1. Introduction & scope
This Data Processing Addendum (this “DPA”) supplements and forms part of the agreement between you (the “Customer”) and Vezraa (collectively the “Parties”) under which Customer accesses the Vezraa Service (the “Agreement”), as set out in the Vezraa Terms of Service. This DPA governs Vezraa's Processing of Customer Personal Data on Customer's behalf when Vezraa acts as a Processor (or, under the DPDP Act, a Data Processor).
In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In the event of any conflict between the body of this DPA and the EU Standard Contractual Clauses (the “SCCs”) where they are incorporated, the SCCs control.
2. Definitions
Capitalized terms used in this DPA but not defined have the meanings given in the Agreement. The terms “Personal Data,” “Processing,” “Controller,” “Processor,” “Subprocessor,” “Data Subject,” and “Personal Data Breach” have the meanings given in the GDPR, UK GDPR, or the FADP, as applicable. “Data Principal,” “Data Fiduciary,” and “Data Processor” have the meanings given in the Digital Personal Data Protection Act, 2023 of India (the “DPDP Act”). “Personal Information,” “Business,” “Service Provider,” “Sale,” and “Sharing” have the meanings given in the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”).
“Customer Personal Data” means Personal Data Processed by Vezraa on behalf of Customer through the Service. “Data Protection Laws” means all data-protection and privacy laws applicable to a Party's Processing of Personal Data, including GDPR, UK GDPR, FADP, the DPDP Act, CCPA/CPRA, and US state privacy laws.
3. Roles of the Parties
With respect to Customer Personal Data, Customer is the Controller (or Data Fiduciary, or Business) and Vezraa is the Processor (or Data Processor, or Service Provider). Customer is responsible for the lawfulness of its Processing and for issuing instructions to Vezraa consistent with the Agreement and this DPA. Vezraa will Process Customer Personal Data only as set out in this DPA and the Agreement.
For data Vezraa Processes about its own customers, account holders, and website visitors as described in our Privacy Policy, Vezraa is the Controller. This DPA does not apply to that Processing.
4. Customer instructions
Vezraa will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which Vezraa is subject; in such a case, Vezraa will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Customer instructions are set out in the Agreement, this DPA, and any configuration choices Customer makes in the Service. Customer may issue further written instructions consistent with the Agreement.
Vezraa will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
5. Personnel & confidentiality
Vezraa will ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and will receive appropriate training in the protection of Personal Data. Vezraa will limit access to Customer Personal Data to personnel who need such access to perform their duties.
6. Security measures
Vezraa will implement appropriate technical and organizational measures (the “Security Measures”) designed to ensure a level of security appropriate to the risk of the Processing, including the measures described in Annex 2. Vezraa regularly tests, assesses, and evaluates the effectiveness of the Security Measures.
Customer acknowledges that the Security Measures are subject to technical progress and development and that Vezraa may update or modify them from time to time, provided that such updates and modifications do not result in a material reduction of the security of the Service.
7. Subprocessors
Customer authorizes Vezraa to engage Subprocessors to Process Customer Personal Data to provide the Service. The current list of Subprocessors is published at vezraa.com/subprocessors and incorporated as Annex 3. Vezraa will:
- Enter into a written agreement with each Subprocessor that imposes data-protection obligations no less protective than those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor;
- Remain responsible to Customer for the performance of each Subprocessor's obligations;
- Provide at least thirty (30) days' prior notice (by updating /subprocessors and emailing customers subscribed to change notifications) before adding a new Subprocessor that will Process Customer Personal Data of EEA, UK, Swiss, or Indian Data Subjects, except in cases where shorter notice is required for security or legal reasons.
Customer may object to a new Subprocessor on reasonable data-protection grounds within fifteen (15) days of notice by sending a written objection to udayakirantumma@gmail.com. The Parties will discuss the objection in good faith. If the Parties cannot resolve the objection within thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience, and Vezraa will refund any prepaid fees for the unused portion of the term.
8. International data transfers
Where Vezraa Processes Customer Personal Data of Data Subjects in the EEA, the UK, or Switzerland in a country that is not the subject of an adequacy decision under the relevant law, the Parties agree that the EU Commission Standard Contractual Clauses (the “SCCs”) of 4 June 2021 (Decision (EU) 2021/914) apply as follows:
- Module 2 (Controller-to-Processor) applies where Customer is acting as a Controller and Vezraa acts as Processor; Module 3 (Processor-to-Processor) applies where Customer is acting as a Processor on behalf of a third-party Controller.
- Clause 7 (Docking Clause) is incorporated.
- Clause 9(a) Option 2 applies; Subprocessor changes are notified at /subprocessors with the notice period in Section 7.
- Clause 11(a) — the optional independent dispute-resolution body is not selected.
- Clause 17 — Option 1; the SCCs are governed by the law of Ireland.
- Clause 18(b) — disputes will be resolved by the courts of Ireland.
- Annex I.A (Parties), I.B (Description of transfer), and II (Technical and organizational measures) of the SCCs are populated by Annex 1 and Annex 2 of this DPA. Annex III is populated by /subprocessors.
Where the UK GDPR applies, the SCCs are amended by the UK International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018 (the “UK Addendum”). Table 1 of the UK Addendum (Parties) is populated by Annex 1.A, Table 2 (Selected SCCs, Modules and Selected Clauses) by the selections made in this Section 8, and Table 3 (Appendix Information) by Annex 1 through Annex 3; Table 4 is completed so that either Party may end the UK Addendum when the Approved Addendum changes. Where the FADP applies, the SCCs are interpreted consistent with the requirements of the FADP and the supplementary guidance of the Swiss FDPIC.
Under the DPDP Act, transfers of Personal Data outside India are permitted to any country not specifically restricted by the Government of India under section 16 of the DPDP Act; Vezraa will comply with any restrictions notified under that section.
9. Data subject rights
Taking into account the nature of the Processing, Vezraa will assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
Vezraa will redirect Data Subjects who contact it directly to Customer for handling. Vezraa will not respond to a Data Subject request without Customer's prior written consent except as required by law.
10. Security-incident notification
Vezraa will notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware, of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address it, and the contact details of a person from whom Customer can obtain more information.
Vezraa will assist Customer in complying with Customer's notification obligations to supervisory authorities, the Data Protection Board of India, and Data Subjects under Data Protection Laws.
11. Audits
Vezraa will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR (and analogous provisions of other Data Protection Laws), and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the conditions in this Section.
Customer may, no more than once per twelve (12) months and on at least thirty (30) days' prior written notice, request that Vezraa complete a reasonable, written audit questionnaire or provide a summary of any independent audit or certification reports Vezraa maintains. Where Customer reasonably requires further audit and the requirement cannot be satisfied through documentation, Vezraa will permit a remote, scope-limited audit by Customer or an independent third-party auditor (subject to confidentiality undertakings), conducted during business hours, in a manner that does not disrupt the Service or breach the confidentiality of other customers, and at Customer's expense. Audits triggered by a confirmed Personal Data Breach are not subject to the cap above and may be expedited.
12. Return and deletion of Customer Data
On termination or expiration of the Agreement, or at Customer's earlier written request, Vezraa will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, except to the extent retention is required by law (in which case Vezraa will continue to protect that data in accordance with this DPA and limit further Processing to that required by law).
Backups containing Customer Personal Data will be overwritten in the ordinary course of Vezraa's rolling backup retention; deletion from production triggers deletion from backups on the next overwrite cycle.
13. CCPA / US state law terms
For Customer Personal Information that constitutes “personal information” subject to CCPA/CPRA or analogous US state laws, Vezraa is acting as a Service Provider (or, where applicable, a Contractor or Processor under those laws). Vezraa:
- Will not Sell or Share (as defined in CCPA/CPRA) Customer Personal Information;
- Will not retain, use, or disclose Customer Personal Information for any purpose other than performing the Service, including for any commercial purpose other than providing the Service or outside of the direct business relationship between the Parties, except as otherwise permitted by CCPA/CPRA;
- Will not combine Customer Personal Information with personal information received from or on behalf of another person, or collected from Vezraa's own interaction with the Data Subject, except as permitted by CCPA/CPRA;
- Certifies that it understands and will comply with these restrictions.
Customer may take reasonable and appropriate steps to ensure that Vezraa Processes Customer Personal Information consistent with Customer's obligations under CCPA/CPRA, and to stop and remediate unauthorized use, by exercising the audit rights in Section 11.
14. India DPDP Act terms
Where Vezraa Processes Personal Data of Data Principals subject to the DPDP Act, Vezraa acts as a Data Processor on behalf of Customer (the Data Fiduciary). Vezraa will Process such Personal Data only on the lawful instructions of Customer and in accordance with this DPA, will implement reasonable security safeguards as required by the DPDP Act and any rules notified under it, and will assist Customer in fulfilling its obligations under the DPDP Act, including notification obligations to the Data Protection Board of India and to affected Data Principals in the event of a Personal Data Breach.
Vezraa will assist Customer with grievance redressal in accordance with section 8(10) of the DPDP Act and Customer's readily-available means of registering grievances.
15. Liability
The total liability of each Party arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA excludes or limits a Party's liability where such limitation is prohibited by applicable law, including liability under Article 82 GDPR or under the SCCs.
16. General
This DPA is governed by the same governing law and dispute-resolution provisions as the Agreement, except as expressly provided in Section 8 with respect to the SCCs. If any provision of this DPA is found by a competent authority to be invalid or unenforceable, the remaining provisions remain in full force. Customer may not assign this DPA other than as permitted under the Agreement.
Vezraa may update this DPA from time to time to reflect changes in Data Protection Laws or Vezraa's operations. The current version is always available at vezraa.com/dpa with the “Last updated” date and version stamp. Material updates will be notified by email at least thirty (30) days before they take effect.
Annex 1 — Processing details
A. List of Parties
- Data Exporter (Controller / Data Fiduciary / Business): Customer, as identified in the account associated with the Service.
- Data Importer (Processor / Data Processor / Service Provider): Vezraa, India. Contact for data-protection matters: udayakirantumma@gmail.com.
B. Description of transfer
- Categories of Data Subjects: Customer's end-users and visitors of websites and applications scanned by Customer using the Service; Customer's authorized employees, contractors, and agents who interact with the Service.
- Categories of Personal Data: account identifiers, email addresses, authentication tokens, content of submitted URLs and HTTP responses (which may incidentally contain personal data of end-users), DNS and TLS metadata, scan findings and remediation prompts, IP addresses and technical telemetry.
- Special categories of data: none required or intended. Customer must not knowingly use the Service to Process special categories of data.
- Frequency of transfer: continuous, on Customer's instruction.
- Nature of the Processing: hosting, scanning, automated and AI-assisted analysis, generation of remediation prompts and reports, dashboard display, email delivery of results, optional GitHub PR generation, optional Slack/Discord notifications, integrity and security operations.
- Purpose: to provide the Vezraa Service to Customer in accordance with the Agreement.
- Retention: as set out in the “Data retention” section of the Privacy Policy and Section 12 of this DPA.
- Subprocessors: as listed at /subprocessors and incorporated as Annex 3.
C. Competent supervisory authority
For Module 2 / Module 3 SCC transfers: the supervisory authority of the EU Member State where the Customer is established or, where the Customer is not established in the EU, the Irish Data Protection Commission. For UK transfers: the UK Information Commissioner's Office (ICO). For Swiss transfers: the Federal Data Protection and Information Commissioner (FDPIC). For DPDP Act matters: the Data Protection Board of India.
Annex 2 — Technical and organizational measures
Vezraa maintains the following technical and organizational measures to protect Customer Personal Data. These measures may be updated from time to time provided no material reduction in security results.
- Encryption. TLS 1.2+ (preferring TLS 1.3) for all data in transit on public endpoints; HSTS preload submission for the public domain. Encryption at rest on the primary database (Neon Postgres) and on cached scan artifacts in cloud storage. OAuth tokens and integration credentials are stored encrypted at rest.
- Access controls. Role-based access controls; principle of least privilege for staff and machine accounts; multi-factor authentication enforced on all administrative consoles, code-hosting accounts, and infrastructure providers.
- Authentication. Customer authentication via Supabase Auth (Google / GitHub OAuth, magic-link OTP). API keys are stored only as one-way hashes; the plaintext is shown to the Customer exactly once at creation.
- Network security. Network segregation between production and non-production environments; restrictive firewall and security-group rules at the database and queue layer; secrets stored in encrypted secret managers, never in source code.
- Logging & monitoring. Audit logging on database mutations and on access to scan-related secrets; structured request and error logs; error tracking via Sentry; uptime and performance monitoring on critical endpoints; rate limiting on authentication, scan, checkout, and webhook endpoints.
- Vulnerability management. Regular dependency scanning via CI; periodic vulnerability assessment of our own platform; security review for high-risk changes.
- Software-development lifecycle. Pull-request review by another engineer on all code changes; pre-deploy CI checks (typecheck, lint, unit tests); staged rollout via Vercel preview deployments.
- Backups & resilience. Managed Postgres backups with rolling retention; documented procedures for restore and disaster recovery.
- Personnel. Confidentiality obligations on all personnel with access to Customer Personal Data; security and privacy training before granting production access; revocation of access on role change or departure.
- Vendor management. Vendor-risk review of Subprocessors before onboarding and on a recurring schedule; data-processing agreements with each Subprocessor; SCCs with Subprocessors that Process Personal Data outside the EEA, UK, or Switzerland where required.
- Incident response. Documented incident-response procedure including triage, containment, customer notification within the timeframe in Section 10 (without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach), and post-incident review.
- Data minimization & redaction. Data sent to AI providers is redacted of obvious secret-shaped values prior to transmission; raw HTML and other transient scan inputs are purged on a ninety (90) day rolling schedule.
Annex 3 — Subprocessor list
The list of authorized Subprocessors is published at vezraa.com/subprocessors and incorporated by reference. The published page identifies each Subprocessor, the purpose for which it Processes Customer Personal Data, the categories of data it receives, and its primary processing region.
Execution
This DPA takes effect upon the earlier of (a) the Customer's acceptance of the Agreement, or (b) the Customer's use of the Service to Process Customer Personal Data. No further execution is required.
Customers requiring a countersigned copy of this DPA, or a customer-specific variant under a master services agreement, may request one from udayakirantumma@gmail.com.