Data Processing Agreement (Auftragsverarbeitungsvertrag)

Last updated: June 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller," "you") and Secureless UG (haftungsbeschränkt), Kollwitzstraße 76, 10435 Berlin ("Processor," "we," "us"), and applies where we process personal data on your behalf in the course of providing the Service. It is concluded under Art. 28 GDPR. By using the Service, you accept this DPA. Where you require a separately signed copy, contact support@secureless.ai.

Capitalised terms not defined here have the meaning given in the Terms of Service.

1. Subject matter and roles

We process personal data on your behalf as a processor under Art. 28 GDPR solely to provide the Service as described in the Terms. You are the controller for that data and are responsible for the lawfulness of the instructions you give us.

This DPA applies only to data we process on your behalf as a processor. Where we determine the purposes and means of processing (for example, our own account administration, billing, security, and aggregated benchmarking as described in our Privacy Policy), we act as controller and that processing is governed by our Privacy Policy, not this DPA.

2. Scope of processing

Nature and purpose. Processing to operate the Service: running scans, generating and storing assessment reports, maintaining the customer account, and supporting the customer.

Duration. For the term of the subscription and the retention periods set out in the Privacy Policy.

Categories of data subjects. The Controller's authorised users (account holders and team members), and any individuals whose personal data is incidentally contained in publicly observable domain data.

Categories of personal data. Account and contact data of the Controller's users (name, email, authentication identifiers); usage data; and any personal data incidentally captured within otherwise technical scan data (for example, an email address appearing in a DNS record or HTTP header). The Service does not target or process special categories of personal data under Art. 9 GDPR.

3. Instructions

We process personal data only on the Controller's documented instructions, including as set out in this DPA and the Terms, unless required otherwise by EU or member-state law, in which case we will inform you unless that law prohibits it. We will inform you if, in our opinion, an instruction infringes the GDPR.

4. Confidentiality

We ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality.

5. Security

We implement appropriate technical and organisational measures under Art. 32 GDPR, including encryption in transit (TLS), encryption at rest for databases, access controls, processing of scan data in isolated environments, and separation so that one customer's results are not accessible to another. A current description of measures is available on request.

6. Subprocessors

You give general authorisation for us to engage subprocessors. We impose data-protection obligations on each subprocessor equivalent to those in this DPA, and remain responsible for their performance. Our current subprocessors are:

Subprocessor | Purpose | Location
--- | --- | ---
Clerk | Authentication | United States (EU-U.S. Data Privacy Framework)
Stripe | Payment processing | United States / EU
Railway | Application hosting and database | European Union (europe-west4)
Hetzner | Scanner processing | Frankfurt, Germany
Resend | Transactional email | Ireland, EU
Cloudflare | CDN, DDoS protection, bot management | United States (DPF)
Fastly | CDN, edge caching | United States (DPF)
PostHog | Product analytics (consent-gated) | European Union (Frankfurt)
Stakkd GmbH | Operations, design, partnerships, and customer support (processing of scan and account data on our behalf) | Berlin, Germany (EU)
Anthropic | AI analysis of scan data | United States (Standard Contractual Clauses; 30-day retention; no model training on Customer Content)

We will notify you of any intended change to subprocessors with reasonable notice, giving you the opportunity to object on reasonable data-protection grounds.

7. International transfers

Where a subprocessor processes personal data outside the EU/EEA, the transfer is safeguarded by an adequacy decision (including the EU-U.S. Data Privacy Framework) or by Standard Contractual Clauses. Scan data is stored and primarily processed within the European Union (Hetzner Frankfurt and Railway EU). The AI analysis step is performed by Anthropic in the United States under Standard Contractual Clauses (controller-to-processor); Anthropic does not train its models on this data and retains it for no longer than 30 days.

8. Assistance to the Controller

Taking into account the nature of processing, we assist you by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests under Chapter III GDPR, and we assist you in ensuring compliance with Art. 32 to 36 GDPR (security, breach notification, data protection impact assessments), taking into account the information available to us.

9. Personal data breaches

We notify you without undue delay after becoming aware of a personal data breach affecting personal data processed on your behalf, and provide the information reasonably available to help you meet your own notification obligations.

10. Return or deletion

On termination of the Service, we delete or return personal data processed on your behalf in line with the retention periods in the Privacy Policy, unless EU or member-state law requires continued storage (including German commercial and tax retention obligations).

11. Audits

We make available information reasonably necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and no more than once per year unless a breach or supervisory authority requires otherwise. Providing our current security documentation satisfies a routine audit request where reasonable.

12. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms on data-protection matters, this DPA prevails.

13. Governing law

This DPA is governed by German law. Jurisdiction is Berlin, to the extent permitted by law.

14. Contact

Secureless UG (haftungsbeschränkt), Kollwitzstraße 76, 10435 Berlin. support@secureless.ai