
3.5 Compliance with Laws
Each party will comply with Data Protection Laws applicable to its own Processing of Customer Personal Data. Customer is responsible for ensuring it has established lawful bases under Data Protection Laws for Breachday's Processing of Customer Personal Data as contemplated by the Agreement.
4. Subprocessors
4.1 Current Subprocessors
Customer authorizes Breachday to engage the Subprocessors listed at breachday.io/subprocessors. Breachday's current Subprocessors are:
| Subprocessor | Location | Role / Data Processed |
|---|---|---|
| Supabase | United States | Postgres database, Auth, Realtime channels, file storage (org logos, playbook PDFs, all application data) |
| Vercel | United States | Next.js application hosting (serverless). Request data passes through but is not persistently stored by Vercel. |
| Stripe | United States | Payment processing and subscription management. Payment card data is held exclusively by Stripe. |
| Resend | United States | Transactional email delivery (verification, invitations, billing notices, support notifications) |
| Inngest | United States | Scheduled background job execution for data lifecycle operations. No persistent Customer Data stored. |
| OpenRouter | United States | AI model routing for AI Scenario Builder and Weekly Scenario Recommendations features. ZDR (Zero Data Retention) is enforced on all requests — input and output data is not stored or used for model training. Free-tier models are disabled. AI Scenario Builder receives scenario prompts and structural parameters from authenticated users; Weekly Scenario Recommendations receives only publicly available threat intelligence headlines and internal template metadata. |
4.2 Subprocessor Obligations
Breachday will: (i) enter into written agreements with each Subprocessor imposing data protection obligations substantially equivalent to those in this DPA; and (ii) remain liable for each Subprocessor's compliance with this DPA.
4.3 Notice of New Subprocessors
Breachday will update the Subprocessor List at breachday.io/subprocessors at least 30 days before any new Subprocessor begins Processing Customer Personal Data, and will notify Customer by in app notifications.
4.4 Objection to New Subprocessors
If Customer reasonably objects to a new Subprocessor on data protection grounds within 30 days of notice, the parties will work together in good faith to address the concern. If the parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected Subscription for convenience and receive a pro-rata refund of prepaid, unused fees.
5. Security
5.1 Security Measures
Breachday implements and maintains reasonable technical and organizational security measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, as further described in Schedule 2:
- TLS encryption for all data in transit, with HSTS enforced in production
- Encryption at rest for database infrastructure via Supabase
- Row-level tenant isolation — organizations cannot access each other's data
- Two-factor authentication (TOTP) available for all users; required for high-impact operations
- IP-based rate limiting on public exercise join and submission endpoints
- Room passwords hashed for verification; encrypted copy held for facilitator reference
- Platform admin audit logging for all cross-tenant administrative actions
- Content Security Policy, HSTS, X-Frame-Options, and restrictive Permissions-Policy headers
Breachday's infrastructure subprocessors (Supabase, Vercel, Stripe) maintain their own SOC 2 certifications. Breachday has not yet completed a SOC 2 audit; SOC 2 Type II certification is on Breachday's roadmap. Breachday will make available any completed audit reports upon written request, subject to confidentiality obligations.
5.2 Security Incident Response
Breachday will: (i) maintain procedures to detect and respond to Security Incidents; (ii) notify Customer without undue delay and no later than the Specified Notice Period (48 hours) after becoming aware of a Security Incident affecting Customer Personal Data; and (iii) make reasonable efforts to identify and mitigate the cause of the Security Incident. Notification of a Security Incident is not an admission of fault or liability by Breachday. Customer is solely responsible for complying with Security Incident notification obligations applicable to Customer.
5.3 Customer Responsibilities
Customer is responsible for independently evaluating whether the Service meets Customer's own security requirements and legal obligations. Customer is responsible for configuring appropriate access controls within the Service, including role assignments and two-factor authentication enrollment.
6. Data Subject Requests
If Breachday receives a request directly from a Data Subject relating to Customer Personal Data, Breachday will promptly notify Customer and direct the Data Subject to submit the request to Customer. Breachday will not otherwise communicate with the Data Subject regarding the request except as required by Data Protection Laws. Upon Customer's request, Breachday will provide reasonable assistance — through available technical and organizational measures — to help Customer respond to Data Subject requests under applicable Data Protection Laws.
7. Data Return and Deletion
7.1 During the Subscription Term
Customer may access, export, and delete Customer Data through the features of the Service at any time during the active Subscription Term, including through PDF, DOCX, and JSON export formats.
7.2 Post-Cancellation Retention Period
Following cancellation of a Subscription, Customer enters a six-month read-only retention period during which all Customer Data remains accessible for export. Breachday will send reminder emails at 30 and 5 days before the end of the retention period. At the end of the retention period, Breachday will permanently and irreversibly delete all Customer Personal Data from its systems, unless earlier deletion is requested by Customer.
7.3 Post-Termination Deletion
Following expiration or termination of the Agreement, Breachday will delete Customer Personal Data in accordance with its data retention and deletion obligations under the Agreement and Data Protection Laws, using industry-standard secure deletion practices. Breachday will issue a written certificate of deletion upon Customer's written request. Notwithstanding the foregoing, Breachday may retain Customer Personal Data as required by applicable law, or in accordance with its standard backup retention policies, subject to ongoing confidentiality obligations.
7.4 Ephemeral Sessions
Organizations on eligible plan tiers may enable the "data protection mode" ephemeral session purge feature, which automatically deletes Exercise Session data (actions, votes, participant records) after a configurable retention window (default 48 hours) following session completion. This feature is available on Plus and Pro plans.
8. Audits and Compliance
8.1 Records
Breachday will maintain records of its Processing activities as required by applicable Data Protection Laws and will make such records available to Customer upon written request to the extent reasonably necessary to demonstrate compliance with this DPA.
8.2 Audit Reports
Breachday will describe its third-party audit and certification programs (if any) and make summary copies of audit reports available to Customer upon written request at reasonable intervals, subject to confidentiality obligations. Customer agrees that audit rights granted by Data Protection Laws will be satisfied first through review of available audit reports.
8.3 Customer Audit Rights
Subject to the parameters below, Customer has the right, at Customer's expense, to conduct an audit of reasonable scope to verify Breachday's compliance with this DPA. Each audit must: (i) be conducted by an independent third party subject to confidentiality obligations; (ii) occur no more than once per calendar year (unless required by a government authority or following a Security Incident); (iii) be scheduled at a mutually agreed date during Breachday's regular business hours; (iv) be limited to matters reasonably necessary to assess compliance with this DPA; and (v) treat all findings as confidential.
9. Cross-Border Data Transfers
Breachday processes and stores Customer Personal Data in the United States. Breachday currently serves U.S.-based customers. If Customer is located outside the United States and Customer Personal Data is subject to GDPR, UK GDPR, or FADP restrictions on cross-border transfers, the parties will work together in good faith to implement appropriate transfer mechanisms (such as Standard Contractual Clauses) before such Processing begins. Breachday will comply with any agreed transfer mechanism and update this DPA accordingly.
10. General Provisions
10.1 Amendments. The parties may amend this DPA as necessary to address changes in Data Protection Laws by mutual written agreement. Breachday may update this DPA with reasonable notice for non-material changes.
10.2 Severability. If any provision of this DPA is found unenforceable, the remaining provisions remain in full force.
10.3 Entire Agreement. This DPA, together with the Agreement and any applicable order form, constitutes the entire agreement between the parties regarding the Processing of Customer Personal Data and supersedes any prior agreements on this subject.
10.4 No Third-Party Beneficiaries. This DPA is for the benefit of the parties only and does not create rights for any third party, including Data Subjects (whose rights are governed by applicable Data Protection Laws).
10.5 Contact. Privacy and data protection inquiries: compliance@breachday.io
Schedule 1 — Subject Matter and Details of Processing
| Item | Details |
|---|---|
| Subject Matter | Operation of the Breachday tabletop exercise platform: authentication, exercise facilitation, report generation, billing, and platform administration. |
| Nature of Processing | Collection, storage, retrieval, use, transmission, and deletion of Customer Personal Data as necessary to provide the Service. |
| Purpose of Processing | To provide and operate the Service; manage subscriptions and billing; deliver transactional communications; maintain security and platform integrity; support Customer requests; comply with legal obligations. |
| Duration | Duration of the Subscription Term plus the six-month post-cancellation retention period, unless earlier deletion is requested or required. |
| Categories of Data Subjects | Account holders (Admins, Facilitators, Observers); Exercise Participants (display name only, no account required); MSP users; Breachday staff (platform admin accounts only). |
| Categories of Personal Data (Account Holders) | Name; business email address; hashed password credential; email verification status; organization name and role; 2FA TOTP secret and backup code hashes (if enabled); profile image URL (if provided); MSP role and relationships (if applicable). |
| Categories of Personal Data (Participants) | Display name only (up to 50 characters, chosen by participant). No account, no PII required to join. Participant session ID stored in browser sessionStorage for reconnection. |
| Categories of Personal Data (Customer-entered) | Vendor emergency contact names, email addresses, and phone numbers entered into the vendor register by Customer. Breachday recommends using fictional or anonymized data in exercise content. |
| Special Categories | Breachday does not intentionally process special categories of personal data (health, biometric, etc.). Customer must not upload actual special-category data to the Service. |
| Data Not Processed by Breachday | Payment card numbers and CVV (held exclusively by Stripe). BleepingComputer or other third-party news content (not stored). AI Scenario Builder inputs (scenario prompts and structural parameters) and Weekly Scenario Recommendations inputs (public threat intelligence headlines and internal template metadata) are transmitted to OpenRouter under Zero Data Retention (ZDR) — not stored beyond the API request duration, not used for model training. No Personal Data is contained in AI Scenario Builder inputs except insofar as Customer voluntarily includes it in scenario prompts. |
Schedule 2 — Technical and Organizational Measures
Breachday implements the following technical and organizational measures to protect Customer Personal Data:
Access Controls
- Role-based access control within each Organization (ADMIN, FACILITATOR, OBSERVER)
- Platform admin access restricted to Breachday staff via isPlatformAdmin flag, managed at /admin/admins
- Two-factor authentication (TOTP + backup codes) available for all users; required for high-impact operations including organization deletion
- MSP facilitator access to client organizations controlled via OrgMembership grants
- Exercise participants access only their own session via room code and password; no account required
Encryption
- TLS 1.2+ encryption for all data in transit; HSTS enforced in production
- Encryption at rest for database infrastructure provided by Supabase (AES-256)
- Room passwords cryptographically hashed (bcrypt) for verification; encrypted copy stored for facilitator reference
- Supabase Storage (org logos, playbook PDFs) encrypted at rest
Tenant Isolation
- All application data scoped by organizationId at the query level; enforced in all tRPC procedures
- MSP users accessing client organizations authenticated via OrgMembership; no cross-tenant data leakage
- Platform admin procedures isolated from organization-level procedures; separate audit log maintained
Network and Application Security
- Content Security Policy (CSP), X-Frame-Options, Referrer-Policy, and restrictive Permissions-Policy headers
- IP-based rate limiting on public exercise join (/join) and action submission endpoints
- Stripe webhook signature verification on every incoming webhook
- Continuous SAST/DAST scanning via Aikido Security on every commit
Data Lifecycle and Deletion
- Automated post-cancellation data deletion at end of six-month retention window via Inngest daily job
- Ephemeral session purge (data protection mode) available on Plus and Pro plans: configurable automatic deletion of session data after retention window (default 48 hours)
- Unverified signup accounts automatically deleted after 15 days
- Server and security logs retained for up to 90 days, then deleted
Organizational Measures
- Personnel with access to Customer Personal Data subject to confidentiality obligations
- Platform admin actions recorded in a tamper-evident audit log (admin user ID, action, entity, timestamp)
- Security vulnerability reporting via compliance@breachday.io
- Infrastructure subprocessors (Supabase, Vercel, Stripe) maintain SOC 2 certifications
- Breachday SOC 2 Type II certification on roadmap; not yet completed