Data Processing Agreement

Last updated: March 2026

1. Scope and Application

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Safeliant (“Processor”, “we”, “us”) and the Customer (“Controller”, “you”) and governs the processing of personal data by Safeliant on behalf of the Customer in connection with the Evidence Guard service.

This DPA applies to the extent that Safeliant processes personal data on behalf of the Customer as a data processor under Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR as retained by the Data Protection Act 2018.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Safeliant on behalf of the Customer through the Service.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
  • “Sub-processor” means any third party engaged by Safeliant to process Personal Data on behalf of the Customer.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Roles and Responsibilities

The Customer is the data controller and determines the purposes and means of processing Personal Data. Safeliant acts as a data processor, processing Personal Data only on the Customer's documented instructions as described in this DPA and the Terms of Service.

Safeliant shall not process Personal Data for any purpose other than as specified in this DPA unless required to do so by applicable law, in which case Safeliant shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).

4. Categories of Data Processed

In the course of providing the Evidence Guard service, Safeliant may process the following categories of Personal Data on behalf of the Customer:

4.1 Data Categories

  • Website visitor data — IP addresses, user agent strings, and timestamps captured during consent evidence scans of the Customer's websites.
  • Consent records — Consent text, consent method identifiers, opt-in timestamps, and associated metadata submitted by the Customer or captured from the Customer's web properties.
  • Page content — HTML snapshots, screenshots, and form elements captured from publicly accessible pages of the Customer's websites during compliance scans.
  • Account data — Email addresses, names, and organisational information of the Customer's authorised users.

4.2 Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • Visitors to the Customer's websites whose consent events are captured.
  • The Customer's employees and authorised users of the Service.
  • Individuals whose personal data appears on publicly accessible pages submitted for scanning.

4.3 Processing Activities

Safeliant performs the following processing activities:

  • Collection and storage of consent evidence records.
  • Automated scanning and capture of publicly accessible web page content.
  • Deterministic scoring of consent compliance indicators.
  • Generation of evidence packs and audit-ready PDF reports.
  • Secure storage and retrieval of evidence data.
  • Providing the Customer with data export functionality.

5. Customer Obligations

The Customer shall:

  • Ensure that there is a lawful basis for the processing of Personal Data and that all necessary consents or authorisations have been obtained.
  • Only submit URLs and data for scanning that the Customer owns or has explicit authorisation to monitor, in accordance with the Acceptable Use Policy.
  • Provide documented instructions for the processing of Personal Data.
  • Promptly notify Safeliant of any changes to applicable data protection laws that may affect Safeliant's processing obligations.
  • Ensure that any Personal Data provided to Safeliant is accurate, complete, and up to date.

6. Security Measures

Safeliant implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption — All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption.
  • Access controls — Role-based access controls with the principle of least privilege. Multi-factor authentication for all administrative access.
  • Infrastructure security — Hosted on SOC 2 Type II certified infrastructure with automated vulnerability scanning and patch management.
  • Audit logging — Comprehensive audit trails of all access to and modifications of Personal Data.
  • Data isolation — Customer data is logically separated using row-level security policies.
  • Backup and recovery — Regular automated backups with tested recovery procedures.

For a detailed overview of our security practices, see our Security page.

7. Sub-processors

The Customer authorises Safeliant to engage Sub-processors to assist in providing the Service, subject to the following conditions:

  • A current list of Sub-processors is maintained on our Subprocessors page.
  • Safeliant will notify the Customer of any intended changes to Sub-processors by updating the Subprocessors page and, where the Customer has subscribed to notifications, by email at least 14 days before the change takes effect.
  • The Customer may object to a new Sub-processor by notifying Safeliant within 14 days of receiving notice. If the objection cannot be reasonably resolved, the Customer may terminate the affected Service.
  • Safeliant imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA.
  • Safeliant remains fully liable to the Customer for the performance of each Sub-processor's obligations.

8. Data Subject Rights

Safeliant will assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under GDPR Articles 15–22, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (“right to be forgotten”) (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Safeliant will promptly notify the Customer if it receives a request from a Data Subject directly and will not respond to such requests without the Customer's prior instruction, unless required by applicable law.

Safeliant provides data export functionality within the Service to facilitate the Customer's response to access and portability requests.

9. Data Breach Notification

In the event of a Data Breach affecting the Customer's Personal Data, Safeliant shall:

  • Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide the Customer with sufficient information to enable the Customer to meet its obligations under Article 33 of the GDPR, including:
    • The nature of the breach, including the categories and approximate number of Data Subjects and records affected.
    • The likely consequences of the breach.
    • The measures taken or proposed to address the breach and mitigate its effects.
    • The name and contact details of Safeliant's point of contact for the breach.
  • Take immediate steps to contain the breach and minimise any ongoing risk to Data Subjects.
  • Cooperate with the Customer and provide reasonable assistance in investigating and remediating the breach.
  • Maintain a record of all Data Breaches, including facts, effects, and remedial actions taken.

10. Data Protection Impact Assessments

Safeliant will provide reasonable assistance to the Customer in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR, to the extent that such assessments relate to Safeliant's processing activities.

11. International Data Transfers

Safeliant shall not transfer Personal Data to a country or territory outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place, including:

  • An adequacy decision by the European Commission or UK Secretary of State.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where necessary based on a transfer impact assessment.
  • The recipient's certification under an approved certification mechanism.

Details of any international transfers and the applicable safeguards are documented on our Subprocessors page.

12. Data Retention and Deletion

Safeliant will process Personal Data for the duration of the Customer's subscription. Upon termination or expiry of the agreement:

  • Safeliant will make the Customer's data available for export for a period of 30 days.
  • After the 30-day export period, Safeliant will delete all Personal Data in its possession, including all copies and backups, within 90 days unless retention is required by applicable law.
  • Safeliant will provide written confirmation of deletion upon the Customer's request.

During the subscription period, the Customer may request deletion of specific data through the Service or by contacting Safeliant. Deletion requests will be processed within 30 days.

13. Audit Rights

The Customer has the right to audit Safeliant's compliance with this DPA, subject to the following:

  • The Customer shall provide at least 30 days' written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Safeliant's operations.
  • Safeliant will make available all information necessary to demonstrate compliance with its obligations under this DPA.
  • Where appropriate, Safeliant may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2), or the results of third-party assessments.
  • The Customer shall bear its own costs in conducting audits.
  • Audit findings shall be treated as confidential information of Safeliant.

14. Confidentiality

Safeliant ensures that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty. Safeliant restricts access to Personal Data to those employees, contractors, and agents who need access to perform their duties and who have been trained on data protection requirements.

15. Term and Termination

This DPA shall remain in effect for the duration of the Customer's use of the Service and shall automatically terminate upon the expiry or termination of the Terms of Service, subject to the data retention and deletion provisions in Section 12.

Obligations under this DPA that by their nature should survive termination (including confidentiality, data deletion, and audit rights) shall continue in force after termination.

16. Governing Law

This DPA is governed by and construed in accordance with the same governing law as the Terms of Service, except where otherwise required by applicable data protection legislation. To the extent required by the GDPR, the provisions of this DPA shall be interpreted in accordance with EU data protection law.

17. Contact

To execute a DPA, request a signed copy, or for questions about data processing, please contact us: