Data Processing Agreement

GDPR-compliant DPA for enterprise customers with EU Standard Contractual Clauses

Last updated: January 2025

This Data Processing Agreement ("DPA") supplements our Terms of Service and applies to customers who are data controllers under GDPR.

1. Definitions

  • "Controller": You, the customer
  • "Processor": PXL Security LTD (Buglify.ai)
  • "Personal Data": Any data processed through our platform
  • "Data Subject": Individuals whose data is processed

2. Scope and Duration

We process personal data on your behalf solely to provide penetration testing services. This DPA remains in effect for the duration of our service agreement.

3. Processor Obligations

We will:

  • Process data only on your documented instructions
  • Ensure confidentiality of processing personnel
  • Implement appropriate technical and organizational measures
  • Assist with data subject requests
  • Delete or return data upon termination
  • Make available information necessary to demonstrate compliance

4. Sub-processors

We use sub-processors (see the full list on our Subprocessors page). We will provide 30 days' notice before adding new sub-processors.

5. Security Measures

We implement industry-standard security measures including encryption, access controls, and regular audits. See our Security Page for details.

6. Data Breach Notification

We will notify you within 48 hours of becoming aware of a personal data breach affecting your data.

7. Standard Contractual Clauses

For data transfers outside the EU, we incorporate the EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by European Commission Decision 2021/914.

8. Data Processing Details

8.1 Subject Matter

Processing of personal data necessary to provide automated penetration testing and security scanning services.

8.2 Duration

Processing continues for the term of the service agreement and the data retention period specified in our Privacy Policy.

8.3 Nature and Purpose

Processing includes collection, storage, analysis, and transmission of data for:

  • Performing security scans and penetration tests
  • Generating vulnerability reports
  • Account management and authentication
  • Payment processing
  • Service improvement and support

8.4 Types of Personal Data

  • Contact information (name, email, company)
  • Account credentials
  • Payment information
  • Target URLs and domains
  • Scan results and vulnerability data
  • Usage and log data

8.5 Categories of Data Subjects

  • Account owners and administrators
  • Team members and users
  • Technical contacts

9. Audit Rights

You have the right to audit our compliance with this DPA. We will:

  • Provide documentation of our security measures upon request
  • Allow annual audits with 30 days' advance notice
  • Make available third-party security certifications and reports
  • Respond to audit findings within reasonable timeframes

10. Data Return and Deletion

Upon termination or expiration of services:

  • We will return or delete all personal data within 30 days
  • You may request data export before termination
  • We will certify deletion upon request
  • Data required for legal compliance may be retained for the required period

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. We will indemnify you against claims arising from our breach of this DPA, subject to:

  • Prompt notification of claims
  • Reasonable cooperation in defense
  • Our sole control of defense and settlement

12. Amendments

We may update this DPA to reflect changes in data protection laws or our practices. Material changes will be communicated 30 days in advance. If you object to changes, you may terminate services without penalty.

13. Contact for DPA Matters

PXL Security LTD
blvd Vasil Levski 12
Sofia, Bulgaria
Email: dpa@buglify.ai
Data Protection Officer: dpo@buglify.ai