Security at Immuta

"In the AI era, everyone is a data consumer—humans and AI agents alike. GenAI is driving explosive growth in data access demands, but most of that data is sensitive and must be governed. We automate the workflows that govern, provision, and audit compliant access—enabling fast, automated access to the right data while enforcing the controls needed to stay secure and audit‑ready."

Matthew Carroll, CEO at Immuta

Key Security Features

Immuta’s platform security controls, processes, and procedures are designed to meet business objectives while containing risk. Commitments relative to security controls are documented and communicated in agreements with clients and third-party service providers. Operational requirements supporting security controls are communicated in the Company’s policies and procedures, system design documentation, and contracts with clients and third-party service providers. Those security controls include, but are not limited to:

  • Formalized policies and procedures
  • System logging and monitoring
  • Vulnerability and patch management
  • Antivirus/antimalware software
  • Identity and access (logical and physical) management
  • Multi-factor authentication
  • Secured remote access
  • Firewall and network security group management
  • Backup management
  • Incident management and response, including contracted third-party industry response experts

Compliance and Regulations

  • AICPA SOC 2 Type 2

  • ISO 27001, ISO 27701

  • A-Lign PCI DSS

Immuta SaaS Services & the GDPR

Under the GDPR, Immuta acts as both a data processor and a data controller.

Immuta Data Processing Agreement

Immuta as a Data Processor

When licensees use Immuta SaaS services to manage access to licensee personal data, Immuta acts as a data processor. Licensees may act as data controllers or data processors, and Immuta acts as a data processor or sub-processor. Immuta contractual terms incorporate Immuta’s commitments as a data processor. Our security controls are described below, and our list of sub-processors is available here.

Immuta as a Data Controller

When Immuta processes personal data and determines the purposes and means of processing that personal data, it acts as a data controller. For more information about how Immuta processes personal data as a data controller, see the Immuta Privacy Policy and SaaS Privacy Notice.

What is a Subprocessor?

A Subprocessor is a third party utilized by Immuta to deliver its SaaS Services as a data processor. Immuta engages different types of Subprocessors to perform the various services explained below.

Please see below for a list (current as of the dates mentioned below) of the names and locations of Immuta’s Subprocessors (including members of the Immuta Group and third parties).

Third Party Subprocessors

Immuta utilizes the AWS cloud service provider to host Immuta SaaS services. Licensee metadata, such as data dictionaries, policy-related data, user data, and audit logs, will thus live in an AWS environment, in the Immuta geographical region selected by Licensee, which could be Immuta APJ, Europe, or US. This list was last updated: 03/16/2026.

| Entity Name | Purpose | Location of Processing |
|---|---|---|
| Abnormal AI, Inc. | Email security and threat protection for corporate email services. Abnormal AI is not part of the Immuta SaaS offering. | US |
| Amazon Web Services, Inc. | Host Immuta’s SaaS services in the region elected by customers. | In region |
| Apollo Inc. | Business-to-business sales and business development activities, including prospecting, contact discovery, account research, and related outreach support. | US |
| Datadog Inc. | Manage security logs. | US |
| Temporal Technologies, Inc. | Execute background workloads | In region |
| Megaport Inc. | Transmit packets between cloud providers. | In region |
| Google LLC | Communicate with customers. | US |
| Zoom Video Communications, Inc. | Communicate with customers. | US |
| Slack Technologies LLC | Communicate with customers. | US |
| Salesforce, Inc. | Customer relationship management platform. | US |
| FrontApp, Inc. | Customer support platform. | US |

Immuta Group Subprocessors

Immuta works with a few third parties to support specific services within its overall SaaS offering. These providers are Subprocessors, as they may have access to personal data related to Licensee’s authorized users. This list was last updated: 03/16/2026.

| Entity Name | Purpose | Location of Processing |
|---|---|---|
| Immuta Ltd | Perform customer support tasks. | UK |
| Immuta Pty Ltd | Perform customer support tasks. | Australia |

Infrastructure Security

Immuta is cloud-native, including all our supporting cloud computing infrastructure and our software solution (Software-as-a-Service).

Our cloud computing infrastructure is provided by Amazon Web Services (AWS). This infrastructure is built and managed not only in accordance with security best practices and standards, but also with the unique needs of the cloud in mind. AWS uses redundant and layered controls, continuous validation and testing, and substantial automation to ensure that the underlying infrastructure is monitored and protected 24×7.

We make continuous backups, which we keep for 7 days. In case of an incident, we can restore from these backups immediately.

Physical Security

We rely on AWS for the physical security of our supporting cloud computing infrastructure. We also take physical security measures for our own offices (such as badge access and video surveillance).

Product Security

We have a clearly defined software development process designed to ensure that our software is well tested and ready for production.

We take security measures to protect our software solution from cyber attacks and to detect fraudulent or malicious activities. Our software is monitored and protected by an industry-leading continuous process of cloud security improvement and adaptation, which includes active defenses against known and unknown attacks. In addition, we also have periodic security measures carried out by a qualified external party (such as penetration testing).

Data Security

We take security measures to secure your data. We comply with applicable legislation relating to data protection and data privacy. We do not keep your data longer than necessary. Our DPA provides additional detail regarding our data retention practices.

Immuta offers a number of global deployment options to help meet customers’ compliance needs.

We only access your data on request or with your permission.

Attestation & Certification

We can demonstrate that we have appropriate controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks.

Our security measures are audited annually by an independent and external party. If you need more information or would like to receive a copy of our SOC 2 report, please make the request via your assigned account manager.

Vulnerability Disclosure Program

Immuta's Vulnerability Disclosure Policy
