Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Scanspire (“Processor”) and the entity using Scanspire’s services (“Controller”) (each a “Party” and together “the Parties”).
1. Definitions
1.1. “Applicable Data Protection Law” means all laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (GDPR) and any national implementing laws, regulations, and secondary legislation.
1.2. “Personal Data” means any information relating to an identified or identifiable natural person as defined in Applicable Data Protection Law.
1.3. “Processing” means any operation performed on Personal Data, whether or not by automated means.
1.4. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
2. Processing of Personal Data
2.1. The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject.
2.2. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set forth in Appendix 1 to this DPA.
3. Confidentiality
3.1. The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security of Processing
4.1. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
a) The pseudonymization and encryption of Personal Data;
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5. Sub-processors
5.1. The Processor shall not engage another processor without prior specific or general written authorization of the Controller.
5.2. Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract.
6. Data Subject Rights
6.1. The Processor shall assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Applicable Data Protection Law.
7. Personal Data Breach
7.1. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach.
7.2. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
8. Deletion or Return of Personal Data
8.1. At the choice of the Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
9. Audit Rights
9.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
10. Data Transfers
10.1. The Processor shall not transfer Personal Data to a third country or an international organization unless it has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available.
11. Governing Law and Jurisdiction
11.1. This DPA shall be governed by and construed in accordance with the laws of [Jurisdiction], without regard to its conflict of law principles.
11.2. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of [Jurisdiction].
12. Agreement to Terms
12.1. By using Scanspire’s services, you acknowledge that you have read this Data Processing Agreement and agree to be bound by its terms and conditions.
12.2. This DPA forms part of the Terms of Service between Scanspire (the Processor) and the user of Scanspire’s services (the Controller).
12.3. Acceptance of this DPA is indicated by continued use of Scanspire’s services. If you do not agree to this DPA, please discontinue use of our services immediately.
Last updated: Oct 15 2024
For any questions regarding this Data Processing Agreement, please contact us at [Insert Contact Email].
Appendix 1: Details of Processing
Subject matter of Processing:
The Processing of Personal Data in connection with the provision of vulnerability scanning and security assessment services by Scanspire.
Duration of Processing:
The Processing will continue for the duration of the Agreement between the Parties.
Nature and purpose of Processing:
The Processing is performed to provide vulnerability scanning, security assessment, and related services to the Controller.
Types of Personal Data:
User account information (name, email address, etc.)
IP addresses and domain names of scanned assets
Vulnerability and security assessment data
Categories of Data Subjects:
Controller’s employees and authorized users
Controller’s clients or customers (indirectly, through scanned assets)
Processing operations:
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.