Data Processing Agreement (DPA)
Pursuant to GDPR Article 28(3)
1. Parties
Data Controller:
- Name: [CLIENT COMPANY NAME]
- Address: [CLIENT ADDRESS]
- Email: [CLIENT CONTACT EMAIL]
- Represented by: [AUTHORIZED REPRESENTATIVE]
Data Processor:
- BeDefended S.r.l.
- Address: Italy
- Email: privacy@bedefended.com
- Data Protection Officer: privacy@bedefended.com
2. Scope of Processing
2.1 Subject Matter
BeDefended shall process personal data for the purpose of:
- Automated web and mobile application security testing
- Penetration testing and vulnerability assessment
- Security findings documentation and reporting
2.2 Duration
- Start Date: [ENGAGEMENT START DATE]
- End Date: [ENGAGEMENT END DATE]
- Data Retention: 1 year after engagement completion, then deletion
2.3 Nature of Processing
- Collection: Not by BeDefended (Controller provides scope/targets)
- Recording: Screenshot capture, evidence collection during testing
- Organization: Filing and categorization in engagement database
- Retrieval: Accessed by authorized pentester staff only
- Disclosure: Included in final report to Controller
- Alignment: Anonymization/de-identification where applicable
- Deletion: Per retention schedule (Section 2.2)
- Destruction: Secure deletion via NIST guidelines
2.4 Type of Personal Data
The engagement may incidentally capture personal data found in:
- Error messages (user IDs, email addresses)
- HTTP responses (PII in data fields)
- Screenshots (UI text containing PII)
- Cache/memory dumps (session tokens, credentials)
The Controller is responsible for:
- Identifying personal data categories in scope
- Providing authorization to process such data
- Authorizing disclosure in the final report
2.5 Categories of Data Subjects
- Web application end-users
- Administrators
- Test account users created during engagement
- (Not employees of BeDefended)
3. Processor Obligations (GDPR Art. 28(3))
3.1 Processing Instructions
BeDefended shall process personal data only on documented instructions from the Controller, including:
- Scope of testing (URLs, domains, systems in-scope)
- Testing methodology (tools, techniques, depth)
- Data handling instructions (anonymization rules)
- Restrictions (data not to be modified, deleted, or exfiltrated)
3.2 Confidentiality & Secrecy
BeDefended staff involved in processing shall:
- Be subject to confidentiality obligations (contractual)
- Not disclose findings except to authorized Controller representatives
- Not use personal data for own purposes
- Adhere to the Penetration Testing Code of Ethics (PTES)
3.3 Data Security (GDPR Art. 32)
BeDefended implements:
- Encryption in transit: TLS 1.3 with certificate pinning (desktop)
- Encryption at rest: AES-256-GCM for report storage
- Access Control: RBAC + MFA for staff
- Audit Logging: All access logged with timestamp, IP, staff ID
- Network Security: Firewall, WAF, DDoS mitigation
- Physical Security: ISO 27001 compliant data center access controls
- Incident Response: 4-hour detection, 24-72 hour notification SLA
Annual Security Audit: BeDefended undergoes independent penetration testing.
3.4 Sub-processors (GDPR Art. 28(2), 28(4))
BeDefended uses the following sub-processors for:
| Sub-processor | Purpose | Data | Location | Agreement |
|---|---|---|---|---|
| AWS | Backup storage (optional) | Reports, logs | EU/US | DPA signed |
| GitHub | Source control (internal) | Code, not PII | US | DPA signed |
| Stripe | Payment processing | Billing only, not engagement data | US | SOC 2 certified |
Changes to sub-processors:
- Notified to Controller 15 days in advance
- Controller may object on grounds of incompatibility with GDPR
3.5 Data Subject Rights
BeDefended shall:
- Assist Controller in fulfilling data subject requests (access, deletion, portability)
- Provide requested data within 5 working days
- Support DPIA if Controller requests (Section 5)
- Not prevent Controller from providing data to data subjects
3.6 Deletion & Return of Data
Upon engagement completion:
1. Option A: Delete all personal data in reports/logs (default)
2. Option B: Return encrypted copies to Controller for archival
3. Option C: Pseudonymize data for continuous monitoring (with explicit consent)
Deletion completed within 30 days of engagement end. Certification: Written confirmation of deletion provided to Controller.
4. Controller Rights & Audit
4.1 Processor Audits
Controller may:
- Audit BeDefended: Upon 30 days' written notice, during business hours
- Request evidence: Documentation of security measures, compliance certifications
- Subcontractor audits: Extend audit rights to BeDefended's sub-processors
Audit Frequency: At least annually, or more often if GDPR breach suspected.
4.2 Records of Processing
BeDefended maintains:
- Records of all data access (audit logs)
- Staff authorization levels
- Sub-processor contacts & agreements
- Security incident history
Available to Controller upon request (within 10 working days).
4.3 Incident Notification (GDPR Art. 33)
If a breach occurs:
1. Detection → Notification: Within 24 hours of discovery
2. Information provided:
   - Nature of breach (unauthorized access, disclosure, deletion)
   - Categories of personal data affected
   - Likely consequences
   - Measures taken/proposed
3. Escalation: If high-risk breach, Controller must notify the supervisory authority (Data Protection Authority) within 72 hours
5. Data Protection Impact Assessment (DPIA)
5.1 When Required
Controller must conduct DPIA if:
- Testing targets high-risk systems (healthcare, financial, government)
- Personal data categories are sensitive (health, biometric, genetic)
- Scope is large or high-frequency monitoring
5.2 BeDefended Support
BeDefended shall provide:
- Description of processing activities
- Purpose and legal basis
- Known risks and mitigations
- Security controls documentation
6. Liability & Indemnification
6.1 Processor Liability
BeDefended is liable for damages if:
- Violating GDPR obligations regarding data protection
- Mishandling personal data entrusted to it
- Failing to follow documented instructions
Liability Limit: Capped at engagement fee (up to €100,000 for large engagements).
6.2 Controller Liability
Controller is liable for:
- Determining lawful basis for processing
- Providing accurate scope/testing instructions
- Obtaining necessary authorizations from data subjects
7. International Transfers
7.1 Adequacy Decision
If data is transferred to non-EEA countries:
- US: Standard Contractual Clauses (SCC) in place
- Other countries: Assessed under GDPR Chapter V
7.2 Supplementary Safeguards (Schrems II)
For US transfers, additional measures:
- Encryption end-to-end
- Limited access via access logs
- Ability to object to specific transfers
- Right to terminate if safeguards inadequate
8. Term & Termination
8.1 Duration
- Agreement effective upon signature
- Continues for duration of engagement + 1 year data retention period
- Either party may terminate with 15 days' written notice
8.2 Post-Termination
Upon termination:
- All personal data deleted or returned per Section 3.6
- Staff confidentiality obligations continue indefinitely
- Cooperation on audit requests continues 2 years post-termination
9. Governing Law & Disputes
- Governing Law: Italian law, GDPR, applicable EU/national data protection regulations
- Jurisdiction: Italian courts (or as specified in main services agreement)
- Arbitration: Disputes may be escalated to European Data Protection Board
10. Amendments
This DPA may be amended:
- By mutual written consent
- To comply with GDPR updates or regulatory changes
- To reflect new sub-processors or security measures
Changes effective 30 days after written notice unless emergency (data breach, security vulnerability).
Signature
For the Data Controller:
Name (Authorized Representative): _________
Title: _________
Signature: _________
Date: _________
For BeDefended (Data Processor):
Name: _________
Title: _________
Signature: _________
Date: _________
Appendix: Security Measures
| Control | Implementation |
|---|---|
| Access Control | RBAC, MFA mandatory for admin/pentester |
| Encryption in Transit | TLS 1.3, HSTS preload |
| Encryption at Rest | AES-256-GCM for sensitive data |
| Audit Logging | All access logged (timestamp, IP, user, action) |
| Incident Response | 4-hour detection, 24-72 hour notification |
| Backup | Daily automated backups, tested monthly |
| Vulnerability Management | Quarterly penetration tests, dependency scanning |
| Staff Training | Annual GDPR/data protection training |
| Subcontractor DPA | All sub-processors under DPA |
| Data Retention | Deleted per schedule (Section 3.6) |
Document Version: 1.0 | Effective: 2026-03-17