Data Processing Agreement

Need a counter-signed copy?

The PDF above is already signed on our side. If your procurement process requires a counter-signed copy, download it, complete and sign the Controller block, and keep it for your records; it is then fully executed without any action on our part. If you must have us sign your own paper template instead, email contact@leakradar.io.

Key terms at a glance

• Roles. You are the controller; we are your processor for account and monitoring data. Separately, we are an independent controller for the breach datasets we index from public sources, which fall outside this DPA.
• Sub-processors. Listed in Annex 2. We give at least 30 days’ notice before adding or replacing one, and you may object on reasonable data-protection grounds.
• International transfers. Core account and monitoring data is hosted in the EU/EEA (France and Finland). For sub-processors outside the EEA, an adequacy decision (including the EU-U.S. Data Privacy Framework) or Standard Contractual Clauses apply.
• Breach notification. We notify you of a personal data breach affecting your data within 24 hours of becoming aware, with a substantive Article 33(3) update within a further 48 hours.
• Return and deletion. On termination we delete or anonymise your account and monitoring data within 90 days and provide a written deletion certificate, except for records we must keep by law (such as billing).
• Audit. You may audit compliance once per twelve-month period (and after a breach) on reasonable notice; we may satisfy requests with existing documentation where available.
• Security. Our technical and organisational measures are set out in Annex 3 and summarised on the Security page.

Related documents

• DPA (PDF, pre-signed)
• Sub-processors (Annex 2)
• Security and technical measures (Annex 3)
• Privacy Policy
• Terms of Service