
Data Processing Agreement (DPA)

Version 1.0 - Effective: January 2025

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service ("Agreement") between VersionOps ("Processor") and the Customer ("Controller") for the provision of the VersionOps infrastructure monitoring service ("Service").

1. Definitions

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

"Sub-processor" means any Processor engaged by the Processor to Process Personal Data on behalf of the Controller.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

2. Subject Matter and Duration

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

The duration of this DPA shall correspond to the duration of the Agreement. Upon termination or expiration of the Agreement, this DPA shall automatically terminate, subject to the data deletion and return obligations set forth herein.

The Processor shall Process Personal Data only for the duration necessary to fulfill the purposes described in this DPA and the Agreement.

3. Nature and Purpose of Processing

The Processor provides an infrastructure monitoring and version tracking service that enables the Controller to:

  • Monitor and inventory software versions across the Controller's infrastructure
  • Track host information and system configurations
  • Receive notifications about version updates and security vulnerabilities
  • Manage user access to the Service

The nature of Processing includes:

  • Collection and storage of infrastructure data submitted by the Controller
  • Processing of user account information for authentication and authorization
  • Analysis of version data for vulnerability detection and upgrade recommendations
  • Transmission of notifications and alerts to designated recipients
  • Generation of reports and analytics based on the Controller's data

Processing is carried out through automated means using secure cloud infrastructure.

4. Categories of Data Subjects

The Personal Data Processed under this DPA may relate to the following categories of Data Subjects:

  • Controller's Employees: Authorized users of the Service, including system administrators, DevOps engineers, and other personnel with access to the Service
  • Controller's Contractors: Third-party contractors or consultants granted access to the Service by the Controller
  • Controller's End Users: Where applicable, individuals whose data may be incidentally captured in system configurations or logs submitted to the Service

5. Categories of Personal Data

Technical Identifiers

  • Hostnames and server names
  • IP addresses (internal and external)
  • MAC addresses
  • System identifiers and configuration data

User Account Data

  • Full names
  • Email addresses
  • Job titles and roles
  • Authentication credentials (stored in hashed form)
  • Organization name and membership

Usage Data

  • Login timestamps and session information
  • Actions performed within the Service
  • Notification preferences and delivery records
  • API access logs

The Processor does not intentionally collect or Process special categories of Personal Data (sensitive data) as defined in Article 9 of the GDPR.

6. Processor Obligations

6.1 Documented Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions

6.2 Confidentiality

The Processor shall:

  • Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Limit access to Personal Data to those employees, contractors, and agents who require such access to perform the Service

6.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex II, including:

  • The pseudonymization and encryption of Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

6.4 Sub-processor Engagement

The Processor shall:

  • Not engage another Processor (Sub-processor) without prior specific or general written authorization of the Controller
  • Where general written authorization is given, inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes
  • Ensure that any Sub-processor is bound by data protection obligations equivalent to those set out in this DPA

6.5 Data Subject Rights Assistance

The Processor shall:

  • Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights
  • Notify the Controller without undue delay upon receiving any request from a Data Subject

6.6 Breach Notification

The Processor shall:

  • Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach
  • Provide sufficient information to enable the Controller to meet any obligations to report a Data Breach to supervisory authorities or Data Subjects

6.7 Data Protection Impact Assessments

The Processor shall assist the Controller in ensuring compliance with obligations relating to data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to the Processor.

6.8 Deletion and Return of Data

Upon termination of the Agreement, the Processor shall, at the Controller's choice:

  • Delete all Personal Data and certify such deletion in writing, or
  • Return all Personal Data to the Controller in a commonly used, machine-readable format

The Processor shall complete such deletion or return within 30 days of termination, unless Union or Member State law requires storage of the Personal Data.

6.9 Audit and Inspection

The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller

7. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors listed in Annex III.

The Processor shall notify the Controller of any intended changes to the Sub-processor list at least 30 days prior to engaging a new Sub-processor. The Controller may object to such changes within 14 days of notification.

Current Sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | EU (Frankfurt) and US |
| MongoDB Atlas | Database services | EU (Frankfurt) and US |
| Stripe, Inc. | Payment processing | US |

The Processor shall ensure that each Sub-processor is bound by written contractual obligations that provide at least the same level of data protection as this DPA.

The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations.

8. International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA) only where:

  • The European Commission has issued an adequacy decision for the destination country
  • Appropriate safeguards are in place, including the Standard Contractual Clauses
  • A derogation applies under Article 49 of the GDPR

EU-US Data Privacy Framework

For transfers to the United States, the Processor and its US-based Sub-processors rely on:

  • The EU-US Data Privacy Framework, where applicable
  • Standard Contractual Clauses (Module 2: Controller to Processor, and Module 3: Processor to Processor)

Standard Contractual Clauses

Where required, the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 are incorporated into this DPA by reference and shall apply to transfers of Personal Data to third countries not covered by an adequacy decision.

Upon request, the Processor shall provide the Controller with copies of the Standard Contractual Clauses executed with Sub-processors.

9. Security Measures (Technical and Organizational)

The Processor implements and maintains appropriate technical and organizational security measures, including:

Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Secure key management using industry-standard practices

Access Controls

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication for administrative access
  • Principle of least privilege for employee access
  • Regular access reviews and prompt revocation upon termination

Network Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • DDoS protection
  • Regular vulnerability scanning and penetration testing

Audit Logging

  • Comprehensive logging of system access and changes
  • Centralized log management and monitoring
  • Log retention for a minimum of 12 months

Incident Response

  • Documented incident response procedures
  • 24/7 monitoring and alerting
  • Regular incident response drills

Business Continuity

  • Regular backups with geographic redundancy
  • Disaster recovery procedures with defined RTOs and RPOs
  • Annual business continuity testing

The Processor shall regularly test and evaluate the effectiveness of these measures and update them as necessary to address evolving risks and threats.

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA.

Third-Party Audit Reports

The Processor shall make available upon request:

  • SOC 2 Type II reports (or equivalent)
  • Penetration test summaries
  • Compliance certifications

On-Site Audits

The Controller may conduct or commission an on-site audit, subject to:

  • Providing at least 30 days' written notice
  • Conducting the audit during normal business hours
  • Ensuring auditors are bound by confidentiality obligations
  • Not unreasonably interfering with the Processor's business operations
  • Bearing the costs of the audit unless a material breach is discovered

On-site audits shall not occur more than once per year, unless required due to a Data Breach or regulatory investigation.

11. Data Subject Rights Assistance

The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under the GDPR, including:

Right of Access (Article 15)

The Processor shall provide mechanisms for the Controller to export all Personal Data relating to a Data Subject.

Right to Rectification (Article 16)

The Processor shall enable the Controller to correct inaccurate Personal Data through the Service interface or upon written request.

Right to Erasure (Article 17)

The Processor shall delete Personal Data relating to a Data Subject upon the Controller's written request, subject to legal retention requirements.

Right to Restriction of Processing (Article 18)

The Processor shall implement technical measures to restrict Processing of specific Personal Data upon the Controller's instruction.

Right to Data Portability (Article 20)

The Processor shall provide Personal Data in a structured, commonly used, machine-readable format (JSON, CSV) upon request.

Right to Object (Article 21)

The Controller may instruct the Processor to cease Processing Personal Data for specific purposes.

The Processor shall respond to the Controller's requests regarding Data Subject rights within 5 business days.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the European Union and the Member State of the Controller's establishment.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the Controller's Member State of establishment.

Annex I: Details of Processing

| Item | Details |
|---|---|
| Subject Matter | Provision of infrastructure monitoring and version tracking services |
| Duration | Duration of the Agreement plus data retention period |
| Nature of Processing | Collection, storage, analysis, transmission, and deletion |
| Purpose | Infrastructure monitoring, version tracking, vulnerability detection, user management |
| Categories of Data Subjects | Controller's employees, contractors, and incidental end users |
| Categories of Personal Data | Technical identifiers, user account data, usage data |
| Sensitive Data | None intentionally collected |
| Frequency of Transfer | Continuous during Service operation |
| Retention Period | Duration of Agreement plus 30 days, or as required by law |

Annex II: Technical and Organizational Security Measures

1. Encryption

| Measure | Implementation |
|---|---|
| Data in Transit | TLS 1.3 for all connections |
| Data at Rest | AES-256 encryption |
| Key Management | AWS KMS / Industry-standard HSM |
| Password Storage | bcrypt with appropriate work factor |

2. Access Controls

| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication for administrative access |
| Authorization | Role-based access control (RBAC) |
| Session Management | Secure session tokens with appropriate expiration |
| Access Reviews | Quarterly access reviews |

3. Network Security

| Measure | Implementation |
|---|---|
| Firewalls | Application and network layer firewalls |
| Segmentation | Network segmentation between environments |
| Monitoring | 24/7 security monitoring and alerting |
| Vulnerability Management | Regular scanning and timely patching |

4. Data Protection

| Measure | Implementation |
|---|---|
| Backups | Daily encrypted backups with geographic redundancy |
| Retention | Configurable retention periods |
| Deletion | Secure deletion procedures |
| Pseudonymization | Applied where appropriate |

5. Organizational Measures

| Measure | Implementation |
|---|---|
| Security Training | Annual security awareness training |
| Background Checks | For employees with access to Personal Data |
| Confidentiality | Contractual confidentiality obligations |
| Incident Response | Documented procedures and regular testing |

Annex III: List of Sub-processors

| Sub-processor | Legal Entity | Location | Purpose | Safeguards |
|---|---|---|---|---|
| Amazon Web Services | Amazon Web Services, Inc. | US (with EU data residency options) | Cloud infrastructure hosting | EU-US DPF, SCCs |
| MongoDB Atlas | MongoDB, Inc. | US (with EU data residency options) | Database services | EU-US DPF, SCCs |
| Stripe | Stripe, Inc. | US | Payment processing | EU-US DPF, SCCs, PCI DSS |

The Controller will be notified of any changes to this list at least 30 days in advance.

Contact Information

For questions or requests regarding this DPA, please contact:

VersionOps Data Protection Contact

Email: [email protected]

This DPA is effective as of the date the Controller begins using the Service or signs the Agreement, whichever is earlier.
