Data Processing Agreement

1. Definitions

“Personal Data”, “Controller”, “Processor”, “Processing”, and “Data Subject” have the meanings given in applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.

2. Subject matter and nature of processing

Anydefect processes data on behalf of the customer solely for the purpose of delivering the security scanning service. Processing activities include: ingesting cloud configuration metadata and security findings, storing scan artifacts, generating compliance reports, and providing the customer access to results through the Anydefect platform.

3. Categories of data processed

• Cloud resource identifiers, configuration metadata, and policy states
• IP addresses, domain names, and hostnames from connected environments
• Security findings and vulnerability details returned by scan engines
• User account information (name, email, role) for platform access
• Audit logs of user actions within the Anydefect platform

Anydefect does not intentionally collect sensitive personal data (e.g. health data, payment card numbers). The customer is responsible for ensuring that targets connected to Anydefect do not expose sensitive personal data to the scan pipeline.

4. Controller obligations

The customer (Controller) agrees to: (a) provide Anydefect with documented instructions for processing; (b) ensure it has a lawful basis for any personal data submitted to the service; (c) obtain any required consents from Data Subjects; and (d) comply with all applicable data protection laws with respect to data submitted to the service.

5. Processor obligations (GDPR Article 28)

Anydefect, as Processor, will:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorised to process the data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Assist the Controller in responding to Data Subject rights requests
• Delete or return all personal data to the Controller upon termination
• Make available all information necessary to demonstrate compliance
• Notify the Controller without undue delay of any personal data breach

6. Sub-processors

Anydefect uses the following sub-processors to deliver the service:

• Microsoft Azure — cloud infrastructure, compute, and Azure Blob Storage for scan artifacts
• Redis / Azure Cache for Redis — job queue state
• MongoDB Atlas — primary database for findings and workspace data
• Stripe — payment processing (billing data only)

Anydefect will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

7. International transfers

Where personal data is transferred outside the European Economic Area or United Kingdom, Anydefect will ensure an adequate transfer mechanism is in place (such as Standard Contractual Clauses) with each sub-processor receiving such data.

8. Data retention and deletion

Scan findings and artifacts are retained for the period configured in the customer's workspace settings (default: 12 months). Upon account termination, all customer data is deleted within 30 days unless a shorter period is agreed in writing. Backup copies are purged within 90 days.

9. Security measures

Anydefect implements appropriate technical and organisational measures including: encryption of data in transit (TLS 1.2+) and at rest, role-based access controls, multi-tenant data isolation, audit logging, and regular security reviews. Details are available on our Security overview page.

10. Contact

For data protection enquiries or to request a countersigned DPA, contact legal@anydefect.com.