Data processing agreement

The DPA we execute with every customer processing personal data through NoDowntimeShield.

Last updated: 2026-04-22

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and NoDowntimeShield ("Processor"). It sets out how we process personal data on your behalf in accordance with GDPR, UK GDPR, and equivalent legislation.

1. Subject matter and duration

  • Subject matter: processing of personal data necessary to deliver the NoDowntimeShield service.
  • Duration: for the duration of the subscription, plus retention periods set out in the Privacy Policy.
  • Nature and purpose: security scanning, alerting, reporting, and associated operational logging.

2. Types of personal data

  • Names, email addresses, and account metadata of users you invite into your organisation.
  • Domain names and subdomains you add as scannable assets.
  • Technical findings produced by the scanners, which may incidentally reference personal data (e.g. exposed staff email addresses in public web pages).
  • IP addresses and user-agent metadata captured by access logs.

3. Categories of data subjects

  • Your employees, contractors, and customers whose personal data may appear in scan output.

4. Sub-processors

Current sub-processors are listed in our Privacy Policy under "Who we share with" and on our Trust Centre page. We give at least 30 days' prior written notice of any new sub-processor, during which you may object in writing.

5. Security measures

  • TLS 1.2+ in transit; AES-256 at rest.
  • Least-privilege access; all production access is audit-logged.
  • Passwords bcrypt-hashed; third-party credentials AES-256 encrypted per tenant.
  • Annual third-party penetration test.
  • Documented incident response; notification to Controller within 72 hours of a reportable breach.

6. International transfers

Where personal data is transferred outside the EEA or UK, we rely on the EU Standard Contractual Clauses (SCCs, Module 2 or 3 as applicable) or the UK International Data Transfer Addendum. Copies are available on request.

7. Data subject rights

We assist the Controller in responding to data-subject requests (access, rectification, erasure, portability). Self-service tools for account and domain deletion are available in the dashboard.

8. Return or deletion

On termination, data is returned in a machine-readable export on request and deleted within 90 days. Backups are purged on a rolling 30-day cycle.

9. Audit rights

The Controller may, once per year with 30 days' written notice, audit our compliance through a mutually agreed third-party assessor. Otherwise, we provide current third-party audit reports (SOC 2 Type II when available) under NDA.

10. Download

A countersigned PDF version of this DPA is available on request from [email protected].