Data Processing Agreement

Last updated: April 6, 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between you ("Controller") and Nabu Watch ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller in accordance with GDPR Article 28.

1. Parties

This DPA is entered into between:

Data Controller

The customer ("you", "Controller") who has entered into a service agreement with Nabu Watch for the use of the compliance monitoring platform.

Data Processor

Nabu Watch ("we", "us", "Processor"), the entity providing the nabu.watch compliance monitoring service and processing personal data on behalf of the Controller.

2. Definitions

The following terms have the meanings set out below. Terms not defined here have the meaning given to them in the GDPR.

Personal Data

Any information relating to an identified or identifiable natural person ("data subject") as defined in GDPR Article 4(1).

Processing

Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.

Controller

The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

A natural or legal person which processes personal data on behalf of the Controller.

Sub-processor

Any third party engaged by the Processor to process personal data on behalf of the Controller.

Data Subject

An identified or identifiable natural person whose personal data is processed.

Supervisory Authority

An independent public authority established by an EU Member State pursuant to GDPR Article 51.

3. Scope & Purpose

This DPA applies to the processing of personal data by the Processor in connection with the provision of compliance monitoring services through the nabu.watch platform.

  • Purpose: To enable the Processor to provide website compliance monitoring, SSL certificate checking, legal page detection, and compliance reporting services to the Controller.
  • Duration: This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor. Upon termination of the service agreement, the provisions of Section 13 (Termination & Data Return) shall apply.

4. Details of Processing

The following details describe the processing activities carried out by the Processor on behalf of the Controller:

Types of Personal Data

  • Website URLs submitted for monitoring
  • Email addresses of account holders
  • Organisation names and account data
  • Full names of registered users
  • Scan results and compliance reports

Categories of Data Subjects

  • Controller's employees and authorised users of the platform
  • Organisation members with access to the Controller's account

Nature of Processing

  • Automated scanning of websites for compliance indicators
  • Storage and retrieval of scan results and compliance data
  • Generation and delivery of compliance reports
  • Account management and authentication

5. Controller Obligations

The Controller warrants and undertakes that:

  • It has a lawful basis under GDPR Article 6 for the processing of personal data and for instructing the Processor to carry out such processing.
  • It shall provide documented processing instructions to the Processor and shall not instruct the Processor to process personal data in violation of applicable data protection law.
  • It shall inform data subjects about the processing of their personal data in accordance with GDPR Articles 13 and 14, including the use of Nabu Watch as a processor.
  • It is solely responsible for the accuracy, quality, and legality of the personal data provided to the Processor.

6. Processor Obligations

The Processor warrants and undertakes that it shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
  • Ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligation to respond to data subject requests (GDPR Chapter III).
  • Assist the Controller in ensuring compliance with obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments, and prior consultation).
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services and delete existing copies unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28.

7. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors. The Processor currently engages the following sub-processors:

  • Cloud hosting provider — infrastructure and database hosting (EU region). Processes account data, website URLs, and scan results.
  • Email delivery service — transactional emails for registration, notifications, and alerts. Processes email addresses and user names.

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The Controller may object to a new sub-processor within 30 days of receiving notification. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

8. Security Measures

In accordance with GDPR Article 32, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit — all data transmitted between clients and the platform is encrypted using TLS (Transport Layer Security).
  • Encryption at rest — personal data stored in databases and file systems is encrypted at rest.
  • Access controls — role-based access control (RBAC) ensures that only authorised personnel and systems can access personal data. Authentication is enforced at every API endpoint.
  • Password security — user passwords are hashed using BCrypt with appropriate cost factors. Plain-text passwords are never stored.
  • Stateless authentication — JWT (JSON Web Token) based authentication with HS256 signing. Because no session state is held server-side, the attack surface is reduced.
  • Audit logging — access and processing activities are logged for security monitoring and incident investigation.

The Processor shall regularly assess the effectiveness of these measures and update them as necessary to address evolving threats and vulnerabilities.

9. Data Breach Notification

In accordance with GDPR Article 33, the Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach. The notification shall include:

  • A description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the Processor's data protection contact point.
  • A description of the likely consequences of the personal data breach.
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests exercising their rights under GDPR Chapter III, including:

Right of Access (Art. 15)

The Processor shall provide the Controller with the ability to access and export personal data held about a data subject.

Right to Rectification (Art. 16)

The Processor shall enable the Controller to correct inaccurate personal data through the platform's account settings.

Right to Erasure (Art. 17)

The Processor provides account deletion functionality that permanently removes all personal data associated with a data subject.

Right to Data Portability (Art. 20)

The Processor provides a data export endpoint (GET /users/me/export) that returns personal data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21)

The Processor shall assist the Controller in honouring objections to processing by restricting or ceasing processing as instructed.

Right to Restriction of Processing (Art. 18)

The Processor shall, upon Controller instruction, restrict processing of a data subject's personal data to storage only.

Data subjects may exercise their rights through the platform dashboard or by contacting the Controller, who may then instruct the Processor accordingly. The account deletion endpoint (DELETE /users/me) permanently removes all personal data.

11. International Transfers

Personal data processed under this DPA is stored and processed within the European Union. The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless:

  • The European Commission has issued an adequacy decision for the recipient country.
  • Appropriate safeguards have been provided, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The Controller has provided prior written consent to the transfer.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

  • The Controller shall provide at least 30 days' written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller may exercise its audit right no more than once per calendar year, unless a data breach or regulatory investigation necessitates an additional audit.
  • The Controller and any auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit.

13. Termination & Data Return

Upon termination of the service agreement between the Controller and the Processor:

  • The Controller shall have 30 days from the date of termination to export all personal data using the platform's data export functionality (GET /users/me/export).
  • After the 30-day export period, the Processor shall permanently delete all personal data processed on behalf of the Controller, including all copies in production systems and backups, unless EU or Member State law requires further storage.
  • The Controller may alternatively request the return of all personal data in a structured, commonly used, machine-readable format before deletion.
  • The Processor shall provide written confirmation of deletion upon the Controller's request.

The Controller may also request deletion at any time during the term of the agreement by using the account deletion endpoint (DELETE /users/me), which permanently removes all associated personal data.

14. Liability

In accordance with GDPR Article 82, each party shall be liable for damage caused by processing that infringes the GDPR:

  • The Controller shall be liable for damage caused by processing that does not comply with the GDPR.
  • The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
  • A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The limitation of liability provisions set out in the service agreement shall apply to this DPA, except where such limitations are not permitted under applicable data protection law.

15. Contact

For any questions, concerns, or requests relating to this Data Processing Agreement or the processing of personal data, please contact our privacy team:

Nabu Watch

Email: privacy@nabu.watch