Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (“DPA”) is entered into between Dynamgenix IT Corp, operating Vuln Pro Scan (“Processor” / “we”), and the customer organisation accessing the Vuln Pro Scan platform (“Controller” / “you”).
This DPA forms part of, and is incorporated into, the Terms of Service and applies wherever the Processor processes Personal Data on behalf of the Controller in connection with the Vuln Pro Scan service.
Where the Controller is located in the European Union, European Economic Area, or United Kingdom, this DPA and the Standard Contractual Clauses incorporated herein provide the legal framework for the transfer and processing of Personal Data in accordance with Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR.
1. Definitions
The following terms have the meanings set out below:
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion (Art. 4(2) GDPR).
- Controller — the entity that determines the purposes and means of Processing.
- Processor — Dynamgenix IT Corp, which processes Personal Data on behalf of the Controller.
- Sub-processor — a third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- Data Subject — the natural person to whom Personal Data relates.
- Supervisory Authority — the relevant national data protection authority in the Controller’s jurisdiction.
- SCCs — the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- Scan Data — the scan target data and scan output data described in Section 2, including any Personal Data incidentally contained in scan output.
2. Subject Matter & Duration
The Processor shall process Personal Data solely to provide the Vuln Pro Scan vulnerability scanning and security testing services described in the Terms of Service. The subject matter covers:
- Account management and authentication data (email addresses, session tokens).
- Scan target data provided by the Controller (URLs, IP addresses, hostnames).
- Scan output data — HTTP responses, vulnerability indicators, and security findings — which may incidentally contain Personal Data from scanned systems.
- Billing and transactional records (managed via our payment sub-processor).
This DPA remains in effect for the duration of the agreement between the parties and terminates automatically upon deletion or expiry of the Controller’s account, subject to any legally required retention obligations.
3. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries (Art. 28(3)(a) GDPR).
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
- Implement appropriate technical and organisational security measures in accordance with Art. 32 GDPR (Art. 28(3)(c) GDPR), including AES-256 encryption of stored secrets at rest, TLS 1.2 or higher in transit, role-based access controls, and audit logging, as detailed in Section 5.
- Not engage a Sub-processor without prior specific or general written authorisation of the Controller. Where general authorisation is granted, the Processor shall inform the Controller of intended Sub-processor changes, giving the Controller the opportunity to object (Art. 28(2) GDPR).
- Assist the Controller in responding to Data Subject requests to exercise rights under GDPR Chapter III, taking into account the nature of the processing (Art. 28(3)(e) GDPR).
- Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIAs) given the nature of Processing and information available to the Processor (Art. 28(3)(f) GDPR).
- At the Controller’s choice, delete or return all Personal Data upon termination of services, and delete existing copies unless applicable law requires storage (Art. 28(3)(g) GDPR).
- Make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits and inspections conducted by the Controller or its mandated auditor (Art. 28(3)(h) GDPR).
4. Controller Obligations
The Controller warrants and agrees to:
- Provide lawful instructions to the Processor and ensure a valid legal basis exists for all processing operations it instructs.
- Only instruct the Processor to scan systems the Controller owns or has explicit written authorisation to test, in accordance with the Terms of Service.
- Notify affected Data Subjects and Supervisory Authorities of any personal data breach in accordance with GDPR Arts. 33–34, based on information provided by the Processor.
- Ensure that where Scan Data may contain Personal Data relating to third-party individuals, the Controller has a lawful basis for collecting and processing such data.
5. Technical & Organisational Security Measures
The Processor maintains the following measures (Art. 32 GDPR) as of the last update date of this DPA:
- Encryption at rest: AES-256-GCM for API keys, scan credentials, and integration tokens.
- Encryption in transit: TLS 1.2 or higher on all endpoints.
- Access control: Role-based access (USER / SECURITY_OPERATOR / PEN_TEST_ADMIN) enforced at API and database layers.
- Authentication: Multi-factor authentication available; passwords stored only as bcrypt hashes; invite-code onboarding flow.
- Audit logging: Immutable append-only audit trail for security-sensitive operations with 24-month retention.
- Rate limiting: Per-IP rate limiting on authentication and scan endpoints.
- Vulnerability management: Regular penetration testing of the platform itself.
- Incident response: Formal programme with a commitment to notify the Controller without undue delay, and where feasible within 72 hours, of any personal data breach, so that the Controller can meet its own 72-hour notification deadline to the Supervisory Authority under Art. 33(1) GDPR (see Section 9).
6. Sub-processors
The Controller grants general authorisation for the Processor to engage Sub-processors. A current list of Sub-processors is published at /sub-processors. The Processor shall notify the Controller of any intended changes to Sub-processors (additions or replacements) by updating the Sub-processor list with at least 14 days’ notice where practicable, giving the Controller the opportunity to object.
All Sub-processors are bound by data protection obligations at least equivalent to those in this DPA. The Processor remains liable to the Controller for the performance of Sub-processors’ obligations (Art. 28(4) GDPR).
7. International Data Transfers
The Vuln Pro Scan platform is hosted on cloud infrastructure in the United States. Transfers of Personal Data from the EU/EEA or UK to the US are governed by the EU Standard Contractual Clauses (Module 2 — Controller to Processor) as adopted by the European Commission in Decision 2021/914 of 4 June 2021, and where applicable, the UK International Data Transfer Addendum.
By using the service, the Controller agrees that this DPA, together with the applicable SCC module, constitutes the complete transfer mechanism. The SCCs are incorporated herein by reference. If you require EU-region data residency or a separately countersigned SCC document, please contact dpa@vulnproscan.com.
8. Assistance with Data Subject Rights
The Processor provides the following self-service mechanisms to assist Controllers in responding to Data Subject requests:
- Access & Portability: Users may export all personal data held about their account via Settings → Account → Export Data.
- Erasure: Users may delete their account and all associated data via Settings → Legal → Delete Account.
- Restriction & Objection: Users may restrict processing or object to legitimate-interest processing via Settings or by contacting dpa@vulnproscan.com.
The Processor shall notify the Controller within 5 business days of receiving a Data Subject request that appears to relate to data processed on behalf of the Controller.
9. Personal Data Breach Notification
In the event of a personal data breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay after becoming aware of the breach (Art. 33(2) GDPR) and, where feasible, within 72 hours of becoming aware. Note that the 72-hour period in Art. 33(1) GDPR is the Controller’s own deadline for notifying the Supervisory Authority, which is why prompt notification by the Processor matters. The notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected.
- The name and contact details of the data protection contact point.
- A description of likely consequences of the breach.
- A description of measures taken or proposed to address the breach.
The Processor will send breach notifications to the Controller’s primary account email. Controllers who discover a security incident affecting the platform or their data should report it to security@vulnproscan.com.
10. Retention & Return of Data
Upon termination of the agreement or at the Controller’s request, the Processor shall:
- Delete all Scan Data and account data within 30 days.
- Retain billing records for 7 years as required by applicable tax and accounting law (Art. 17(3)(b) GDPR exemption), after which they are permanently deleted.
- Retain security audit logs for 24 months for security monitoring purposes, after which they are automatically purged.
- Upon request, provide written confirmation that deletion has been completed within 14 days of the deletion being carried out.
11. Audit Rights
The Controller may, upon 30 days’ written notice and no more than once per 12-month period, conduct an audit of the Processor’s compliance with this DPA, either directly or through a mandated auditor subject to appropriate confidentiality obligations. The Processor will cooperate with reasonable audit requests and may provide third-party audit reports (e.g., SOC 2) in lieu of a direct audit where applicable.
12. Governing Law & Jurisdiction
This DPA is governed by the laws of the State of Delaware, United States, except that the Standard Contractual Clauses are governed by the law of the EU member state in which the Controller is established, in accordance with Clause 17 of the SCCs.
DPA Requests & Questions
To request a countersigned DPA, EU-region data residency, or to ask questions about data processing, contact us at dpa@vulnproscan.com. For our full sub-processor list, visit /sub-processors.