How Index8 processes data on your behalf.
Last updated June 16, 2026. For a signed copy: legal@index8.app.
This page summarizes the data-processing terms Index8 offers and is a draft prepared for legal review. It is informational and is not a signed agreement on its own. To execute a Data Processing Addendum for your organization, contact legal@index8.app. Where this summary and a signed addendum differ, the signed addendum governs.
Roles
For workspace content you add, your organization is the data controller and Index8 is the data processor. Index8 processes that personal data only to provide the service and only on your documented instructions, which include your use of the product and this addendum.
Scope and duration
This addendum applies for as long as Index8 processes personal data on your behalf, which is the term of your use of the workspace. The subject matter is the security readiness service; the nature and purpose are to host your workspace, compute your readiness score, generate the documents you request, and send transactional email.
Categories of data and data subjects
Personal data may include the names and work emails of your team members and contacts you add, account details, and the workspace content you choose to enter (assessment answers, policies, evidence, training records, insurance preparation notes). Data subjects are your team members and any individuals named in content you add. We ask you not to enter regulated identifiers such as Social Security numbers, full payment card numbers, or login credentials.
Our obligations as processor
Index8 will: process personal data only on your instructions; keep personnel who access it bound by confidentiality; apply the security measures below; assist you, taking into account the nature of processing, in responding to data-subject requests; and notify you without undue delay after becoming aware of a personal-data breach affecting your data.
Security measures
Traffic is encrypted in transit. Access is scoped to your organization in the application layer and protected by row-level security in the database, with role-based permissions. Evidence files live in a private bucket served through short-lived signed links. Staff access to customer data is limited to support needs and is logged. Our security posture describes these practices in more detail. No vendor can promise perfect security, and we do not.
Sub-processing
You authorize Index8 to engage the third-party processors listed on our subprocessors page, each bound to data-protection obligations no less protective than those in this addendum. We remain responsible for their performance and will post additions or changes to that page. On request we will add you to a notice list for subprocessor changes.
Data-subject requests
If we receive a request from one of your data subjects, we will direct them to you rather than respond directly, unless legally required otherwise. We provide tools in workspace settings and will assist with access, correction, export, and deletion requests sent to privacy@index8.app.
Return and deletion
On termination, you may export your report content, and we will delete your workspace personal data on request, confirming the deletion to you. Removed evidence is held briefly so accidental deletions can be recovered, then purged. Backups age out on our database provider's standard schedule.
International transfers
Index8 is operated from the United States, and our subprocessors are engaged accordingly. Where personal data is transferred from another region, the parties will rely on a lawful transfer mechanism set out in the signed addendum.
Audits
On reasonable request and notice, we will make available the information needed to demonstrate compliance with this addendum, including our security posture documentation and answers to a reasonable security questionnaire.
Requesting a signed addendum
To put an executed Data Processing Addendum in place for your organization, email legal@index8.app with your legal entity name. We will return a copy for signature.