Data Processing Agreement
This DPA forms part of the agreement between you (the "Controller") and Thiron (the "Processor") where we process personal data on your behalf.
1. Roles & scope
Where Thiron processes personal data on your behalf, you are the Controller and Thiron is the Processor. This DPA applies to that processing and incorporates the GDPR Article 28 obligations where applicable.
2. Subject matter & duration
Subject matter: provision of external attack-surface scanning and reporting. Duration: for the term of your use of Thiron. Nature & purpose: scanning submitted domains and delivering reports. Data subjects: your personnel and account users. Categories: contact identifiers (email), account and usage data, and any personal data incidentally surfaced in publicly observable scan results.
3. Our obligations
- Process personal data only on your documented instructions.
- Ensure persons authorised to process are bound by confidentiality.
- Apply appropriate technical and organisational security measures (see Security).
- Assist you with data-subject requests and with your security, breach-notification, and DPIA obligations.
- Notify you without undue delay after becoming aware of a personal-data breach.
- Delete or return personal data at the end of the service, subject to legal retention.
- Make available information needed to demonstrate compliance and allow for audits per Article 28(3)(h).
4. Sub-processors
You authorise Thiron to engage sub-processors. Current sub-processors include our web hosting provider (United States), Stripe, Inc. (payments), Google Workspace (Gmail email), and Google Analytics. We will inform you of changes and give you the opportunity to object.
5. International transfers
Where personal data is transferred outside the EEA/UK, the transfer is governed by an approved mechanism such as the Standard Contractual Clauses.
6. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service.