Data Processing Agreement

This DPA forms part of the agreement between you (the "Controller") and Tripline (the "Processor") where we process personal data on your behalf.

1. Roles & scope

Where Tripline processes personal data on your behalf, you are the Controller and Tripline is the Processor. This DPA applies to that processing and incorporates the GDPR Article 28 obligations where applicable.

2. Subject matter & duration

Subject matter: provision of external attack-surface scanning and reporting. Duration: for the term of your use of Tripline. Nature & purpose: scanning submitted domains and delivering reports. Data subjects: your personnel and account users. Categories: contact identifiers (email), account and usage data, and any personal data incidentally surfaced in publicly observable scan results.

3. Our obligations

• Process personal data only on your documented instructions.
• Ensure persons authorised to process are bound by confidentiality.
• Apply appropriate technical and organisational security measures (see Security).
• Assist you with data-subject requests and with your security, breach-notification, and DPIA obligations.
• Notify you without undue delay after becoming aware of a personal-data breach.
• Delete or return personal data at the end of the service, subject to legal retention.
• Make available information needed to demonstrate compliance and allow for audits per Article 28(3)(h).

4. Sub-processors

You authorise Tripline to engage sub-processors. Current sub-processors include [hosting provider], [Stripe — payments], [email provider], and [analytics provider]. We will inform you of changes and give you the opportunity to object.

5. International transfers

Where personal data is transferred outside the EEA/UK, the transfer is governed by an approved mechanism such as the Standard Contractual Clauses. [Update to reflect your actual transfers.]

6. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.