Data Processing Agreement
Effective date: July 9, 2026
- Company/product
- Cracken / https://cracken.ai
- Legal entity
- CrackenAGI Ltd.
- Registered office
- 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
- Governing law for self-serve terms
- England and Wales
- This Data Processing Agreement ("DPA") forms part of the agreement between Cracken and the customer that uses Cracken services. It applies when Cracken processes Customer Personal Data on behalf of the customer as a processor or service provider.
1. Definitions
"Agreement" means the applicable Terms, order form, subscription agreement, Acceptable Use Policy, Rules of Engagement and other documents governing the customer's use of Cracken.
"Customer Personal Data" means Personal Data contained in Customer Content that Cracken processes on behalf of Customer to provide the services.
"Customer Content" means targets, scope information, prompts, instructions, credentials, uploaded files, logs, telemetry, screenshots, vulnerability evidence, reports, integration data, support tickets, approval requests and other information submitted to or generated through Cracken for Customer.
"Data Protection Laws" means privacy and data-protection laws applicable to the processing of Customer Personal Data.
"Restricted Territories" means, at minimum, Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas, and any other country, region, party, end user, end use, sector or transaction restricted by applicable export, sanctions, anti-boycott or cyber-tool controls. Restricted Territories and prohibited parties should be interpreted with reference to applicable EAR, ITAR, OFAC, EU, UK, UN and other relevant restrictions, including sanctioned-party, denied-party, entity, unverified, military end-user and debarred-party lists.
"Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Cracken or its sub-processors.
"Sub-processor" means a third party engaged by Cracken to process Customer Personal Data on Cracken's behalf.
2. Roles and scope
Customer is the controller or business for Customer Personal Data. Cracken is the processor or service provider. Customer determines the purposes and means of processing, including what data is submitted, which targets are tested, which users are authorized and what scope is approved.
This DPA does not apply to personal data for which Cracken acts as an independent controller, including account administration, marketing, billing, compliance screening, website analytics, security monitoring and legal enforcement, which are addressed in the Privacy Policy.
3. Customer instructions
Cracken will process Customer Personal Data only on Customer's documented instructions, including the Agreement, Acceptable Use Policy, Rules of Engagement, product configurations, dashboard/API instructions and written instructions accepted by Cracken, unless applicable law requires otherwise.
Customer instructs Cracken to process Customer Personal Data to:
- provide and secure the services;
- configure, execute and report on authorized security-testing workflows;
- validate vulnerabilities and evidence within approved scope;
- provide support and troubleshoot issues;
- detect and prevent abuse, unauthorized hacking, unsafe activity and legal violations;
- comply with export, sanctions and restricted-territory controls;
- use sub-processors as permitted by this DPA;
- return, delete or retain data as described in the Agreement and Data Retention Policy.
Cracken may decline or suspend an instruction that it reasonably believes violates law, export/sanctions rules, the Rules of Engagement, acceptable-use requirements or third-party rights.
4. Customer obligations
Customer represents and warrants that:
- it has all rights, notices, consents, permissions and legal bases required to provide Customer Personal Data to Cracken;
- all tested targets are owned by Customer or Customer has explicit written authorization from the owner to test them;
- Customer will define scope, stop conditions and Rules of Engagement accurately;
- Customer will not submit prohibited sensitive data unless expressly permitted by the Agreement and law;
- Customer will not use Cracken from, for the benefit of, or in connection with Restricted Territories or restricted parties;
- Customer will not reverse engineer, extract, reconstruct, derive, disclose, copy, benchmark for replication, or attempt to discover Cracken code, prompts, system prompts, playbooks, skills, agents, workflows, guardrails, detection logic, "tentacles" or other non-public methods or proprietary components;
- Customer will not instruct Cracken to conduct unauthorized hacking, denial-of-service, extortion, public disclosure of unremediated findings, credential theft, persistence, out-of-scope pivoting or other illegal or unethical activity.
5. Confidentiality
Cracken will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive access only where needed for service delivery, support, security, compliance, incident response or legal obligations.
6. Security measures
Cracken will maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of cybersecurity testing data and the risk of unauthorized disclosure or misuse. Measures may include:
- encryption in transit;
- encryption at rest where supported by the storage layer;
- role-based access control and least privilege;
- MFA for administrative access;
- logging and monitoring of administrative and security-relevant events;
- segregation of customer workspaces or logical tenant isolation;
- secure development and change-management practices;
- vulnerability management and remediation processes;
- personnel security and confidentiality controls;
- incident-response procedures;
- sub-processor security diligence;
- backup and recovery controls consistent with the retention policy.
7. Sub-processors
Customer grants Cracken general authorization to use Sub-processors listed in the Sub-processor List to provide the services. Where support tickets, feedback, attachments or high-risk target approval requests contain Customer Personal Data, Cracken may use the support ticketing portal at https://crackenai.featurebase.app/ as described in the Sub-processor List. The Sub-processor List also identifies controller-side and website service providers, including Google Analytics for website analytics, although this DPA applies only when Cracken processes Customer Personal Data on behalf of Customer.
Cracken will:
- maintain a public or customer-accessible Sub-processor List;
- enter into written agreements imposing data-protection obligations substantially similar to those in this DPA;
- remain responsible for Sub-processors' processing of Customer Personal Data as required by applicable law and the Agreement;
- provide mandatory email notice of material Sub-processor changes to the relevant customer contact;
- provide a reasonable objection process for legitimate data-protection concerns.
8. AI providers and model/system improvement
Cracken uses Anthropic models through AWS Bedrock and self-hosted LLM processing on Google Cloud Platform. AWS Bedrock processing may occur in US East and EU West regions. Self-hosted LLM processing on Google Cloud Platform is in an EU West region.
Cracken's self-serve posture is: aggregated and de-identified telemetry may be used for self-serve product and system improvement. For all plans below the Pro plan, storage for product, safety, abuse-prevention, model, agent and system improvement is enabled by default, subject to the Agreement, this DPA and applicable law. For Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available; operational, security, billing, legal, export/sanctions, abuse-prevention, incident-response and service-delivery retention may still apply. Customer-content training for cross-customer model improvement is not used by default and requires separate negotiated permission or an applicable customer setting. Customer content may be used during the subscription for customer-specific model adaptation, safety tuning, retrieval, evaluation, workflow improvement and similar customer-specific service improvements.
Cracken will not intentionally permit third-party AI providers to use Customer Personal Data for their own model training.
9. Data subject requests
Customer is responsible for responding to data subject requests relating to Customer Personal Data. Cracken will provide reasonable assistance, taking into account the nature of processing and available information. If Cracken receives a request directly and can identify the relevant customer, Cracken may redirect the requester to Customer or notify Customer, unless prohibited by law.
10. Security incidents
Cracken will notify Customer without undue delay and within any legally or contractually required notification period after confirming a Security Incident affecting Customer Personal Data. The notice will include information reasonably available to Cracken, such as the nature of the incident, affected data categories, likely consequences, mitigation steps and points of contact. Cracken will reasonably assist Customer with legally required notices, investigations and remediation.
11. Audits and compliance information
Upon reasonable request and subject to confidentiality, Cracken will provide information necessary to demonstrate compliance with this DPA, such as security summaries, certifications, audit reports, questionnaires or sub-processor information. Cracken will perform a main audit at least annually, and may perform ad-hoc audits after significant changes or material incidents. Customer-requested intrusive audits must be reasonable, protect other customers and Cracken confidential information, and avoid unnecessary disruption.
12. International transfers and data residency
Cracken's main infrastructure is hosted in Microsoft Azure UK South. AI processing may occur through AWS Bedrock in US East and EU West regions and through self-hosted LLM infrastructure on Google Cloud Platform in an EU West region. Where required for EEA, UK or Swiss data, the parties will rely on appropriate safeguards such as Standard Contractual Clauses, UK addendum, Swiss adaptations, adequacy decisions, Data Privacy Framework certifications or successor mechanisms.
13. Return and deletion
Upon termination or expiry, Cracken will return, export, delete, de-identify or retain Customer Personal Data according to the Data Retention Policy, customer configuration, applicable law and Agreement. Customer data in main storage may be deleted by request, subject to legal, security, abuse-prevention, export/sanctions, backup and dispute exceptions. Backups may persist until they are overwritten or deleted under Cracken's backup lifecycle and are retained only as long as reasonably necessary for resilience, security, legal or operational purposes.
14. Restricted territories and legal compliance
Cracken may suspend, terminate, block, delete, quarantine or preserve processing where required or reasonably appropriate for export-control, sanctions, restricted-territory, prohibited-party, military end-use/end-user, anti-abuse, security or legal reasons. Customer must immediately stop using the services and notify Cracken if Customer, its users, targets, beneficial owners, transactions or intended end uses become restricted, prohibited, license-controlled or otherwise unlawful. Cracken should not rely only on a country list when party status, sectoral sanctions, regional sanctions or end-use restrictions may independently prohibit or require authorization for service.
15. Governing law and order of precedence
This DPA is governed by the laws of England and Wales, except where mandatory data-transfer clauses require a different governing law for the restricted transfer. If this DPA conflicts with mandatory Standard Contractual Clauses, the SCCs control for the restricted transfer. Otherwise, the conflict order should be defined in the Terms or master agreement.
16. Contact
Privacy / DPA contact: privacy@cracken.ai
Security contact: security@cracken.ai
Legal contact: legal@cracken.ai
