Data Processing Agreement

In this DPA the following terms have the meanings set out below:

• “Controller” — the customer who determines the purposes and means of personal data processing.
• “Processor” — Swavvy AB, which processes personal data on behalf of the Controller.
• “Data Subject” — any identified or identifiable natural person whose personal data is processed.
• “Personal Data” — any information relating to an identified or identifiable natural person.
• “Processing” — any operation performed on personal data, as defined in the GDPR.
• “Sub-processor” — any third party engaged by the Processor to process personal data on behalf of the Controller.

The Processor processes personal data solely to provide the Perimeter external attack surface management service, including: conducting external scans of registered assets, storing and displaying scan results and findings, sending notifications and reports, and managing account and billing records.

The categories of personal data processed may include: email addresses, names, IP addresses in the context of asset data, and any personal data incidentally contained in scan results (such as email addresses discovered in public DNS records or certificate data).

The categories of data subjects include: the Controller's employees and authorised users of the platform, and individuals whose data may appear in publicly accessible infrastructure associated with the Controller's registered assets.

Processing is carried out for the duration of the agreement between the parties.

The Processor shall:

• Process personal data only on documented instructions from the Controller (which includes the purposes described in the Terms of Service and this DPA), unless required by applicable EU or Swedish law to do otherwise.
• Ensure that persons authorised to process personal data are under appropriate obligations of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Article 32 GDPR.
• Assist the Controller in responding to Data Subject rights requests, taking into account the nature of the processing.
• Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
• At the choice of the Controller, delete or return all personal data upon termination of the agreement, and delete existing copies unless storage is required by applicable law.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.

The Controller provides general authorisation for the Processor to engage sub-processors to assist in providing the Service. Current sub-processors include:

• Google Cloud (EU regions) — hosting and infrastructure

The Processor will notify the Controller of any intended changes to sub-processors (additions or replacements) with at least 14 days' notice, giving the Controller the opportunity to object. All sub-processors are contractually required to provide at least the same level of data protection as required of the Processor under this DPA.

The Processor implements and maintains appropriate technical and organisational measures including:

• Encryption of personal data in transit (TLS 1.2 or higher) and at rest.
• Access controls and multi-factor authentication for platform and infrastructure access.
• Regular review of access rights and application of least-privilege principles.
• Procedures for regularly testing, assessing, and evaluating the effectiveness of security measures.
• Incident detection and response procedures.