Data Processing Agreement

1. Subject Matter and Duration

Subject matter: processing of personal data for the purpose of providing the Service.

Duration: this DPA remains in force for as long as Sycrion processes personal data on behalf of the Customer under the Terms of Service.

2. Nature and Purpose of Processing

• Performing public-source monitoring scans on domains specified by the Customer
• Storing scan results and findings for retrieval by the Customer
• Generating reports and email alerts
• Providing user authentication and account management
• Customer support and billing administration

3. Type of Personal Data

• User identification: name, business email, organization name, role
• Account credentials: hashed password, session tokens
• Service inputs: domains, email patterns, project identifiers submitted for monitoring
• Communications: support tickets, contact form submissions
• Technical metadata: IP address, browser, device identifiers, timestamps

4. Categories of Data Subjects

• Customer's employees and authorized users of the Service
• Customer's organizational contacts referenced in scan configuration
• Individuals identifiable through publicly available information indexed by the Service (e.g. emails appearing in public leaks)

5. Processor Obligations

Sycrion shall:

• Process personal data only on documented instructions from the Customer, including this DPA
• Ensure persons authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational measures (see Annex II)
• Assist the Customer in responding to data subject requests
• Assist the Customer with data protection impact assessments and prior consultations
• Notify the Customer without undue delay (within 72 hours) upon becoming aware of a personal data breach
• Make available all information necessary to demonstrate compliance with Article 28

6. Subprocessors

The Customer authorizes Sycrion to engage the subprocessors listed in Annex III. Sycrion will notify the Customer at least 30 days in advance of any intended changes; the Customer may object on reasonable data protection grounds.

7. International Transfers

Where personal data is transferred outside the EEA, transfers rely on Standard Contractual Clauses (Commission Decision 2021/914) and applicable supplementary safeguards.

8. Audit

Sycrion will, upon reasonable written request and no more than once per calendar year (or when required by a supervisory authority), make available information necessary to demonstrate compliance with this DPA. The Customer bears the cost of any on-site audit unless material non-compliance is found.

9. Return or Deletion

Upon termination of the Service, Sycrion will, at the Customer's choice, return or delete personal data within 90 days, unless retention is required by applicable law.

10. Liability

Liability under this DPA is governed by the limitation of liability clause in the Terms of Service, except where applicable law does not allow such limitation.

Annex I — Description of Processing

As described in sections 2–4 above.

Annex II — Technical and Organizational Measures

• TLS 1.2+ for all data in transit
• AES-256 encryption at rest for stored scan data
• Role-based access control with least-privilege principle
• Audit logging of all administrative actions
• Multi-factor authentication for administrative accounts
• Regular vulnerability scanning of own infrastructure
• Documented incident response procedure
• Annual employee security training
• EU-region hosting (Vercel + Neon)

Annex III — Approved Subprocessors

• Vercel Inc. — application hosting
• Neon, Inc. — managed PostgreSQL database
• Resend — transactional email delivery
• [Payment processor]
• [Customer support tool]