Governing our processing of personal data on your behalf under GDPR Article 28.
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between you ("Controller", "Client", "you") and NIS2Engine ("Processor", "we", "us"). This DPA applies where we process personal data on your behalf in the course of providing the Platform.
"Controller" means the Client — the organization that determines the purposes and means of processing personal data.
"Processor" means NIS2Engine — the organization that processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in Article 4(1) GDPR — any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" means the natural person to whom personal data relates.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
For the purposes of GDPR:
Where we process data for our own purposes (such as account management and billing), we act as a Data Controller in our own right. This is governed by our Privacy Policy at /privacy.
Subject matter: Processing of personal data necessary to provide the NIS2Engine Platform, including automated vendor security scanning, report generation, and compliance documentation.
Duration: This DPA remains in force for the duration of your subscription and for as long as we retain your data in accordance with our retention schedules, unless terminated earlier in accordance with these terms.
We process the following categories of personal data:
| Category | Examples |
|---|---|
| Account identifiers | Email address, company name |
| Authentication data | Hashed passwords, session tokens |
| Billing data | Name, billing address, VAT number |
| Vendor data | Domain names, vendor company names, notes |
| Scan results | Security scores, PDF reports, threat intelligence findings |
| Usage data | IP addresses, browser type, platform activity logs |
| Communication data | Support messages, contact form submissions |
We do not process special categories of personal data as defined in Article 9 GDPR.
We as Processor agree to:
Process personal data only on your documented instructions. These Terms of Service and this DPA constitute your instructions. If we are required by EU or Member State law to process data beyond your instructions, we will inform you unless prohibited by law.
Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Not engage sub-processors without your prior written authorization. Your acceptance of these Terms constitutes general authorization for the sub-processors listed in Section 10. We will notify you at least 30 days before adding or replacing any sub-processor.
Assist you in responding to data subject rights requests by providing appropriate technical and organizational measures.
Assist you in ensuring compliance with your obligations under Articles 32-36 GDPR (security, breach notification, DPIA, prior consultation).
At your choice, delete or return all personal data upon termination of services, and delete existing copies unless EU or Member State law requires retention.
Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by you or your appointed auditor. Audit requests must be submitted via /contact with reasonable notice.
Inform you immediately if any instruction infringes GDPR or other applicable EU data protection law.
You as Controller agree to:
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting personal data we process on your behalf. Notification will be made to the email address registered to your account.
We will provide, to the extent available:
You are responsible for notifying your supervisory authority and affected data subjects where required under Articles 33 and 34 GDPR. We will assist you in fulfilling these obligations upon request.
You grant general authorization for the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS Frankfurt) |
| Lemon Squeezy | Payment processing | US |
| Mailgun | Email delivery | EU |
| Google (Safe Browsing API) | Threat intelligence | US |
| IPInfo | IP address intelligence | US |
| URLScan.io | Domain intelligence | EU |
| AbuseIPDB | IP reputation | US |
| AlienVault OTX | Threat intelligence | US |
| Shodan | Vulnerability data | US |
| Vercel | Frontend hosting | US/EU |
| DigitalOcean | Backend hosting | EU (Amsterdam) |
All sub-processors are bound by data protection obligations equivalent to those in this DPA. We remain fully liable to you for the performance of sub-processors' obligations.
Adding sub-processors: We will provide at least 30 days' notice before adding or replacing a sub-processor. If you object to the change, you may terminate the agreement within the notice period without penalty.
Where sub-processors are located outside the EEA, transfers are governed by:
We will not transfer personal data to a country or international organization outside the EEA unless appropriate safeguards are in place.
| Data Type | Retention | Deletion Method |
|---|---|---|
| Account data | Until account deletion, plus 30 days | Secure deletion from all systems |
| Scan results | 24 months from scan date | Automated deletion |
| Usage logs | 90 days | Automated deletion |
| Billing records | 7 years (legal requirement) | Secure archival then deletion |
| Backup copies | 30 days after primary deletion | Automated backup expiry |
Upon termination of your subscription you may request immediate deletion of all non-legally-required data via /contact.
Where your use of the Platform is likely to result in a high risk to data subjects requiring a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, we will provide reasonable assistance including:
Contact us via /contact to request DPIA support documentation.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where both parties are responsible for damage caused by processing, liability will be apportioned according to the degree of responsibility of each party.
This DPA remains in force as long as we process personal data on your behalf. It terminates automatically upon termination of the Terms of Service. Obligations regarding data already processed survive termination.
This DPA is governed by the laws of the European Union and applicable Member State law. Disputes are subject to the jurisdiction specified in the Terms of Service.
For all DPA enquiries and data subject rights requests use the contact form at /contact.