VERSION 1.0 • LAST UPDATED: JUNE 2026

Data Processing Agreement

Governing our processing of personal data on your behalf under GDPR Article 28.

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between you ("Controller", "Client", "you") and NIS2Engine ("Processor", "we", "us"). This DPA applies where we process personal data on your behalf in the course of providing the Platform.

This DPA is entered into under Article 28 of the General Data Protection Regulation (GDPR — EU Regulation 2016/679).

1. Definitions

"Controller" means the Client — the organization that determines the purposes and means of processing personal data.

"Processor" means NIS2Engine — the organization that processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in Article 4(1) GDPR — any information relating to an identified or identifiable natural person.

"Processing" has the meaning given in Article 4(2) GDPR.

"Data Subject" means the natural person to whom personal data relates.

"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.

"Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Roles of the Parties

For the purposes of GDPR:

  • The Client is the Data Controller — you determine what vendor domains are submitted, for what purpose, and retain control over your compliance program
  • NIS2Engine is the Data Processor — we process data only to provide you with the Platform services you have contracted for

Where we process data for our own purposes (such as account management and billing), we act as a Data Controller in our own right. This is governed by our Privacy Policy at /privacy.

3. Subject Matter and Duration

Subject matter: Processing of personal data necessary to provide the NIS2Engine Platform, including automated vendor security scanning, report generation, and compliance documentation.

Duration: This DPA remains in force for the duration of your subscription and for as long as we retain your data in accordance with our retention schedules, unless terminated earlier in accordance with these terms.

4. Nature and Purpose of Processing

We process personal data for the following purposes:

  • Creating and managing your user account
  • Authenticating your access to the Platform
  • Storing vendor domain data you submit
  • Running automated security scans
  • Generating PDF security scorecard reports
  • Generating remediation letters
  • Sending monthly scan result notifications
  • Maintaining your compliance audit trail
  • Processing subscription payments
  • Providing customer support

5. Categories of Personal Data Processed

Category | Examples
Account identifiers | Email address, company name
Authentication data | Hashed passwords, session tokens
Billing data | Name, billing address, VAT number
Vendor data | Domain names, vendor company names, notes
Scan results | Security scores, PDF reports, threat intelligence findings
Usage data | IP addresses, browser type, platform activity logs
Communication data | Support messages, contact form submissions

We do not process special categories of personal data as defined in Article 9 GDPR.

6. Categories of Data Subjects

  • Your employees and authorized users who access the Platform
  • Billing contacts at your organization
  • No personal data about your vendors' employees or end users is intentionally collected

7. Obligations of the Processor

We as Processor agree to:

7.1 Instructions

Process personal data only on your documented instructions. These Terms of Service and this DPA constitute your instructions. If we are required by EU or Member State law to process data beyond your instructions, we will inform you unless prohibited by law.

7.2 Confidentiality

Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.

7.3 Security

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability and access to personal data in a timely manner following an incident
  • Regular testing and evaluation of security measures

7.4 Sub-processors

Not engage sub-processors without your prior written authorization. Your acceptance of these Terms constitutes general authorization for the sub-processors listed in Section 10. We will notify you at least 30 days before adding or replacing any sub-processor.

7.5 Data subject rights

Assist you in responding to data subject rights requests by providing appropriate technical and organizational measures.

7.6 Security assistance

Assist you in ensuring compliance with your obligations under Articles 32-36 GDPR (security, breach notification, DPIA, prior consultation).

7.7 Deletion or return

At your choice, delete or return all personal data upon termination of services, and delete existing copies unless EU or Member State law requires retention.

7.8 Audit

Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by you or your appointed auditor. Audit requests must be submitted via /contact with reasonable notice.

7.9 Notification

Inform you immediately if any instruction infringes GDPR or other applicable EU data protection law.

8. Obligations of the Controller

You as Controller agree to:

  • Ensure you have a lawful basis for processing personal data before submitting it to the Platform
  • Ensure data subjects have been informed about the processing in accordance with Articles 13 and 14 GDPR
  • Ensure that any personal data submitted to the Platform is accurate and relevant
  • Comply with all applicable data protection laws in your jurisdiction
  • Not instruct us to process personal data in a way that would violate applicable law
  • Obtain all necessary authorizations before submitting vendor domains for scanning
  • Notify us promptly if you become aware of any Security Incident involving data processed through the Platform

9. Security Incidents

9.1 Notification

We will notify you without undue delay and within 72 hours of becoming aware of a Security Incident affecting your personal data. Notification will be made via the email address registered to your account.

9.2 Content of notification

We will provide, to the extent available:

  • Description of the nature of the Security Incident
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident

9.3 Your obligations

You are responsible for notifying your supervisory authority and affected data subjects where required under Articles 33 and 34 GDPR. We will assist you in fulfilling these obligations upon request.

10. Sub-processors

You grant general authorization for the following sub-processors:

Sub-processor | Purpose | Location
Supabase | Database, authentication, file storage | EU (AWS Frankfurt)
Lemon Squeezy | Payment processing | US
Mailgun | Email delivery | EU
Google (Safe Browsing API) | Threat intelligence | US
IPInfo | IP address intelligence | US
URLScan.io | Domain intelligence | EU
AbuseIPDB | IP reputation | US
AlienVault OTX | Threat intelligence | US
Shodan | Vulnerability data | US
Vercel | Frontend hosting | US/EU
DigitalOcean | Backend hosting | EU (Amsterdam)

All sub-processors are bound by data protection obligations equivalent to those in this DPA. We remain fully liable to you for the performance of sub-processors' obligations.

Adding sub-processors: We will provide at least 30 days' notice before adding a new sub-processor. If you object to a new sub-processor, you may terminate the agreement within the notice period without penalty.

11. International Transfers

Where sub-processors are located outside the EEA, transfers are governed by:

  • Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) GDPR, incorporated into our agreements with each sub-processor
  • Adequacy decisions where applicable

We will not transfer personal data to a country or international organization outside the EEA unless appropriate safeguards are in place.

12. Data Retention and Deletion

Data Type | Retention | Deletion Method
Account data | Until deletion + 30 days | Secure deletion from all systems
Scan results | 24 months from scan date | Automated deletion
Usage logs | 90 days | Automated deletion
Billing records | 7 years (legal requirement) | Secure archival then deletion
Backup copies | 30 days after primary deletion | Automated backup expiry

Upon termination of your subscription, you may request immediate deletion of all non-legally-required data via /contact.

13. Data Protection Impact Assessments

Where your use of the Platform is likely to result in a high risk to data subjects requiring a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, we will provide reasonable assistance including:

  • Description of our processing operations and their purposes
  • Description of technical and organizational security measures implemented
  • Any other information reasonably required for your DPIA

Contact us via /contact to request DPIA support documentation.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where both parties are responsible for damage caused by processing, liability will be apportioned according to the degree of responsibility of each party.

15. Term and Termination

This DPA remains in force as long as we process personal data on your behalf. It terminates automatically upon termination of the Terms of Service. Obligations regarding data already processed survive termination.

16. Governing Law

This DPA is governed by the laws of the European Union and applicable Member State law. Disputes are subject to the jurisdiction specified in the Terms of Service.

17. Contact

For all DPA enquiries and data subject rights requests use the contact form at /contact.