1. Parties and scope
This Data Processing Agreement (“DPA”) is entered into between you (the “Controller”) and VulnVerify (the “Processor”) and governs the processing of personal data carried out by VulnVerify on the Controller's behalf as part of providing the VulnVerify vulnerability-intelligence service (the “Service”).
For the avoidance of doubt: when VulnVerify acts as a data controller in its own right (e.g. processing the Controller's billing data, threat-intelligence research data, or running the cold-outreach pipeline), this DPA does not apply — that processing is governed by our Privacy Policy.
2. Subject matter and duration
Subject matter: Provision of the VulnVerify service to the Controller, including authentication, search, alerting, and reporting on vulnerabilities affecting the Controller's domain(s).
Duration: The term of the Controller's subscription, plus up to 30 days following termination for orderly deletion of personal data.
Nature and purpose: Storing user account data (name, work email, hashed password) and authenticating users; logging usage activity for security and product purposes; sending transactional emails relating to the service.
Categories of data: Identification data (name, email), authentication credentials (hashed), professional context (job title, employer domain), usage data (search queries, watchlist, alerts), technical data (IP address, user-agent, approximate region).
Categories of data subjects: Employees of the Controller who use the service. We do not knowingly process data of children under 16.
3. VulnVerify's obligations as processor
VulnVerify agrees to:
- Process personal data only on documented written instructions from the Controller (the Terms of Service and configurations in the application count as such instructions).
- Ensure that personnel authorized to process the personal data are bound by confidentiality obligations.
- Take all measures required pursuant to Article 32 GDPR (security of processing) — see Annex II.
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligations to respond to data-subject requests and data-breach notifications.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (no more than once per 12-month period, with 30 days' written notice, at the Controller's expense).
- Promptly inform the Controller if an instruction infringes the GDPR or other applicable data-protection provisions.
4. Sub-processors
The Controller authorises VulnVerify to engage sub-processors under the conditions set out in this DPA. The current list of sub-processors is:
- Vercel Inc. (USA) — application hosting and CDN.
- Supabase Inc. (USA, EU regions available) — managed Postgres database.
- Resend Inc. (USA) — transactional email delivery.
- Stripe (USA) — subscription payment processing.
- PostHog Inc. (USA / EU available) — product analytics.
- Apollo.io (USA) — listed for transparency only. It is used solely for VulnVerify's own outbound cold outreach, which VulnVerify carries out as a controller in its own right (see section 1), and is NOT a sub-processor of any Controller data; Controller users are never enriched.
VulnVerify will notify the Controller of any intended changes concerning the addition or replacement of sub-processors (30 days in advance) and give the Controller an opportunity to object. If the Controller objects and the parties cannot reach agreement, the Controller may terminate the affected Service with pro-rata refund.
5. International data transfers
Where VulnVerify transfers personal data outside the European Economic Area, the United Kingdom, or any other jurisdiction with adequate data-protection laws, the transfer is governed by the EU Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (controller-to-processor), which are incorporated into this DPA by reference. For UK transfers, the UK International Data Transfer Addendum applies in addition.
Annex I (parties and processing), Annex II (technical and organisational measures), and Annex III (sub-processors) of the SCCs are deemed completed by the corresponding sections of this DPA and our Privacy Policy.
6. Technical and organisational measures (Annex II)
VulnVerify implements the following measures to ensure a level of security appropriate to the risk:
- Encryption: TLS 1.2+ for all data in transit; AES-256 for data at rest in the managed database.
- Authentication: bcrypt password hashing with cost factor 12; account lockout after repeated failed attempts; optional Google OAuth and (planned) SSO.
- Access control: Multi-tenant data segregation via mandatory companyDomain filtering in every query. Admin access is restricted to named individuals.
- Monitoring: Audit logging for security-sensitive events (12-month retention). Uptime monitoring of the production application and webhook endpoints.
- Backups: Daily encrypted backups of the production database with a 30-day retention window.
- Patching: Dependencies monitored via automated CVE feed checks; critical patches applied within 72 hours of a vendor fix becoming available.
- Incident response: Documented incident-response procedure; personal-data breach notification to affected Controllers as set out in section 8 (without undue delay, and in any event within 48 hours of awareness).
7. Data-subject requests
The Service provides self-service mechanisms for end-users to exercise their data-subject rights (export, delete, update). Where the Controller receives a request that cannot be fulfilled through these mechanisms, VulnVerify will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible.
VulnVerify will not respond directly to data-subject requests regarding Controller data without the Controller's prior instruction (other than to acknowledge receipt and redirect the requester to the Controller).
8. Personal data breach notification
VulnVerify will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, and in any event within 48 hours. The notification will include: nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
9. Return or deletion of personal data
At the choice of the Controller, VulnVerify will return all personal data to the Controller or delete it (and delete existing copies) at the end of the provision of services relating to processing, unless retention is required by applicable law. The Controller may export its data via the Service's built-in export tools at any time during the term.
10. Liability and indemnity
Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. To the maximum extent permitted by law, each party indemnifies the other for any damages, claims, or liabilities arising out of its own breach of this DPA.
11. Signature
This DPA is deemed accepted upon the Controller's acceptance of the Terms of Service. For customers requiring a counter-signed copy, email legal@vulnverify.com with your legal-entity name and address and we will return a signed PDF within 5 business days.
Disclaimer: This page is a standard-form starting point. For high-value contracts or regulated industries, your in-house counsel should review and negotiate specific terms; VulnVerify is happy to engage on edits.