Pylon
Platform Services Field Notes CompanyAboutDispatchProcess Start a Conversation
Services Embedded CISO Embedded CIO Governance, Risk & Compliance AI Engineering All services → Platform Scout Anvil Command Soon Field Notes Company About Dispatch Process Start a Conversation
Home/Data Processing Addendum

Data Processing Addendum

Last updated: July 10, 2026

About this document. This Data Processing Addendum governs how The Pylon Group processes personal data on behalf of its customers across the Scout, Command, and Anvil platforms. If you need a countersigned copy for your records, or have questions about our sub-processors or transfer mechanisms, contact [email protected].

This Data Processing Addendum, including its Exhibits (this "DPA"), forms part of and is incorporated into the agreement for the provision of the Services (the "Agreement") between the customer identified in the Agreement or an Order Form ("Customer") and Advosec, LLC, a Pennsylvania limited liability company, doing business as The Pylon Group ("Pylon"). Pylon and Customer are each a "party" and together the "parties."

This DPA applies to Pylon's Processing of Personal Data on behalf of Customer in connection with the Services, which comprise the following products, individually and collectively:

  • Scout: third-party and vendor risk management (scout.thepylongroup.com);
  • Command: security governance, risk, and compliance operations (command.thepylongroup.com); and
  • Anvil: M&A diligence and data-room workflows (anvil.thepylongroup.com).

In the event of a conflict, the order of precedence is: (1) the EU SCCs and the UK Addendum (Exhibits D and E), then (2) the body of this DPA, then (3) the Agreement, in each case solely with respect to the subject matter of this DPA.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in Data Protection Law.

1.1 "Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) Regulation (EU) 2016/679 ("GDPR"); (b) the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 ("UK GDPR"); (c) the U.S. state privacy laws applicable to Customer's use of the Services, including the California Consumer Privacy Act as amended ("CCPA/CPRA"); and (d) any successor or implementing legislation to the foregoing.

1.2 "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings given in GDPR (or, where the CCPA/CPRA applies, the equivalent terms "Business," "Service Provider," "Consumer," and "Personal Information" apply correspondingly).

1.3 "Customer Personal Data" means Personal Data that Pylon Processes on behalf of Customer under the Agreement, as further described in Exhibit A.

1.4 "EU SCCs" means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.

1.5 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018, version B1.0 (or its successor).

1.6 "Restricted Transfer" means a transfer of Customer Personal Data from the European Economic Area ("EEA") or the United Kingdom to a country that has not received an adequacy decision, where such transfer would be prohibited absent an appropriate safeguard under Data Protection Law.

1.7 "Sub-processor" means any third party engaged by Pylon to Process Customer Personal Data on Pylon's behalf. For clarity, third-party systems, applications, or accounts that Customer connects to the Services or directs Pylon to access (each a "Connector," such as Customer's Okta, Microsoft Entra, Google Workspace, AWS, GitHub, or HRIS tenants) are Customer's own vendors and processing sources, and are not Pylon Sub-processors.

1.8 "Services" means the Scout, Command, and Anvil products and related services provided by Pylon under the Agreement.

2. Roles of the Parties; Description of Processing

2.1 Roles. With respect to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Pylon is the Processor. Where Customer acts as a Processor for a third-party Controller, Customer represents that it is authorized to instruct Pylon in accordance with this DPA.

2.2 Description. The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are set out in Exhibit A.

2.3 Instructions. Pylon will Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services, unless required to do otherwise by applicable law (in which case Pylon will, where legally permitted, inform Customer of that legal requirement before Processing). Pylon will inform Customer if, in Pylon's opinion, an instruction infringes Data Protection Law.

3. Customer's Obligations

3.1 Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which Customer acquired it.

3.2 Customer represents and warrants that it has a valid legal basis for the Processing of Customer Personal Data contemplated by the Agreement, including for connecting any Connector and directing Pylon to ingest data from it, and has provided all notices and obtained all consents required under Data Protection Law.

3.3 Customer's instructions to Pylon will comply with Data Protection Law.

4. Use of Personal Data

4.1 Purpose limitation. Pylon will Process Customer Personal Data only to provide, maintain, secure, and support the Services in accordance with Customer's instructions, and will not "sell" or "share" (as defined under CCPA/CPRA) Customer Personal Data, nor Process it for Pylon's own independent commercial purposes.

4.2 Artificial intelligence features. Certain Services features use third-party AI sub-processors (identified in Exhibit B) to generate summaries, findings, assessments, policy drafts, transcripts, embeddings, and agent responses. With respect to those features:

  • (a) Customer Personal Data submitted to an AI Sub-processor is Processed solely to return output to Customer as part of the Services;
  • (b) Pylon will not, and will contractually require its AI Sub-processors not to, use Customer Personal Data to train, fine-tune, or improve any generally available foundation model; and
  • (c) Pylon's use of AI Sub-processors is subject to Sections 6 (Sub-processors) and 9 (International Transfers).

4.3 Aggregated and de-identified data. Pylon may create and use aggregated or de-identified data that does not identify Customer or any Data Subject, provided Pylon does not attempt to re-identify it and maintains it in de-identified form.

5. Audit

5.1 Pylon will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow for and contribute to audits as described in this Section.

5.2 Pylon maintains a security program aligned to SOC 2 principles and is pursuing an independent SOC 2 Type II attestation. On Customer's written request (no more than once in any twelve-month period, unless required by a Supervisory Authority or following a Personal Data Breach affecting Customer), Pylon will provide its then-current security documentation and, once available, its SOC 2 Type II report or a comparable third-party attestation, subject to confidentiality obligations, by contacting [email protected].

5.3 Where the information described in Section 5.2 is insufficient to demonstrate compliance, Customer may conduct an audit on reasonable prior written notice, during business hours, no more than once per year, in a manner that does not disrupt Pylon's operations or compromise the confidentiality or security of other customers' data.

6. Authorized Sub-processors

6.1 General authorization. Customer provides general written authorization for Pylon to engage Sub-processors to Process Customer Personal Data. Pylon's current Sub-processors are listed in Exhibit B.

6.2 Sub-processor terms. Pylon will impose on each Sub-processor data-protection obligations that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance of its obligations.

6.3 Changes. Pylon will notify Customer at least 30 days before authorizing any new Sub-processor by email to Customer's designated contact and by updating the Sub-processor list in Exhibit B on this page. Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of notice. If the parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected portion of the Services in accordance with the Agreement.

7. Confidentiality and Security

7.1 Confidentiality. Pylon will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and are Processing on a need-to-know basis.

7.2 Security measures. Pylon will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art and the risks of the Processing. Pylon's current measures are described in Exhibit C.

8. Personal Data Breach

8.1 Pylon will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notification will describe, to the extent known and permitted by law: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Where Pylon cannot provide all information at once, it may provide it in phases without undue further delay.

8.3 Pylon will take reasonable steps to mitigate the effects of the breach and will cooperate with Customer's reasonable requests in connection with Customer's own notification obligations. Pylon's notification is not an acknowledgment of fault or liability.

8.4 Notices under this Section will be sent to the notice contact designated by Customer in the Agreement or, absent one, to Customer's administrative account contact.

9. International Transfers

9.1 Pylon will not make a Restricted Transfer of Customer Personal Data except in accordance with this Section.

9.2 EEA transfers. Where Customer Personal Data originating in the EEA is subject to a Restricted Transfer, the parties agree that the EU SCCs are hereby incorporated into this DPA and completed as set out in Exhibit D. For such transfers:

  • (a) Module Two (Controller to Processor) applies (or Module Three, Processor to Processor, where Customer is itself a Processor);
  • (b) the optional docking clause (Clause 7) applies;
  • (c) under Clause 9, Option 2 (general written authorization) applies, with the notice period stated in Section 6.3;
  • (d) under Clause 11, the optional independent-dispute-resolution language does not apply;
  • (e) under Clause 17, the EU SCCs are governed by the law of Ireland; and
  • (f) under Clause 18(b), disputes will be resolved before the courts of Ireland.

9.3 UK transfers. Where Customer Personal Data originating in the United Kingdom is subject to a Restricted Transfer, the UK Addendum is incorporated and completed as set out in Exhibit E, appending the EU SCCs as the "Approved EU SCCs."

9.4 Conflict. If there is a conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum (as applicable) prevail with respect to Restricted Transfers.

9.5 Alternative mechanisms. If Pylon adopts an alternative lawful transfer mechanism (such as an adequacy decision or a certification), that mechanism will apply in place of the mechanism above to the extent it provides a valid basis under Data Protection Law.

10. Data Protection Impact Assessments and Consultation

Taking into account the nature of the Processing and information available to Pylon, Pylon will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Law, in each case solely in relation to the Processing of Customer Personal Data by Pylon.

11. Data Subject Requests

11.1 Taking into account the nature of the Processing, Pylon will provide Customer with the self-service functionality of the Services and reasonable additional assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Law (including access, rectification, erasure, restriction, portability, and objection).

11.2 If Pylon receives a request directly from a Data Subject relating to Customer Personal Data, Pylon will not respond except to acknowledge and direct the Data Subject to Customer, unless legally required or authorized by Customer.

12. Return or Deletion of Personal Data

12.1 On expiry or termination of the Agreement, Pylon will, at Customer's election, delete or return Customer Personal Data, and delete existing copies, unless retention is required by applicable law.

12.2 Pylon will complete such deletion or return within 90 days of the later of termination or Customer's election. Residual copies in routine backups will be deleted in the ordinary course of Pylon's backup rotation and remain protected by this DPA until deleted.

13. Pylon as Controller

Pylon acts as an independent Controller with respect to a limited set of data it collects to operate its business, such as account registration data, billing and contact information, and product usage and telemetry used to secure and improve the Services. Pylon's Processing of such data is governed by Pylon's applicable privacy policy, or policies, rather than by this DPA. Pylon's Privacy Policy is the entry point and links to the privacy policies specific to Scout, Command, and Anvil.

14. General

14.1 Term. This DPA takes effect on the effective date of the Agreement and continues until Pylon ceases all Processing of Customer Personal Data.

14.2 Liability. Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

14.3 Governing law. Except as required by Section 9 (which governs the EU SCCs and UK Addendum for Restricted Transfers), this DPA is governed by the law and jurisdiction stated in the Agreement, and otherwise by the laws of the Commonwealth of Pennsylvania.

14.4 Changes. Pylon may update this DPA to reflect changes in the Services, Sub-processors, or Data Protection Law, provided the updates do not materially diminish the protections for Customer Personal Data.

Exhibit A

Details of Processing

A.1 Subject matter. Pylon's provision of the Services (Scout, Command, and Anvil) to Customer under the Agreement.

A.2 Duration. For the term of the Agreement plus the return and deletion period in Section 12.

A.3 Nature and purpose of Processing. Hosting, storage, and Processing of Customer Personal Data to provide vendor risk management (Scout), security governance, risk, and compliance operations (Command), and M&A diligence and data-room workflows (Anvil), including AI-assisted analysis, alerting, reporting, notifications, and collaboration features.

A.4 Categories of Data Subjects (as applicable to Customer's configuration):

  • Customer's authorized users and administrators.
  • Scout: contacts at Customer's third-party vendors and vendor-portal respondents.
  • Command: Customer's employees, contractors, and other workforce members whose identity, access, device, HR, or security-tooling records are ingested through Customer-connected Connectors; and personnel referenced in policies, findings, assessments, incidents, and meeting transcripts.
  • Anvil: members of Customer's deal team and advisors; and contacts at target companies and their representatives who participate in the data room.

A.5 Categories of Personal Data (as applicable):

  • Identity and contact data (name, business email, phone, job title, organization).
  • Account and authentication data (user IDs, SSO identifiers, MFA enrollment status, authentication events).
  • User-generated content that may contain Personal Data (assessments, questionnaire responses, findings, risk entries, policies, documents and uploads, comments, notifications, and Command meeting and call transcripts).
  • Security- and workforce-context data ingested via Customer-connected Connectors (for example, account and group membership, MFA and device posture, offboarding status, security-tool signals).
  • Product usage and audit-log metadata.

A.6 Special categories of Personal Data. The Services are not intended to Process special categories of Personal Data (Article 9 GDPR). Customer will not upload such data except as incidental to documents Customer chooses to submit, and remains responsible for any such data.

A.7 Frequency of transfer. Continuous, for the duration of the Agreement.

Exhibit B

Authorized Sub-processors

Pylon engages the following Sub-processors to Process Customer Personal Data. Locations reflect the primary Processing location; providers may operate globally.

Sub-processorPurposeProcessing location
Supabase, Inc.Primary application platform: managed PostgreSQL database, authentication, object storage, and serverless (Edge) functions, the system of record for Customer Personal Data. Hosted on Amazon Web Services (AWS) infrastructure.United States
Cloudflare, Inc.Application hosting (Pages), content delivery, edge routing, and DDoS and network security for the web applications.United States (global edge)
Anthropic, PBCAI Processing (Claude) for the Hudson agent, document and assessment analysis, policy drafting, and related generative features.United States
OpenAI, L.L.C.AI Processing, including speech-to-text transcription (fallback) for Command meeting and call transcript features.United States
Groq, Inc.Speech-to-text transcription (primary) for Command meeting and call transcript features.United States
Voyage AI, Inc.Text embeddings for search and retrieval (RAG) features.United States
Brave Software, Inc.Web search used by AI and enrichment features to retrieve external context.United States
VirusTotal (Google LLC)File and URL reputation and scanning for uploaded artifacts and monitored assets.United States
Resend, Inc.Transactional and notification email delivery (recipient names and email addresses).United States
WorkOS, Inc.Enterprise authentication: Single Sign-On (SSO) and directory and identity federation.United States

Not Sub-processors. Third-party systems that Customer connects to the Services or directs Pylon to access, including Customer's identity, cloud, code, HR, endpoint, email-security, and compliance tools (for example, Okta, Microsoft Entra and 365, Google Workspace, AWS, Azure, GCP, GitHub, GitLab, CrowdStrike, and Customer's HRIS), are Customer's own vendors and data sources, not Pylon Sub-processors. Pylon accesses them under Customer's authorization and instructions.

Exhibit C

Technical and Organizational Measures

Pylon maintains the following measures, which serve as Annex II to the EU SCCs. Measures may be updated provided they do not materially diminish protection.

C.1 Access control and authentication

  • Mandatory multi-factor authentication (TOTP) for user accounts and support for enterprise SSO (via WorkOS).
  • Role-based access within customer organizations; least-privilege access for Pylon personnel.

C.2 Tenant isolation

  • Multi-tenant architecture with row-level security (RLS) policies scoping data to each customer organization, enforced at the database layer, with automated cross-tenant isolation testing.

C.3 Encryption

  • Encryption of Customer Personal Data in transit (TLS) and at rest (managed database and object storage encryption).

C.4 Operational security

  • Privileged service credentials restricted to server-side functions; server-side enforcement of authorization on API endpoints.
  • Audit logging of security-relevant actions (activity logs), including AI-agent actions attributed to an actor and session.
  • Segregation of production from development environments.

C.5 Resilience and recovery

  • Managed, redundant infrastructure with routine automated backups and defined restoration procedures.

C.6 Governance

  • Security program aligned to SOC 2 principles, with an independent SOC 2 Type II attestation in progress; internal policies covering access management, change management, incident response, and vendor management.
  • Personnel bound by confidentiality obligations.
Exhibit D

EU Standard Contractual Clauses (Completion)

The EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and completed as follows:

  • Modules: Module Two (Controller to Processor); Module Three (Processor to Processor) where Customer is a Processor.
  • Clause 7 (Docking): applies.
  • Clause 9 (Sub-processors): Option 2 (general written authorization); notice period per Section 6.3.
  • Clause 11 (Redress): optional language does not apply.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum): the courts of Ireland.

Annex I.A: List of Parties

  • Data exporter: Customer (as identified in the Agreement). Role: Controller (or Processor). Contact: as identified in the Agreement.
  • Data importer: Advosec, LLC d/b/a The Pylon Group. Role: Processor. Contact: [email protected]. Address: Pennsylvania, United States.

Annex I.B: Description of Transfer. As set out in Exhibit A (categories of Data Subjects and Personal Data, frequency, nature and purpose, duration, and Sub-processors per Exhibit B).

Annex I.C: Competent Supervisory Authority. The Irish Data Protection Commission, as the supervisory authority of the member state chosen under Clause 17.

Annex II: Technical and Organizational Measures. As set out in Exhibit C.

Annex III: List of Sub-processors. As set out in Exhibit B.

Exhibit E

UK International Data Transfer Addendum (Completion)

The UK Addendum (Template B1.0) is incorporated for Restricted Transfers of UK-origin Customer Personal Data.

Table 1: Parties. As set out in Exhibit D, Annex I.A.

Table 2: Selected SCCs, Modules and Clauses. The EU SCCs completed in Exhibit D, including their Annexes, are the "Approved EU SCCs" for the purposes of the UK Addendum.

Table 3: Appendix Information. The information in Exhibit A (Annex I.B), Exhibit C (Annex II), and Exhibit B (Annex III) applies.

Table 4: Ending the Addendum. Neither party may end the UK Addendum other than as provided in the UK Addendum.

Contact

Questions about this DPA, our sub-processors, or our transfer mechanisms can be directed to:

Advosec, LLC d/b/a The Pylon Group
Pennsylvania, United States
Privacy inquiries: [email protected]
Security reports: [email protected]

The Pylon Group

Cybersecurity, technology, and AI advisory from operators, not observers.

Services Embedded CISO Embedded CIO Governance, Risk & Compliance AI Engineering All services →
Products Scout Anvil Command Soon All software →
Company About Process Field Notes Dispatch Start a conversation
Connect LinkedIn [email protected]
© 2026 The Pylon Group, LLC. All rights reserved.
Privacy Terms DPA