DeepSight Data Processing Agreement
Effective date: May 2, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between DeepSight Security ("Processor", "we", "us") and the client entity ("Controller", "you") that has registered for and uses the DeepSight platform. This DPA governs the processing of personal data carried out by DeepSight on behalf of the Controller in connection with the services described at deepsightsecurity.com.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR.
- "Processing" means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, or deletion.
- "Controller" means the client who determines the purposes and means of processing personal data.
- "Processor" means DeepSight Security, which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by DeepSight to assist in processing personal data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and, where applicable, its national implementing legislation.
2. Scope and Purpose of Processing
DeepSight processes personal data solely for the purpose of delivering the contracted services, which include:
- Account provisioning and authentication.
- AI-driven attack simulations, vulnerability assessments, and security intelligence analysis conducted against domains the Controller has verified ownership of.
- Generation and delivery of security reports.
- Platform operation, maintenance, and support.
Processing is carried out only on documented instructions from the Controller, unless required by applicable law, in which case DeepSight will inform the Controller of that legal requirement before processing, unless prohibited from doing so.
3. Categories of Personal Data Processed
The categories of personal data processed under this DPA include:
- Identity data: full name, job title.
- Contact data: work email address, phone number.
- Organisation data: company name, registered domain, business address.
- Technical data: IP addresses, browser metadata, authentication tokens, and access logs.
- Security intelligence data: findings and results generated against the Controller's registered infrastructure.
DeepSight does not process special categories of personal data (as defined in Article 9 GDPR) unless explicitly agreed in writing.
4. Obligations of DeepSight as Processor
DeepSight agrees to:
- Process personal data solely to deliver the contracted services to the Controller, and for no other purpose.
- Ensure that any personnel with access to personal data are bound by confidentiality obligations.
- Maintain the security measures described in Section 6 of this Agreement to protect personal data against unauthorised access, loss, or disclosure.
- Promptly forward to the Controller any request for access, correction, or deletion received directly from a data subject whose data DeepSight holds, so that the Controller can handle it; such requests will not be ignored.
- Notify the Controller promptly, and within 72 hours where possible, of any breach affecting the Controller's data, so that the Controller can take appropriate action and meet any regulatory reporting obligations (see Section 7 for the full terms).
- Provide reasonable assistance where the Controller requests supporting documentation for its own internal data protection assessments (for example, as required by its legal or compliance team).
- At the choice of the Controller, delete or return all personal data upon termination of services, and delete existing copies unless retention is required by law.
- Make available all information necessary to demonstrate compliance with this DPA and permit audits by the Controller or their representatives upon reasonable notice.
5. Sub-processors
The Controller grants DeepSight general written authorisation to engage sub-processors. DeepSight will inform the Controller of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object. DeepSight ensures that all sub-processors are bound by data protection obligations at least as protective as those set out in this DPA.
Current sub-processors
Vercel Inc.
Cloud hosting and deployment infrastructure
- Purpose: Hosting the DeepSight platform and serving application content to users.
- Data processed: IP addresses, request metadata, application logs.
- Location: United States (with a global edge network).
- Safeguards: Standard Contractual Clauses (SCCs) under GDPR Article 46. Vercel DPA available at vercel.com/legal/dpa.
Google LLC — Firebase
Authentication and database storage
- Purpose: Storing user accounts, company data, scan results, and reports. Handling authenticated sessions.
- Data processed: Account data, security findings, report content, authentication tokens.
- Location: United States and EU regions depending on configuration.
- Safeguards: Google Cloud Data Processing Addendum incorporating SCCs. Details at firebase.google.com/support/privacy.
Anthropic PBC — Claude AI
AI-powered security analysis and report generation
- Purpose: Processing security intelligence data to generate attack analysis, vulnerability assessments, and structured reports.
- Data processed: Domain names, infrastructure findings, security metadata submitted for analysis. No personal data beyond what is technically necessary is submitted.
- Location: United States.
- Safeguards: Anthropic API usage policy and data processing terms. Prompt data is not used to train models under API usage. Details at anthropic.com/privacy.
OpenAI LLC
AI-powered security analysis and report generation
- Purpose: Supplementary AI processing for security intelligence and report generation workflows.
- Data processed: Domain names, infrastructure findings, and security metadata. Minimised to what is technically necessary.
- Location: United States.
- Safeguards: OpenAI Data Processing Addendum incorporating SCCs. API data is not used to train models. Details at openai.com/policies/privacy-policy.
Google LLC — reCAPTCHA
Spam and bot prevention
- Purpose: Preventing automated abuse on registration and contact forms.
- Data processed: IP address, browser fingerprint metadata.
- Location: United States.
- Safeguards: Google reCAPTCHA terms and privacy policy at policies.google.com/privacy.
6. Security Measures
DeepSight takes the security of client data seriously. The following measures are in place:
- Encrypted connections: All traffic between users and the DeepSight platform is encrypted in transit using TLS, the same standard used by banks, which protects data against interception in transit.
- Encrypted storage: All data stored in Firebase (accounts, reports, findings) is encrypted at rest by Google by default. Vercel infrastructure applies the same standard to application data.
- Account isolation: Each user can only access their own data. When a logged-in user requests their reports, our server verifies their identity using a secure token issued by Firebase Auth, then fetches only the records belonging to that specific account. It is not possible for one user to view another user's reports or company data through the platform.
- Superadmin separation: Access to all client accounts for operational purposes (such as creating reports) is restricted to a single designated superadmin account, separately authenticated and enforced server-side on every relevant API request.
- No hardcoded secrets: API keys, database credentials, and service tokens are stored as server-side environment variables and are never exposed in the application code or to the browser.
- Domain verification before scanning: DeepSight requires clients to verify ownership of their domain via a DNS record before any scanning or attack simulation is initiated against it. No scanning is performed against unverified domains.
7. Data Breach Notification
In the event of a personal data breach affecting the Controller's data, DeepSight will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
8. Individual Data Requests
Under GDPR, individuals have rights over their personal data — including the right to access it, correct it, or have it deleted. The Controller (the client company) is responsible for handling these requests from their own users or employees. DeepSight's role is to assist where our systems are involved.
In practice this means: if someone contacts DeepSight directly asking to see or delete their data, we will forward that request to the relevant Controller promptly and not later than five business days. We will not handle or dismiss such requests unilaterally. Where the data is held solely within DeepSight's systems and no Controller involvement is required, we will act on the request directly.
9. International Data Transfers
Some sub-processors listed in Section 5 operate in the United States. Where personal data is transferred outside the European Economic Area (EEA), DeepSight ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46(2)(c) GDPR, or other valid transfer mechanisms. The Controller's acceptance of this DPA constitutes acceptance of such transfers where they are necessary for service delivery.
10. Retention and Deletion
DeepSight retains personal data only for as long as necessary to deliver the contracted services or as required by applicable law. Upon termination of the service agreement, DeepSight will, at the Controller's written request, securely delete or return all personal data within 30 days, and confirm deletion in writing. Anonymised or aggregated data not attributable to any individual may be retained for operational and statistical purposes.
11. Audit Rights
The Controller may, upon at least 30 days' written notice and no more than once per calendar year, audit or inspect DeepSight's processing activities to verify compliance with this DPA, at the Controller's own cost. DeepSight may satisfy this requirement by providing relevant certifications, third-party audit reports, or written attestations in lieu of an on-site audit.
12. Governing Law
This DPA is governed by the laws applicable to the main services agreement between the parties. Where the Controller is established within the EU/EEA, GDPR shall apply and take precedence over any conflicting provision of this DPA.
13. Contact and Data Controller Inquiries
For questions relating to this DPA, data subject requests, or to exercise your rights as a Controller, contact:
DeepSight Security
Data Protection Contact
deepsightsecurity.com