Data Processing Addendum
This Addendum applies whenever you (the "Controller") use pentes.io to process personal data within the meaning of the GDPR, UK GDPR, or analogous data-protection laws. It forms part of the Terms of Service. By accepting the Terms you also accept this DPA.
1. Definitions
Terms not defined here have the meaning given in the GDPR. "Customer Data" means personal data submitted to or processed via pentes.io on behalf of Controller. "Sub-processor" means any third party engaged by pentes.io to process Customer Data.
2. Roles
Controller determines the purpose and means of the processing. pentes.io acts as Processor on Controller's instructions. For pentes.io's own service-operation data (account, billing, telemetry described in the Privacy Policy), pentes.io acts as Controller separately and that processing falls outside this DPA.
3. Scope and nature of processing
- Subject matter: provision of attack-surface monitoring services.
- Duration: the term of the Terms of Service, plus the retention windows defined in the Privacy Policy.
- Nature and purpose: storing, processing, and displaying scan inputs (assets, ownership proofs) and outputs (findings, SARIF blobs, rendered reports) so Controller can monitor its own infrastructure.
- Categories of personal data: contact details for Controller's authorized users (email, name); any personal data that incidentally appears in scan findings (for example, an email address surfaced in a misconfiguration); IP addresses contained in scan targets where they relate to identifiable individuals.
- Categories of data subjects: Controller's employees and contractors authorized to use pentes.io; individuals whose data is incidentally present in scan findings.
4. Processor obligations
pentes.io will:
- Process Customer Data only on Controller's documented instructions, including for international transfers (which, today, are governed by the sub-processor list and the SCCs referenced below).
- Ensure personnel authorized to process Customer Data are under appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures (see Security) to protect Customer Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure.
- Assist Controller, where feasible, in fulfilling its obligations under Articles 32–36 GDPR (security, breach notification, data-protection impact assessments).
- Make available all information necessary to demonstrate compliance with this DPA, subject to the audit terms in section 9.
5. Sub-processors
Controller authorizes pentes.io to engage the sub-processors listed in section 4 of the Privacy Policy. pentes.io will:
- Impose data-protection obligations on each sub-processor that are no less protective than this DPA.
- Remain liable to Controller for the acts and omissions of sub-processors.
- Give Controller at least 30 days' notice before adding or replacing a sub-processor (announcement via the change log on the Privacy Policy page and an email to billing contacts). Controller may object on reasonable data-protection grounds; if pentes.io cannot resolve the objection, Controller may terminate the affected service.
6. International transfers
Where Customer Data is transferred from the EU/EEA, the UK, or Switzerland to a recipient outside those jurisdictions, the transfer is governed by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, incorporated by reference. Executed SCCs are available on request at legal@pentes.io.
7. Data-subject rights
pentes.io will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligation to respond to data-subject requests under Chapter III of the GDPR. Where pentes.io receives a data-subject request directly, pentes.io will forward it to Controller within 5 business days and not respond except on Controller's instructions.
8. Breach notification
pentes.io will notify Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data. The notice will describe the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Audit
Controller may, no more than once per 12-month period, on reasonable written notice and during business hours, request information necessary to demonstrate pentes.io's compliance with this DPA. pentes.io will respond to such requests with documentation (security policies, sub-processor list, most recent third-party attestations as they become available) and, where reasonable, host a remote walk-through with security personnel. On-site audits are not contemplated at pentes.io's current scale; this section will be revisited once SOC 2 attestation is available.
10. Return and deletion of data
On termination of the Terms or on Controller's written instruction, pentes.io will delete or return Customer Data within the retention windows described in section 5 of the Privacy Policy. The audit-log retention carve-out (life of account plus 7 years) applies to records of authorization for security testing and survives termination as required by section 3.2 of the Terms.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation is prohibited by applicable data-protection law.
12. Term
This DPA takes effect on Controller's acceptance of the Terms of Service and continues for as long as pentes.io processes Customer Data on Controller's behalf. Sections 8, 10, and 11 survive termination.