Data Processing Agreement (DPA)
Last updated: July 7, 2026
Concluded between:
SYSDEVOPS.EU Jarosław Karsznia, ul. Zbożowa 5/34, 81-020 Gdynia, Poland, Tax ID (NIP): 5871592779 — the “Processor”,
and
the Controller — the entity identified in the Account data (company name and Tax ID provided at registration), who has accepted the Terms of Service, of which this Agreement forms an integral part —
together the “Parties”.
This Agreement becomes binding upon acceptance of the Terms of Service when creating an Account.
This Agreement implements the obligation under Art. 28(3) of Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and sets out the rules for entrusting the processing of personal data in connection with the provision of the Secvalis service (a vulnerability management platform — the “Service”), under the Terms of Service concluded between the Parties.
§ 1. Subject and nature of processing
- The Controller entrusts the Processor with processing of personal data solely for the purpose and to the extent necessary to provide the Service.
- The subject, nature, purpose of processing, type of personal data and categories of data subjects are set out in Annex 1.
- The duration of processing corresponds to the term of the Terms of Service, subject to § 8 (deletion of data after termination).
- The Processor processes data solely on the documented instructions of the Controller — such instruction also includes using the Service in accordance with its functionality and documentation, and the Controller's configuration of the scanner (agent), including the data-minimisation parameters described in Annex 1.
§ 2. Processor obligations (Art. 28(3) GDPR)
The Processor undertakes to:
- (a) process personal data solely on the documented instructions of the Controller, including as regards transfers to a third country — unless required to do so by Union or Member State law, in which case the Processor informs the Controller before processing (unless the law prohibits it);
- (b) ensure that persons authorised to process the data have committed to confidentiality or are under a statutory obligation of secrecy;
- (c) take the technical and organisational security measures required under Art. 32 GDPR — detailed in Annex 2;
- (d) comply with the conditions for engaging another processor (sub-processing) — § 3;
- (e) assist the Controller, as far as possible and through appropriate technical and organisational measures, in fulfilling the obligation to respond to data subjects' requests to exercise their rights (Art. 15–22 GDPR);
- (f) assist the Controller in fulfilling the obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessment — DPIA, prior consultation), taking into account the nature of processing and the information available to it;
- (g) after the provision of the Service ends, delete or return to the Controller all personal data and delete existing copies — in accordance with § 8;
- (h) make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits (including inspections) — in accordance with § 6;
- immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
§ 3. Sub-processing (further processors)
- The Controller grants a general written authorisation to engage the further processors (sub-processors) listed in Annex 3.
- The Processor imposes on each sub-processor — by contract — data protection obligations equivalent to those under this Agreement, in particular the obligation to provide sufficient guarantees under Art. 28(4) GDPR. The Processor remains liable to the Controller for the sub-processor's performance of its obligations.
- The Processor informs the Controller of an intended change of sub-processors (addition or replacement) at least 14 days in advance, electronically to the Controller's contact address. The Controller may raise a reasoned objection within 14 days; if the objection cannot be resolved, the Controller may terminate the Terms of Service with respect to the services affected by the change.
§ 4. Transfers to third countries
- Data is, as a rule, processed within the European Economic Area (hosting infrastructure: OVHcloud, Warsaw — Annex 3).
- The only transfer outside the EEA concerns Resend (Resend, Inc., USA), used to send email (email addresses of the Controller's users). The transfer takes place on the basis of a European Commission adequacy decision (the EU–US Data Privacy Framework, under which Resend, Inc. is certified) or, in the alternative, on the basis of the Standard Contractual Clauses adopted by the European Commission. To the extent the SCCs apply, Module 3 (processor-to-processor transfer) applies, since the Processor acts as a processor and Resend as its sub-processor.
§ 5. Personal data breach notification
- The Processor notifies the Controller of any personal data breach without undue delay, no later than within 48 hours of becoming aware of it, to enable the Controller to meet the 72-hour deadline under Art. 33(1) GDPR.
- The notification contains at least the information indicated in Art. 33(3) GDPR, to the extent available to the Processor: the nature of the breach, the categories and approximate number of data subjects and records, the likely consequences and the measures taken or proposed.
- The Processor documents breaches in its event log (the Service's audit trail) and makes it available to the Controller on request.
§ 6. Right to audit
- The Processor makes available to the Controller the information necessary to demonstrate compliance with Art. 28 GDPR and allows for audits, including inspections, by the Controller or an auditor authorised by it.
- An audit takes place after reasonable prior notice of at least 14 days, during business hours, no more than once a year (except for an audit following a confirmed breach), in a manner minimising disruption to the Service and respecting the confidentiality of other clients' data and trade secrets.
- In the first instance, the Processor fulfils the information obligation by providing available documentation, certificates or audit reports (e.g. a penetration test summary — where available).
- All costs of an audit or inspection are borne solely by the Controller. Where an audit requires the involvement of the Processor's personnel, the Processor reserves the right to charge the Controller for that involvement at its standard hourly rates, subject to prior agreement on the budget.
§ 7. Security measures
The Processor applies the technical and organisational measures described in Annex 2, appropriate to the risk in accordance with Art. 32 GDPR. The Controller declares that it considers these measures appropriate to the nature of the entrusted data.
§ 8. Termination of processing
- After the Service ends, the Processor — at the Controller's choice expressed before termination — returns the personal data or deletes it together with existing copies, within 30 days of termination, unless further storage is required by Union or Member State law.
- Until deletion, the data remains secured in accordance with § 7.
- Deletion also covers backups within their rotation cycle. Backups are encrypted (restic) and subject to a retention policy of 7 daily, 4 weekly and 6 monthly copies. Consequently, a given backup is retained for no longer than approximately 6 months, after which it is permanently removed by automatic pruning (restic forget --prune). Until overwritten, backups remain encrypted and inaccessible in plaintext.
§ 9. Liability and final provisions
- The Parties' liability is governed by the Terms of Service. Each Party's liability under the GDPR towards data subjects is determined by Art. 82 GDPR.
- Matters not regulated herein are governed by the GDPR, the Polish Personal Data Protection Act and Polish law.
- The governing law is Polish law; the competent court is the court for the Processor's registered seat.
- The Agreement enters into force upon acceptance of the Terms of Service and remains in force for the duration of the Service.
- Form of conclusion. The Agreement forms an integral part of the Terms of Service and is concluded electronically — by acceptance of the Terms of Service (which include this Agreement) at registration or in the course of using the Service; the current text is available at /dpa. At the Controller's request, the Processor makes the Agreement available for download in PDF and allows it to be concluded in documentary form or with a qualified electronic signature (an option for higher subscription plans / clients requiring a signed copy).
- Language version. The Agreement is drawn up in Polish and English. In the event of any discrepancy between the versions, the Polish version prevails.
Annex 1 — Scope and nature of processing
- Purpose of processing
- Provision of the Secvalis Service: registration and maintenance of user accounts, collecting and presenting vulnerability scan results for entrusted machines, generating reports and compliance evidence, notifications.
- Nature of processing
- Storage, organisation, presentation in the panel, report generation, sending email notifications. Automated processing.
- Duration of processing
- The term of the Terms of Service; deletion in accordance with § 8.
- Categories of data subjects
- Users of the Controller's account (the Controller's employees / associates authorised to use the Service).
- Categories of personal data
- Account users' email addresses; authentication data (password as a hash; API keys as a SHA-256 hash); registration IP address (anti-abuse); event metadata in the audit trail (e.g. actor's email, time, action type).
- Technical scan data
- Hostname, distribution and its version, names and versions of installed packages, detected vulnerabilities (CVE), host time zone, agent version, scan status. Such data generally does not constitute personal data, except where a hostname assigned by the Controller would contain personal data.
- Data minimisation
- By default the scanner transmits the hostname. The Controller may disable its transmission with the --no-hostname flag (the agent then sends only the label assigned by the Controller via --label, and the actual hostname does not leave the Controller's server). This implements the data-minimisation principle — Art. 5(1)(c) GDPR.
- Special categories of data
- The Service is not intended for processing special categories of data (Art. 9 GDPR). The Controller undertakes not to entrust such data.
Annex 2 — Technical and organisational measures (Art. 32 GDPR)
The Processor applies, in particular, the following measures:
- Encryption in transit — communication with the Service and its API only over HTTPS/TLS; the agent (scanner) enforces HTTPS for the API endpoint.
- Backup encryption — backups are encrypted (restic) before being sent to OVHcloud storage; the infrastructure provider has no access to the data in plaintext.
- Multi-factor authentication (MFA/TOTP) — available to users, with the option to enforce it at the account level (the account administrator may require all users to enrol a second factor).
- Credential protection — passwords stored only as hashes (bcrypt); API keys as SHA-256 hashes, with the key shown once on generation.
- Access control and isolation — roles with differentiated permissions (including a read-only role and an auditor role); isolation of data between different clients' accounts (organisations).
- Anti-abuse — rate-limiting (registration and scans) and anti-enumeration (equalised response time at login and registration).
- Data minimisation — the --no-hostname mechanism (Annex 1); the agent's slim payload limits transmitted data to the necessary scope.
- Audit trail — logging of significant events (who, when, what action), written transactionally together with the operation.
- Error monitoring — self-hosted (GlitchTip) on the Processor's own server in Poland; no diagnostic data is passed to an external provider.
- Backups and recovery — regular, encrypted backups; a tested recovery procedure (a recovery test — DR drill — has been performed).
Annex 3 — List of further processors (sub-processors)
- OVHcloud (OVH SAS)
- Hosting infrastructure and storage of encrypted backups. Location: Warsaw, Poland (EEA). Entrusted data: all Service data (including restic-encrypted backups).
- Resend (Resend, Inc.)
- Sending email (account verification, notifications). Location: USA (transfer per § 4). Entrusted data: users' email addresses.
GlitchTip (error reporting) is hosted on the Processor's own server in Poland — it is not a separate external sub-processor.
Payments and invoicing (outside the scope of this entrustment). Payments and invoicing for the Controller's account are handled by Stripe Payments Europe, Limited (Ireland, EEA). This concerns only the Controller's own billing data as a contracting party (company data, Tax ID, payment data — card data is processed solely by Stripe under PCI-DSS; the Processor does not store card data). In this respect the Processor acts as a separate controller (fulfilling its own accounting and tax obligations), and Stripe is its processor. This relationship does not constitute entrustment within the meaning of this Agreement — it does not cover the data of persons whose data the Controller entrusts when using the Service. These rules are described in the Terms of Service and the Privacy Policy.

