Data Processing Agreement

Template v1 — last updated 20 April 2026

Standard DPA draft — ready for enterprise review. This document reflects our current processor commitments and sub-processor list. For a signed counterpart or customer-specific redlines, email legal@protectyourvibes.ai.

1. Parties and effective date

This Data Processing Agreement ("DPA") is entered into between Protect Your Vibes ("Processor", "we", "us") and the customer entity identified in the signature block below ("Controller", "you"). The DPA is effective as of the date of signature and supplements the Protect Your Vibes Terms of Service.

2. Definitions

  • Data Controller — the customer, who determines the purposes and means of processing personal data.
  • Data Processor — Protect Your Vibes, acting on the Controller's documented instructions.
  • Personal Data — any information relating to an identified or identifiable natural person, as defined by GDPR Art. 4(1) and equivalent CCPA terms.
  • Sub-processor — a third party engaged by the Processor to process Personal Data on the Controller's behalf.
  • Applicable Data Protection Law — GDPR, UK GDPR, CCPA/CPRA, and any other data-protection law applicable to the parties.

3. Scope and subject matter

This DPA governs the Processor's processing of Personal Data provided by, or collected on behalf of, the Controller through its use of the Protect Your Vibes security-scanning service.

4. Duration and termination

This DPA is in force for as long as the Processor processes Personal Data on the Controller's behalf. Termination of the Protect Your Vibes Terms of Service automatically terminates this DPA, subject to the return/deletion obligations in Section 13.

5. Nature and purpose of processing

The Processor processes Personal Data solely to provide, secure, and improve the security-scanning service: running scans authorized by the Controller, storing scan results, surfacing findings to the Controller, sending account and transactional email, and complying with legal obligations.

6. Types of personal data processed

  • Account email address
  • Scan URL and domain
  • Scan evidence, which may incidentally contain Personal Data exposed by the Controller's own application (for example, leaked rows from misconfigured databases)
  • IP address of the user who initiated the scan
  • Authentication session identifiers
  • Billing contact and Stripe customer identifiers

7. Categories of data subjects

  • Controller's employees and authorised users of the service
  • Controller's customers, to the extent their data is incidentally surfaced by a scan
  • Visitors to the Controller's public web surfaces that are in scope of a scan

8. Processor obligations

  • Process Personal Data only on the Controller's documented instructions, including those set out in this DPA.
  • Ensure that personnel authorised to process Personal Data are under confidentiality obligations.
  • Implement appropriate technical and organisational measures as described in Section 11.
  • Use Sub-processors only subject to the terms of Section 9 and impose equivalent data-protection obligations on them.
  • Assist the Controller with responding to data-subject requests (access, rectification, erasure, portability) within 30 days of a verified request.
  • Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data breach affecting the Controller's data.

9. Sub-processors

The Controller gives general authorisation for the following Sub-processors. The Processor will notify the Controller of any intended additions or replacements with at least 30 days' notice, and the Controller may object on reasonable data-protection grounds.

  • Supabase — managed database and authentication (hosted on AWS us-east-1)
  • Vercel — application hosting and edge compute (global edge; primary region US)
  • Stripe — billing and subscription management (US and EU processing regions)
  • Resend — transactional email delivery (US)
  • Cloudflare — bot-defence, DNS, Turnstile, and egress proxy (global edge network)
  • Sentry — error and performance telemetry (US)

10. International data transfers

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum. These are incorporated by reference into this DPA.

11. Technical and organisational measures

  • Encryption in transit (TLS 1.2 or higher) and at rest
  • Role-based access control with least-privilege defaults
  • Row-Level Security on all customer-facing database tables
  • SSRF and egress controls on scan workloads
  • Segregated production and non-production environments
  • Logging, monitoring, and alerting on security-relevant events
  • Regular backups with tested restoration procedures
  • Periodic review of Sub-processor security posture

12. Audit rights

On written request, and no more than once per twelve-month period, the Controller may request documentary evidence of the Processor's compliance with this DPA (such as SOC 2 or ISO 27001 reports, where available, or responses to a security questionnaire). On-site audits are available for Enterprise customers subject to a separate engagement letter.

13. Data return and deletion

Within 30 days of termination, the Processor will, at the Controller's choice, return or delete all Personal Data processed on the Controller's behalf, except where retention is required by applicable law. Backups are overwritten on their normal rotation schedule.

14. Liability

Each party's aggregate liability arising out of or in connection with this DPA is limited to the total fees paid by the Controller to the Processor in the twelve months preceding the event giving rise to the liability. Nothing in this DPA excludes liability that cannot be limited under applicable law.

15. Signature block

This DPA is effective as of the date of signature below.

Controller (Customer)

Entity name: ______________________________
Signatory name: ___________________________
Title: ____________________________________
Signature: ________________________________
Date: _____________________________________

Processor (Protect Your Vibes)

Entity name: Protect Your Vibes
Signatory name: ___________________________
Title: ____________________________________
Signature: ________________________________
Date: _____________________________________