Data Processing Agreement (DPA)

1. Scope and Roles

This Data Processing Agreement ("DPA") forms part of the agreement between AuditWard ("we", "us", "our") and the customer accepting our Terms of Service ("you", "Customer"). It governs our processing of personal data contained in scan data, scan artifacts, and credentials or other context you supply for scans ("Customer Data") under Article 28 of the General Data Protection Regulation ("GDPR").

For Customer Data, you act as the data controller (or as a processor on behalf of your own customers) and AuditWard acts as your data processor. This DPA does not apply to data for which AuditWard is itself a controller, such as your account registration details, billing records, and scan authorization audit logs, which are governed by our Privacy Policy.

Subject Matter and Duration

The subject matter of the processing is the provision of automated QA testing and security auditing services. Processing continues for the duration of your agreement with us. The nature and purpose of the processing, the types of personal data, and the categories of data subjects are determined by the targets you submit for scanning and may include personal data appearing on scanned web applications, in scan findings and evidence, and in credentials you provide for authenticated scans.

2. Processing on Documented Instructions

We process Customer Data only on your documented instructions, including with regard to transfers of personal data to a third country, unless we are required to process it by European Union or Member State law to which we are subject. In that case, we will inform you of the legal requirement before processing, unless that law prohibits such disclosure on important grounds of public interest.

Your instructions are given through your use of the service: initiating, configuring, and cancelling scans via the dashboard, the API, or the MCP server, supplying answers and credentials when a scan requests input, and managing your account and data. The Terms of Service, the Acceptable Use Policy, and this DPA constitute your complete documented instructions. We will inform you if, in our opinion, an instruction infringes the GDPR or other applicable data protection law.

3. Confidentiality

We ensure that all persons authorized to process Customer Data, including employees and contractors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Data is limited to personnel who require it to provide, support, or secure the service.

4. Security Measures (Article 32)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Customer Data in transit using TLS.
• Encryption of Customer Data at rest, including AWS S3 server-side encryption for scan artifacts (screenshots, videos, reports).
• Hosting on Amazon Web Services (AWS) infrastructure in the United States, protected by AWS physical and network security controls.
• Access controls restricting Customer Data to authorized personnel, with periodic access reviews.
• Hashed storage of account passwords and API/MCP access tokens; raw tokens are never stored.
• Logging and audit trails for scan authorizations and account activity.

We may update these measures from time to time, provided the updates do not materially reduce the overall level of protection of Customer Data.

5. Sub-Processors

You grant us general written authorization to engage sub-processors to process Customer Data on your behalf. The sub-processors we currently engage, including Amazon Web Services (cloud infrastructure, storage, and AI model inference via Amazon Bedrock for scan analysis), Mailgun (transactional email), Stripe (payment processing), and Google (analytics and abuse protection), are listed on our public Sub-Processors page.

We will provide you with written notice via email at least 30 days before a new sub-processor begins processing Customer Data. You may object to a new sub-processor on reasonable, data-protection-related grounds within 30 days of the notice. If we cannot reasonably provide the service without the sub-processor you object to, you may terminate the affected service. We impose data protection obligations on each sub-processor by way of contract that are no less protective than those set out in this DPA, and we remain fully liable to you for the performance of each sub-processor's obligations.

6. Assistance with Data-Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as this is possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including access, rectification, erasure, restriction, portability, and objection. You can delete scan sessions, findings, and artifacts directly from the dashboard; for assistance with other requests, email contact@auditward.com and we will respond within 30 days. If a data subject contacts us directly about Customer Data, we will refer the request to you and will not respond except on your documented instructions or as required by law.

7. Personal Data Breach Notification

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Taking into account the nature of the processing and the information available to us, we will assist you in meeting your obligations under Articles 33 and 34 of the GDPR. You remain responsible for notifying supervisory authorities and data subjects where required.

8. Audits and Inspections

We will make available to you all information necessary to demonstrate compliance with our obligations under Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits are subject to reasonable advance notice, must not unreasonably disrupt our operations, and may be satisfied in the first instance by written responses, documentation, and third-party audit reports or certifications covering our processing practices, where such materials reasonably demonstrate compliance. Each party bears its own costs of an audit.

9. Deletion and Return of Data

Upon termination of your agreement with us, deletion of your account, or your documented request, we will, at your choice, delete or return all Customer Data, including scan data, findings, reports, and artifacts, and delete existing copies, unless European Union or Member State law requires storage of the personal data. Deletion is completed within 30 days. Scan authorization audit logs (records of who authorized which scan and when) are retained for legal compliance purposes as permitted by Article 28(3)(g) of the GDPR, as described in our Privacy Policy.

10. No Training on Customer Data (Article 28(10))

Customer Data, including scan data, findings, evidence, artifacts, and credentials, is not used for training, fine-tuning, or benchmarking any AI or machine-learning models, and is not otherwise reused for our own purposes, without your explicit, separate, written consent. We acknowledge that any such use would, under Article 28(10) of the GDPR, make AuditWard a controller in respect of that processing and would require a separate lawful basis and a separate agreement with you. Absent such consent and agreement, no such processing takes place. Sub-processors providing AI model inference for scan analysis are contractually restricted from using Customer Data to train or improve their models.

11. International Data Transfers

Customer Data is stored and processed on AWS infrastructure in the United States. Where the GDPR applies to Customer Data, transfers to us and our sub-processors in the United States are made under the European Commission's Standard Contractual Clauses (2021) as incorporated in the AWS GDPR Data Processing Addendum and the equivalent addenda of our other sub-processors listed on the Sub-Processors page. You warrant that you have a lawful basis for transferring personal data contained in Customer Data to us for processing outside the European Economic Area, and you authorize the onward transfers described in this section.

12. Governing Law, Term, and Amendment

This DPA is governed by the laws of the State of Delaware, United States, except to the extent the GDPR or other mandatorily applicable data protection law requires otherwise. This DPA takes effect when you accept the Terms of Service at signup, which constitutes acceptance of this DPA, and remains in force for as long as we process Customer Data on your behalf. We may update this DPA from time to time; material changes will be communicated via email to registered users at least 30 days before they take effect and posted on this page with an updated revision date. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails.

13. Contact

If you have questions or concerns about this DPA or our processing of Customer Data, email us at contact@auditward.com.