Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Find The Breach ("Processor," "we," or "us") and the customer ("Controller," "you," or "your") for the provision of vulnerability scanning and penetration testing services (the "Service"). This DPA is entered into pursuant to and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and any other applicable data protection legislation. This DPA applies to all processing of personal data carried out by Find The Breach on behalf of the Controller in connection with the Service.
1 Definitions and Roles
Controller
The customer who determines the purposes and means of the processing of personal data, and who engages Find The Breach to provide the Service.
Processor
Find The Breach, which processes personal data on behalf of the Controller in connection with the provision of the Service.
Personal Data
Any information relating to an identified or identifiable natural person that is processed by Find The Breach in the course of providing the Service, including but not limited to IP addresses, domain registration information, email addresses, and any personal data discovered during vulnerability scans.
Sub-processor
Any third party engaged by Find The Breach to process personal data on behalf of the Controller in connection with the Service.
2 Processing Purposes and Scope
Find The Breach shall process personal data only for the following purposes and strictly in accordance with the Controller's documented instructions:
- Performing vulnerability scans and penetration tests on targets designated by the Controller
- Generating, storing, and delivering scan reports and security assessments
- Providing account management, billing, and customer support services
- Maintaining system logs necessary for security monitoring and incident investigation
- Fulfilling legal obligations imposed on the Processor by applicable law
The categories of data subjects include the Controller's employees, contractors, customers, and any individuals whose personal data may be incidentally discovered during authorized scanning activities. The types of personal data processed may include names, email addresses, IP addresses, domain information, network configuration data, and any personal data present on scanned systems.
Special Category Data (Article 9 GDPR): The Processor does not intentionally process special category data as defined in GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If such data is incidentally encountered during authorized vulnerability scanning of the Controller's systems, it shall be subject to heightened safeguards including immediate encryption, minimized retention (deleted within the applicable scan data retention period), and access restricted to essential personnel only. The Processor shall promptly notify the Controller if a significant volume of special category data is detected during scanning operations.
3 Obligations of the Processor
Find The Breach shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Find The Breach shall inform the Controller of that legal requirement before processing (unless prohibited by law)
- Ensure that all personnel authorized to process personal data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller
- Assist the Controller, taking into account the nature of the processing, in responding to requests for exercising data subject rights
- Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable data protection law
4 Data Subject Rights
Find The Breach shall assist the Controller in fulfilling its obligations to respond to data subject requests under applicable data protection law. This includes requests relating to:
- Access to personal data
- Rectification of inaccurate personal data
- Erasure of personal data ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
If Find The Breach receives a request directly from a data subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.
5 Sub-processors
The Controller provides general authorization for Find The Breach to engage sub-processors, subject to the following conditions:
- Find The Breach shall maintain a current list of sub-processors, available at findthebreach.com/subprocessors.
- Find The Breach shall notify the Controller at least thirty (30) days before adding or replacing any sub-processor, providing the Controller an opportunity to object to such changes.
- If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties shall negotiate in good faith to resolve the objection. If no resolution is reached within thirty (30) days, the Controller may terminate the affected services without penalty.
- Find The Breach shall impose data protection obligations on each sub-processor by way of a written contract that provides at least the same level of protection as this DPA.
- Find The Breach shall remain fully liable to the Controller for the performance of each sub-processor's obligations.
Appendix: Authorized Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Cloud | Cloud infrastructure and hosting | Germany / Finland (EU) |
| PostgreSQL (self-hosted) | Database services (self-hosted software operated by Find The Breach; not a third party, listed for transparency) | Co-located with application |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global (US HQ) |
| Transactional Email Provider | Email delivery | United States |
Last updated: February 2026. We will notify customers at least 30 days before adding new sub-processors. You may object to a new sub-processor by contacting privacy@findthebreach.com within 14 days of notification.
6 Security Measures
Find The Breach implements and maintains the following technical and organizational security measures:
- Encryption: All personal data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Role-based access controls, multi-factor authentication, and the principle of least privilege are enforced for all systems containing personal data.
- Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation are deployed to protect processing environments.
- Monitoring: Continuous monitoring, logging, and alerting of access to personal data and security events.
- Business Continuity: Regular backups, disaster recovery procedures, and redundant infrastructure to ensure availability and resilience.
- Personnel: Background checks for employees with access to personal data, mandatory security awareness training, and binding confidentiality agreements.
- Testing: Regular vulnerability assessments and penetration testing of our own infrastructure.
7 Data Location and Residency
Data Location. Customer Personal Data is processed and stored in data centers operated by Hetzner Online GmbH, located in Falkenstein and Nuremberg, Germany (European Union). Technical infrastructure metadata (e.g., CDN cache, DNS resolution) may be processed by Cloudflare, Inc. in edge locations worldwide, but does not include Customer scan data or personally identifiable vulnerability findings.
Data Residency Election. Enterprise customers may request data residency in a specific geographic region subject to availability. Find The Breach will not transfer scan data outside the designated region without Customer's prior written consent, except as required by applicable law (in which case Find The Breach will provide advance notice where legally permitted). Data residency preferences can be configured in Account Settings or by contacting support@findthebreach.com.
Multi-Tenant Architecture. Find The Breach operates a multi-tenant architecture with logical data isolation. Customer data is segregated using unique tenant identifiers at the application and database layers. Scan results, vulnerability data, and reports are stored in per-customer partitioned tables with row-level access controls. Cross-tenant data access is prevented by application-layer access controls and database-level constraints, so that a request is scoped to a single tenant identifier before it reaches the database and the database rejects rows that do not carry that identifier. Enterprise customers may request a dedicated database instance for instance-level rather than row-level isolation (subject to Enterprise plan terms).
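As an added illustration of the row-level isolation described above (this is example SQL, not Find The Breach's own schema or policy), the following PostgreSQL statements show one way to enforce a tenant boundary at the database layer. The table name, column names, the `app_user` role and the `app.current_tenant` setting are assumptions chosen for the example.

```sql
-- Added example, not Find The Breach's schema. Names are assumptions.
CREATE TABLE scan_results (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    target      text        NOT NULL,
    finding     jsonb       NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects as an unprivileged role (not the table owner)
-- and binds a tenant to the transaction before every query.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON scan_results TO app_user;
GRANT USAGE, SELECT ON SEQUENCE scan_results_id_seq TO app_user;

ALTER TABLE scan_results ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well; without it an
-- owner connection bypasses row-level security silently.
ALTER TABLE scan_results FORCE ROW LEVEL SECURITY;

-- A row is visible (USING) or writable (WITH CHECK) only when its
-- tenant_id equals the tenant bound to the current transaction.
-- current_setting(..., true) returns NULL if the setting was never set,
-- and NULLIF maps a reset (empty) value to NULL as well, so a connection
-- that forgot to bind a tenant sees no rows instead of all rows.
CREATE POLICY tenant_isolation ON scan_results
    FOR ALL TO app_user
    USING (
        tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid
    )
    WITH CHECK (
        tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid
    );

-- Per-request usage. SET LOCAL is scoped to the transaction, so the
-- tenant binding cannot leak to another request that later reuses the
-- same pooled connection.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
SELECT id, target FROM scan_results;            -- only this tenant's rows
INSERT INTO scan_results (tenant_id, target, finding)
VALUES ('11111111-1111-1111-1111-111111111111', 'example.test', '{}');
COMMIT;

-- A write tagged with a different tenant is rejected by WITH CHECK with
-- "new row violates row-level security policy", and the transaction is
-- aborted.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO scan_results (tenant_id, target, finding)
VALUES ('22222222-2222-2222-2222-222222222222', 'other.test', '{}');
ROLLBACK;
```

The two properties worth checking in any such setup are that the policy fails closed when no tenant is bound, and that the application role is not the table owner or a superuser, since both bypass row-level security unless it is forced.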
A current list of data center locations is maintained at findthebreach.com/subprocessors.
8 Data Breach Procedures
In the event of a personal data breach, Find The Breach shall:
- Notify the Controller without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach. GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 48-hour commitment sits well inside the 72 hours that Article 33(1) gives the Controller to notify the supervisory authority, so that the Controller retains time to meet its own deadline.
- Provide initial breach details within the notification including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations to notify the supervisory authority and affected data subjects.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken.
- Not notify any third party of a data breach without the Controller's prior written authorization, unless required by applicable law.
- For financial sector customers subject to DORA (Regulation (EU) 2022/2554): provide an initial incident notification, including the information the Controller needs to classify the incident, within four (4) hours of detection, followed by ongoing updates as needed to support the Controller's major-incident reporting under DORA Article 19.
Notification timelines: 48 hours (Find The Breach → Controller), 72 hours (Controller → supervisory authority, GDPR Art. 33(1)), 4 hours for the initial notification to DORA-regulated Controllers.
9 Cross-Border Transfers
Find The Breach shall not transfer personal data to a country outside the European Economic Area ("EEA") or the United Kingdom unless one of the following safeguards is in place:
- The destination country has been deemed to provide an adequate level of data protection by the European Commission or the UK Secretary of State, as applicable.
- The transfer is made pursuant to the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or the UK International Data Transfer Agreement / Addendum, as applicable.
- The transfer is subject to Binding Corporate Rules approved by the competent supervisory authority.
- The data subject has explicitly consented to the transfer after being informed of the risks.
Find The Breach's primary data processing facilities are located in Germany (European Union), as described in Section 7. Personal data is transferred to the United States only in connection with the US-based sub-processors listed in Section 5 (Cloudflare, Inc. and the transactional email provider). For transfers from the EEA or UK to the United States, Find The Breach relies on the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework where the recipient is certified, and on the EU Standard Contractual Clauses as a supplementary transfer mechanism.
SCC Module Specification
Where the transfer of personal data from the EEA to the United States is not covered by the EU-U.S. Data Privacy Framework adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), specifically Module 2 (Transfer Controller to Processor), shall apply. The relevant Annex information is as follows:
- Annex I.A (List of Parties): As identified in the DPA header — Controller (Customer) and Processor (Find The Breach).
- Annex I.B (Description of Transfer): As described in Section 2 (Processing Purposes and Scope) of this DPA.
- Annex I.C (Competent Supervisory Authority): The supervisory authority of the EU Member State in which the Controller is established, or the Irish Data Protection Commission for non-EU/EEA Controllers.
- Annex II (Technical and Organisational Measures): As described in Section 6 (Security Measures) of this DPA.
Transfer Impact Assessments
Find The Breach conducts Transfer Impact Assessments (TIAs) for all international data transfers from the EEA/UK to third countries, in accordance with EDPB Recommendations 01/2020 on supplementary measures. Our TIA process evaluates:
- The laws and practices of the destination country regarding government access to data
- The effectiveness of the chosen transfer mechanism (DPF, SCCs) in light of those laws
- Any supplementary technical, contractual, or organizational measures needed
- Whether the combined safeguards ensure an essentially equivalent level of protection
TIA documentation is available to Enterprise customers upon request.
10 Audit Rights
Find The Breach shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least thirty (30) days' written notice prior to any audit, including a proposed audit plan and scope.
- Audits shall be conducted during regular business hours (9:00 AM – 5:00 PM Pacific Time) and shall not unreasonably interfere with Find The Breach's operations.
- Audits shall be limited to once per calendar year, unless required by a supervisory authority or following a personal data breach. Additional audits beyond the annual allowance may be subject to reasonable cost recovery at Find The Breach's then-current professional services rates.
- The Controller shall bear the cost of audits unless the audit reveals a material breach of this DPA by Find The Breach.
- Any third-party auditor must execute a confidentiality agreement acceptable to Find The Breach before accessing any information.
- Find The Breach may satisfy audit requests by providing: (a) current SOC 2 Type II audit reports; (b) ISO 27001 certification (when obtained); (c) penetration test summaries; or (d) written responses to audit questionnaires, in lieu of on-site inspection where such documentation adequately addresses the Controller's concerns.
11 Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Service and shall automatically terminate upon the termination or expiration of the underlying service agreement.
- Upon termination, Find The Breach shall, at the Controller's election, return all personal data to the Controller in a commonly used, machine-readable format or securely delete all personal data within thirty (30) days, unless retention is required by applicable law.
- Find The Breach shall provide written certification of data deletion upon the Controller's request.
- Obligations relating to confidentiality, data security, and liability shall survive the termination of this DPA.
- Where retention of personal data is required by applicable law, Find The Breach shall isolate the data, limit processing to only what is required by law, and protect the data in accordance with the security measures described in this DPA.
Data Destruction Methods. Upon termination, expiry, or deletion request, Personal Data shall be destroyed using one or more of the following methods:
- (a) Cryptographic erasure: destruction of the encryption keys under which the data was encrypted, rendering the ciphertext permanently unrecoverable. This is effective only where every copy of the data was encrypted under the destroyed keys and no copy of those keys survives in backups or key escrow.
- (b) Database-level deletion: deletion of the rows from PostgreSQL databases, followed by VACUUM to reclaim the dead tuples and by expiry of the write-ahead log (WAL) segments and backups that still contain the deleted rows, with verification that the data is no longer retrievable.
- (c) Media sanitization: clear, purge, or destroy operations appropriate to the media type (overwriting alone may not sanitize flash-based storage), in accordance with NIST SP 800-88 Rev. 1, for any data stored on physical media.
A certificate of destruction shall be provided to Enterprise customers upon written request. Destruction shall be completed within thirty (30) days of the triggering event, except where retention is required by applicable law.
12 Contact Information
For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact:
Find The Breach — Data Protection
Bothell, WA
Email: privacy@findthebreach.com
Website: findthebreach.com