Data Processing Agreement

Effective May 14, 2026 · Sodasoft LLC (30 N Gould St, Sheridan, Wyoming 82801, United States)

This Data Processing Agreement (the “DPA”) supplements the NANOTESTING Terms of Service (the “Agreement”) and governs the processing of personal data by Sodasoft LLC (the “Processor”) on behalf of the Customer (the “Controller”) when the Customer uses the NANOTESTING Service.

This DPA is automatically incorporated into the Agreement when the Service processes personal data covered by the EU General Data Protection Regulation (Regulation 2016/679, “EU GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection (the “FADP”), or any successor or analogous law. In case of conflict between this DPA and the Agreement, this DPA prevails for personal data processing matters.

1. Definitions

Capitalised terms not defined in this DPA have the meaning given in the Agreement. The terms “controller”, “processor”, “data subject”, “personal data”, “processing”, and “supervisory authority” have the meanings given in the EU GDPR.

2. Subject-matter, duration, nature, purpose

  • Subject-matter. The processing of personal data by the Processor to provide the Service to the Controller as set out in the Agreement.
  • Duration. For as long as the Agreement is in force, plus any post-termination retention required by law or set out in the Privacy Policy.
  • Nature and purpose. Hosted security-assessment SaaS. The Service ingests publicly observable information from Targets the Controller authorises, plus credentials and metadata the Controller deliberately supplies (auth tokens, GitHub PATs, cloud-IAM keys, mobile binaries). Processing activities include collection, storage, retrieval, analysis, transmission to the Controller's authorised recipients (Slack, Jira, webhooks), and deletion on retention expiry.
  • Categories of personal data. Account email addresses, names, IP-address hashes, user-agent hints, audit-log actor identifiers. Customer Content may incidentally contain personal data (e.g. usernames in error messages, email addresses leaked in source code); we do not target, enrich, or profile that data.
  • Categories of data subjects. The Controller's authorised users; the Controller's end users, customers, and employees whose data appears incidentally in scanned Targets.

3. Processor obligations

3.1 Documented instructions

The Processor processes personal data only on documented instructions from the Controller. The Agreement, this DPA, the Controller's configuration in the dashboard (target verification, plan choice, integration setup), and any documented support ticket constitute “documented instructions”. If law requires the Processor to process outside those instructions, the Processor will inform the Controller before processing, unless the law prohibits such information on important grounds of public interest.

3.2 Confidentiality

The Processor ensures persons authorised to process personal data are under a written confidentiality obligation no less protective than this DPA.

3.3 Security (Article 32)

The Processor implements appropriate technical and organisational measures (the “TOMs”) to ensure a level of security appropriate to the risk. The current TOMs are described in Schedule 2 below. The Processor reviews the TOMs at least annually and whenever there is a material change to the Service.

3.4 Subprocessors

The Controller authorises the Processor to engage the subprocessors listed at /legal/subprocessors. The Processor will:

  • give the Controller at least 30 days' prior notice of new or replacement subprocessors by updating the public list and emailing the account's billing contact;
  • flow down written obligations on the subprocessor that are no less protective than this DPA; and
  • remain liable to the Controller for the subprocessor's performance.

The Controller may object in writing to a new subprocessor on reasonable data-protection grounds within 30 days. If the objection cannot be resolved, the Controller may terminate the relevant portion of the Service for a pro-rata refund of pre-paid fees.

3.5 Assistance to the Controller

Taking into account the nature of the processing, the Processor provides reasonable assistance to the Controller in fulfilling its obligations to (a) respond to data-subject requests (GDPR Articles 12-22), (b) ensure security of processing (Article 32), (c) notify breaches (Articles 33-34), (d) carry out data-protection impact assessments (Article 35), and (e) consult the supervisory authority (Article 36). Self-service controls are exposed in the dashboard at /settings/privacy; non-routine requests may incur reasonable cost.

3.6 Breach notification

The Processor notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach. The notice includes (i) the nature of the breach, including categories and approximate number of data subjects and records concerned, (ii) the likely consequences, (iii) the measures taken or proposed, and (iv) a point of contact.

3.7 Deletion or return on termination

On termination of the Agreement, and at the Controller's option, the Processor will delete or return all personal data and delete existing copies, unless EU or Member State law requires storage of the data. The default schedule is described in the Privacy Policy. Backup snapshots cycle out within 35 days of deletion.

3.8 Audit

The Processor makes available all information necessary to demonstrate compliance with this DPA and contributes to audits, including inspections, conducted by the Controller or an auditor the Controller mandates. The Processor publishes its current TOMs and SOC 2 readiness statement; on-site audits are limited to once per 12 months unless triggered by an actual incident and require 30 days' written notice plus a reasonable confidentiality agreement.

4. International transfers

Where the Processor or any subprocessor transfers personal data from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the transfer is governed by the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, “EU SCCs”), specifically:

  • Module Two (controller-to-processor) for transfers from the Controller to NANOTESTING;
  • Module Three (processor-to-processor) for onward transfers to NANOTESTING's subprocessors.

For UK personal data, the UK Information Commissioner's Office International Data Transfer Addendum to the EU SCCs (B1.0) applies. For Switzerland, the SCCs apply with the FADP-required modifications.

The supplementary measures we apply (Schedule 2) include AES-256-GCM encryption of customer-supplied secrets at rest, TLS 1.2+ in transit, row-level security in the managed database, least-privilege access for the engineering team, and a documented transparency-report process.

5. Liability

The parties' liability under this DPA is subject to the limitation of liability in the Agreement. Liability allocation between parties under Article 82 of the GDPR is unaffected.

6. Order of precedence

In case of conflict, the following order of precedence applies: (i) the EU SCCs (where they apply), (ii) this DPA, (iii) the Privacy Policy, (iv) the Agreement. Schedules 1 and 2 below are part of this DPA.

Schedule 1 - Subject-matter summary

Categories of data subjects: Controller's authorised users; end users, customers, and employees whose data appears incidentally in scanned Targets.
Categories of personal data: Account email, name, role; IP-address hash; user-agent hint; audit-log actor id; incidental personal data in scan output.
Sensitive data: The Service is not designed for sensitive personal data under GDPR Article 9. Controllers should not upload special-category data deliberately.
Frequency of processing: Continuous for the duration of the Agreement.
Nature of processing: Hosted security-assessment SaaS: collection, storage, analysis, transmission to the Controller's authorised recipients, and deletion on retention expiry.
Purpose of processing: Provide the Service as described in the Agreement and Documentation.
Duration of processing: For the term of the Agreement plus the retention periods in the Privacy Policy.
Permitted transfers: US and EU primary hosting. Onward transfers governed by the EU SCCs, UK IDTA Addendum, or Swiss SCCs as applicable.

Schedule 2 - Technical and Organisational Measures (TOMs)

2.1 Access control to systems

  • Multi-factor authentication on every administrative account.
  • Magic-link only for the customer-facing dashboard (no passwords stored).
  • Time-bounded access reviews; offboarding within 24 hours of role change.

2.2 Access control to data

  • Postgres row-level security on every customer table; queries run as the authenticated user role with explicit policy enforcement.
  • Secrets columns (auth tokens, IDOR pair, webhook secret, cloud-audit credential, mobile binary bytes) revoked from the customer-facing role; only the service role can read.
  • Signed download URLs with short TTL for PDF reports and raw scan output.

2.3 Encryption

  • TLS 1.2+ for all transport. HSTS preload on production.
  • Customer-supplied secrets sealed with AES-256-GCM using a dedicated key separated from the database.
  • Database at-rest encryption by the managed Postgres provider.

2.4 Pseudonymisation

  • Public visitor IPs are salted-hashed before persistence.
  • User-agent fingerprints are truncated to a short hint (browser family, OS family) and hashed for the rest.

2.5 Resilience and recovery

  • Managed-Postgres point-in-time recovery with retention of at least seven days.
  • Daily snapshot to an isolated region.
  • Documented disaster-recovery runbook with annual tabletop exercise.

2.6 Logging and monitoring

  • Audit logs of every state-changing user action retained for 24 months.
  • Application logs with PII scrubbed; raw IPs in transient logs deleted within 24 hours.
  • Anomaly alerts on auth-event spikes and on background-job failure rates.

2.7 Software-development lifecycle

  • Code review on every change; required passing CI before merge.
  • Dependency CVE monitoring via osv-scanner + Trivy on the worker image.
  • Automated regression tests and end-to-end smoke tests against production per release.

2.8 Personnel

  • Background checks where permitted by law.
  • Security and privacy training on hire and annually thereafter.
  • Written confidentiality agreement with every contractor.

2.9 Subprocessor governance

  • Up-to-date subprocessor inventory at /legal/subprocessors.
  • Vendor-security review on engagement and at least annually.
  • SCC-based data-transfer paperwork on file with each subprocessor.

Contact

Privacy contact: privacy@nanotesting.com. DPA contact: legal@nanotesting.com.