
Legal · version 2026-01 · effective 2026-01-01

Data Processing Agreement

Draft for review. This DPA is a scaffold meant to be tightened by counsel before signature. The substantive clauses below track GDPR Article 28 and the standard EDPB / ICO templates, but specific terms (term length, indemnity caps, return-vs-deletion choice) need to be confirmed for each customer.

This Data Processing Agreement (the "DPA") supplements the engagement agreement between Cyber Protocol ("Processor"), Rue du Trône 100, 1050 Brussels, Belgium, and the customer named in that engagement ("Controller"). It governs all processing of Personal Data by Processor on behalf of Controller in connection with the cybersecurity services Processor provides.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", and "Personal Data breach" have the meanings given in the GDPR. "Customer Data" means any data Controller provides to Processor, or to which Processor is granted access, for the purpose of the engagement, including any Personal Data it contains.

2. Subject-matter, duration & nature of processing

  • Subject-matter: performance of cybersecurity testing services as described in the engagement agreement.
  • Duration: from the engagement kickoff date until report delivery, plus the agreed report-retention window (PLACEHOLDER: typically 90 days, see customer's selected retention policy).
  • Nature & purpose: collection, examination, transmission, and (where strictly necessary) limited retention of Customer Data to identify and document security vulnerabilities.
  • Categories of data subjects: Controller's employees and customers whose accounts are made available as test fixtures.
  • Categories of Personal Data: account identifiers, authentication tokens, role/permission metadata; and PLACEHOLDER: any additional categories the engagement scope explicitly includes.

3. Processor obligations

Processor will:

  • Process Customer Data only on Controller's documented instructions, including with regard to international transfers, unless required to do so by EU or Member-State law; in that case Processor will inform Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • Ensure that personnel authorised to process Customer Data are subject to a duty of confidentiality;
  • Implement the technical and organisational measures described in Schedule A (Security Measures);
  • Not engage another processor (sub-processor) without Controller's prior specific or general written authorisation. Controller gives general authorisation for the sub-processors listed in Schedule B; additions or replacements are subject to the notice and objection procedure set out in Schedule B;
  • Assist Controller, taking into account the nature of the processing, in responding to data-subject requests;
  • Assist Controller in ensuring compliance with Articles 32 to 36 GDPR;
  • At Controller's choice, delete or return all Customer Data after the end of the provision of services, and delete existing copies unless EU or Member-State law requires storage; Controller's choice is recorded in the engagement letter (default: delete after the report-retention window), and Processor will confirm deletion in writing on request;
  • Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, subject to reasonable confidentiality undertakings;
  • Immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

4. Personal Data breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and in any event early enough for Controller to meet its own seventy-two (72) hour deadline under Article 33(1) GDPR (PLACEHOLDER: initial notification within 24 hours of awareness; confirm per customer). Note that the 72-hour period in Article 33 is Controller's deadline to the supervisory authority, so a processor deadline of 72 hours would leave Controller no time to act. The notification will include the information required by Article 33(3) GDPR (nature of the breach, categories and approximate number of data subjects and records concerned, contact point, likely consequences, and measures taken or proposed) to the extent then available, and Processor will supply the remaining information in phases as it becomes available, without undue further delay.

5. International transfers

Where Processor transfers Customer Data outside the European Economic Area, the transfer will rely on (i) an adequacy decision of the European Commission, (ii) the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, supplemented where required by a transfer risk assessment and supplementary measures, or (iii) another lawful transfer mechanism under Chapter V GDPR. Schedule B identifies the regions in which each sub-processor operates.

6. Term & termination

This DPA takes effect on the date of the engagement agreement and remains in force for as long as Processor processes Customer Data on behalf of Controller. Sections 3 (end-of-services obligation), 4 (breach notification cooperation), and 7 (governing law) survive termination.

7. Governing law & jurisdiction

This DPA is governed by the laws of Belgium. The courts of Brussels have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.


Schedule A — Security measures

Processor maintains the following technical and organisational measures to protect Customer Data:

  • Access control: principle of least privilege; MFA enforced on every privileged account; access grants are time-bound and reviewed quarterly;
  • Encryption: TLS 1.2 or later for all data in transit; encryption at rest on all managed databases and object storage;
  • Network segmentation: control plane and data plane separated; outbound traffic restricted to approved sub-processors only;
  • Logging: centralised, append-only audit log of privileged actions; PLACEHOLDER: log retention period (default 12 months);
  • Backup: PLACEHOLDER: backup frequency and retention as configured for the managed database provider, with backups encrypted at rest;
  • Vulnerability management: dependency scanning on every deploy; quarterly third-party review of the production environment;
  • Personnel: confidentiality clauses in every employee and contractor engagement contract; security-awareness training annually.

Schedule B — Sub-processors

  Sub-processor   Purpose                                   Region
  Stripe          Payment processing                        EU + US (with adequacy)
  Resend          Transactional email delivery              EU + US
  Vercel          Hosting + edge runtime                    EU + US
  Neon            Managed PostgreSQL                        eu-west-2 (PLACEHOLDER: confirm region; AWS eu-west-2 is London, i.e. UK, covered by an adequacy decision, not an EU region; select an EU region if EU data residency is required)
  Scaleway        Container runtime + IAM (sslyze workers)  EU (FR)

Processor will give Controller at least 30 days' notice before adding or replacing a sub-processor that processes Customer Data, sent to the email address on file under the engagement agreement. Controller may object on reasonable grounds within that period, and the parties will cooperate in good faith to find a workable alternative (PLACEHOLDER: consequence if no alternative is found, e.g. Controller's right to terminate the affected services).


For questions, contact legal@cyber-protocol.org. See also our Responsible Disclosure Policy and Privacy Policy.