Data Processing Agreement

Last updated: January 2025

1. Parties

This Data Processing Agreement ("DPA") is entered into between SPNT DOO ("Processor") and the entity agreeing to these terms ("Controller").

2. Scope and Purpose

This DPA applies to the processing of personal data by Processor on behalf of Controller in connection with SPNT's Serpentine security services, as required by the General Data Protection Regulation (GDPR).

3. Data Processing Details

Categories of Data Subjects

  • Controller's employees and contractors
  • Controller's customers (where applicable)
  • End users of Controller's systems

Categories of Personal Data

  • Contact information (names, email addresses)
  • System access logs and authentication data
  • Technical data from security scans
  • IP addresses and device identifiers

Processing Activities

  • Security scanning and vulnerability assessment
  • Log analysis and threat detection
  • Compliance evidence collection
  • Report generation and delivery

4. Processor Obligations

Processor shall:

  • Process personal data only on documented instructions from Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to data subject requests
  • Assist Controller with data protection impact assessments
  • Delete or return all personal data upon termination
  • Make available information necessary to demonstrate compliance

5. Security Measures

Processor implements the following measures:

  • Encryption of data at rest (AES-256)
  • Encryption of data in transit (TLS 1.3)
  • Access control and authentication mechanisms
  • Audit logging of all data access
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Business continuity and disaster recovery

6. Sub-processors

Processor may engage sub-processors with Controller's general authorization. Processor maintains a current list of sub-processors at /legal/subprocessors.

Controller may object to new sub-processors within 14 days of notification. Processor will impose equivalent data protection obligations on all sub-processors.

7. International Transfers

Processor does not transfer personal data outside the European Economic Area. All processing occurs within EU data centers.

8. Data Breach Notification

Processor shall notify Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach. Notification shall include:

  • Nature of the breach including categories and number of data subjects
  • Name and contact details of data protection officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. Audit Rights

Controller may audit Processor's compliance with this DPA. Processor shall contribute to audits conducted by Controller or an auditor mandated by Controller. Audits shall be conducted with reasonable notice and during normal business hours.

10. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Processor shall, at Controller's choice, delete or return all personal data within 30 days.

11. Contact

For DPA-related inquiries, contact: dpa@spnt.io