ConformScan
LoginStart Free
TermsPrivacyDPAImpressumSecurity

Data Processing Agreement

Standard Data Processing Agreement (Auftragsverarbeitungsvertrag) pursuant to GDPR Article 28.

Last updated: March 11, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and ConformScan ("Processor") for the use of the ConformScan platform.

1. Subject Matter and Duration

The Processor provides cloud infrastructure compliance scanning services as described in the Terms of Service. This DPA applies for the duration of the service agreement between Controller and Processor.

2. Nature and Purpose of Processing

The Processor processes personal data on behalf of the Controller for the following purposes:

  • Scanning cloud infrastructure configurations (AWS, Azure) for compliance with regulatory frameworks
  • Generating compliance reports and findings
  • Tracking compliance status over time (drift detection)
  • Sending notifications and alerts related to scan results

3. Types of Personal Data

The following categories of personal data may be processed:

  • Cloud account identifiers (AWS Account IDs, Azure Subscription IDs)
  • Cloud resource ARNs and identifiers
  • IAM user and role names (as part of compliance checks)
  • IP addresses and email addresses of Controller's users
  • Compliance scan results and scores
Note: ConformScan uses read-only access and does NOT process the contents of databases, storage objects, secrets, or any end-user data within the Controller's cloud infrastructure.

4. Categories of Data Subjects

  • Controller's employees and contractors with cloud access
  • Controller's users of the ConformScan platform

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller (Art. 28(3)(a))
  • Ensure that persons authorized to process personal data have committed to confidentiality (Art. 28(3)(b))
  • Implement appropriate technical and organizational measures to ensure security (Art. 28(3)(c), Art. 32)
  • Not engage another processor without prior written authorization of the Controller (Art. 28(2))
  • Assist the Controller in responding to data subject requests (Art. 28(3)(e))
  • Assist the Controller in ensuring compliance with obligations under Art. 32-36 GDPR
  • Delete or return all personal data upon termination of the service (Art. 28(3)(g))
  • Make available all information necessary to demonstrate compliance (Art. 28(3)(h))

6. Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR:

6.1 Encryption

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 for all data in transit
  • Passwords hashed with bcrypt (cost factor 12)
  • API keys hashed before storage (SHA-256)

6.2 Access Control

  • Role-based access control in the application
  • SSH key-based server access (no password authentication)
  • Read-only cloud access for scanning (no write permissions)

6.3 Infrastructure

  • All servers located in Germany (Netcup GmbH, Karlsruhe)
  • Containerized application architecture (Docker)
  • Regular security updates and patching
  • Automated daily database backups (encrypted)

6.4 Data Separation

  • Each scan runs in an isolated container
  • Customer data logically separated by user ID in the database
  • Temporary scan credentials discarded after each scan

7. Subprocessors

The Controller grants general authorization for the use of the following subprocessors:

SubprocessorPurposeLocationSafeguards
Netcup GmbHServer hostingGermanyGDPR (EU)
Cloudflare, Inc.DNS resolutionEUEU infrastructure
Stripe, Inc.Payment processingIreland (EU)GDPR, PCI DSS

Email delivery is handled by a self-hosted mail server (Poste.io) on the same infrastructure in Germany — no external email subprocessor.

The Processor will inform the Controller of any intended changes to subprocessors, giving the Controller the opportunity to object.

8. Data Transfers

No personal data is transferred outside the European Economic Area (EEA). All infrastructure is located in Germany. No US-based subprocessors are used for data processing or storage.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, likely consequences, and mitigation measures.

10. Audit Rights

The Controller has the right to conduct audits or inspections to verify compliance with this DPA. The Processor shall cooperate with such audits and make available all necessary information.

11. Return and Deletion of Data

Upon termination of the service agreement, the Processor shall, at the Controller's choice:

  • Return all personal data in a machine-readable format (JSON export), or
  • Delete all personal data within 24 hours

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

13. Governing Law

This DPA is governed by French law. It is supplemented by the provisions of the GDPR, which shall prevail in the event of conflict.

Acceptance: By using the ConformScan platform, the Controller accepts this DPA. For a signed PDF version, contact [email protected].