Data Processing Agreement
Effective: 2026-04-21 · Version 1.0
This Data Processing Agreement ("DPA") supplements the Securie Terms of Service between Securie ("Processor") and the Customer ("Controller") and is effective on the date Customer clicks "Accept" or signs an Order Form referencing this DPA.
1. Definitions
Terms not defined here have the meanings in Regulation (EU) 2016/679 ("GDPR") and, where applicable, the California Consumer Privacy Act 2018 ("CCPA").
2. Scope
Securie processes Personal Data on behalf of Customer solely to provide the Securie services: scanning authorized repositories, generating findings and attestations, producing suggested fixes, and operating billing. Categories and retention are set out in Annex I.
3. Processor obligations (GDPR Art. 28)
- Process Personal Data only on documented instructions from Customer.
- Ensure persons authorized to process are bound by confidentiality.
- Assist Customer with Data Subject requests (Art. 15–22) within 10 business days.
- Assist with DPIAs and breach notifications (Art. 33–34).
- Delete or return Personal Data at termination per Customer's election.
- Maintain records of processing (Art. 30) and make them available on request.
4. Sub-processors
The list of sub-processors is published at /legal/privacy §5 and updated at least 14 days before a new sub-processor is engaged. Customer may object in writing within 14 days; if the objection cannot be resolved, Customer may terminate the affected services pro-rata.
5. International transfers
Transfers to countries without an adequacy decision are governed by the Standard Contractual Clauses 2021 (Modules 2 & 3), incorporated by reference. The SCCs prevail in case of conflict with these Terms.
6. Security measures (Annex II)
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Access control with MFA for all operator accounts.
- SOC 2 Type II audit in progress; controls mapped to ISO 27001 Annex A.
- Least-privilege service accounts; rotation at least quarterly.
- Tenant isolation at the application and database layers; single-tenant deployment option available at Enterprise.
- Sub-processor AI endpoints are contractually zero-data-retention.
7. Breach notification
Securie notifies Customer without undue delay (target: 24 hours) of any confirmed Personal Data breach affecting Customer Personal Data, together with remedial steps taken or proposed.
8. Audit rights
Customer may audit Securie's compliance with this DPA once per year on 30 days' notice, or sooner on a confirmed incident. SOC 2 and ISO 27001 reports (when available) satisfy this audit right absent specific cause.
Annex I — Processing Details
- Subject matter: Securie security scanning services.
- Duration: Term of the Terms of Service.
- Nature: Analysis of source code & configuration; generation of findings, fixes, and signed attestations.
- Purpose: Detection and remediation of security defects at Customer's direction.
- Data subjects: Customer personnel with repository access.
- Categories: Email, OAuth identity, IP, user-agent, per §2 of Privacy Policy.