Data Processing Agreement
Last updated: December 15, 2024
What is a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller (you) and a data processor (VulnerabilityScan.com). It is required under GDPR and other data protection regulations when a service provider processes personal data on your behalf. The DPA establishes the rights and obligations of each party regarding data protection, security measures, and compliance responsibilities.
DATA PROCESSING AGREEMENT
This Data Processing Agreement forms part of the Terms of Service between:
- Data Controller: Customer (as identified in the Agreement)
- Data Processor: VulnerabilityScan.com
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.
Data Protection Laws means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations.
Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Sub-processor means any third party engaged by VulnerabilityScan.com to process Personal Data on behalf of the Customer.
2. Scope and Purpose of Processing
VulnerabilityScan.com processes Personal Data solely to provide the vulnerability scanning services described in the Agreement. The categories of Personal Data processed may include:
- Contact information (names, email addresses) of Customer personnel
- Technical identifiers (IP addresses, hostnames) of systems being scanned
- Account credentials provided for authenticated scanning
- Usage data related to the Customer's use of the Services
3. Processor Obligations
VulnerabilityScan.com agrees to:
- Process Personal Data only on documented instructions from the Customer
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Assist with data protection impact assessments when required
- Delete or return all Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
- Notify the Customer of any Personal Data breach without undue delay
4. Security Measures
VulnerabilityScan.com implements and maintains the following security measures:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident detection and response capabilities
- Employee security training and background checks
- Physical security controls at data center facilities
A detailed description of security measures is available in our Security Practices documentation.
5. Sub-processors
The Customer authorizes VulnerabilityScan.com to engage Sub-processors to perform specific processing activities. Current Sub-processors include:
- Cloud Infrastructure: Amazon Web Services (AWS) - United States
- Payment Processing: Stripe - United States
- Email Services: Resend - United States
VulnerabilityScan.com will notify the Customer of any intended changes to Sub-processors, providing the Customer an opportunity to object. VulnerabilityScan.com remains liable for the acts and omissions of its Sub-processors.
6. International Data Transfers
VulnerabilityScan.com is based in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, VulnerabilityScan.com relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Additional safeguards where required by applicable law
The SCCs are incorporated into this DPA by reference.
7. Data Subject Rights
VulnerabilityScan.com will assist the Customer in fulfilling data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object to processing
- Right to restrict processing
The Customer should direct data subjects to contact VulnerabilityScan.com at privacy@vulnerabilityscan.com for requests related to Personal Data that VulnerabilityScan.com processes on the Customer's behalf.
8. Data Breach Notification
VulnerabilityScan.com will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:
- Nature of the breach, including categories and approximate number of data subjects affected
- Name and contact details of VulnerabilityScan.com's data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Audit Rights
VulnerabilityScan.com will make available to the Customer information necessary to demonstrate compliance with this DPA. Upon reasonable notice, the Customer may conduct audits or inspections, or appoint a third-party auditor, subject to reasonable confidentiality requirements.
VulnerabilityScan.com also provides SOC 2 Type II reports and other audit documentation upon request.
10. Duration and Termination
This DPA remains in effect for the duration of the Agreement. Upon termination:
- VulnerabilityScan.com will delete or return all Personal Data within 90 days
- Upon request, VulnerabilityScan.com will certify the deletion of Personal Data
- Anonymized or aggregated data may be retained for service improvement
11. Liability
Liability under this DPA is subject to the limitations set forth in the Agreement. Each party shall be liable for damages caused by processing that violates Data Protection Laws or this DPA.
12. Contact Information
For DPA-related inquiries:
Email: privacy@vulnerabilityscan.com
Address: Pittsburgh, PA
By using VulnerabilityScan.com services, the Customer agrees to the terms of this Data Processing Agreement. For a signed copy of this DPA, please contact us at privacy@vulnerabilityscan.com.
Enterprise customers can request a countersigned copy of this DPA.