Does Patchstack process personal data on your behalf?
When delivering our vulnerability scanning, firewall (WAF), and vPatching services, our systems inspect inbound web traffic and site content to detect and mitigate threats. As part of this we process data incidental to those security events, which may include personal data such as visitor IP address, approximate location derived from IP, user-agent string, HTTP method, requested URL, and — where relevant to identifying an attack — the request payload (which may contain form fields submitted by the visitor). We retain this data only as needed to operate, investigate, and improve the service. The same fields are processed whether you are a direct Patchstack customer or use Patchstack through a hosting/reseller partner. For this data, Patchstack acts as a processor on your behalf (or, where you use Patchstack via a reseller, as a sub-processor), and our DPA applies.
Patchstack also processes personal data about you as our customer (for account, billing, and support purposes). For that data Patchstack is a controller, and our Privacy Policy applies.
Signing a DPA
Business customers using Patchstack to protect sites or applications containing third-party personal data should have a DPA in place with us. Contact us at privacy@patchstack.com for a copy of our DPA.
Sub-processors
You can find the list of our sub-processors here.