Data Processing Agreement
Updated · 2026.05.30 · Revision 1.0 · Governs processing on behalf of Customer
1. Parties, subject matter, and definitions
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Vornin (“Processor”) and the Customer (“Controller”) and applies whenever Vornin processes personal data on behalf of Customer while providing the Services. Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679).
2. Scope and nature of processing
Subject matter: provision of a multi-tenant vulnerability management platform.
Duration: for the term of the Customer’s subscription plus 30 days for data return/deletion.
Nature and purpose: vulnerability scanning, finding storage, notification dispatch, reporting, and user authentication.
Types of personal data: user email addresses, display names, IP addresses, authentication tokens, audit log entries, and any personal data incidentally contained in scan results (e.g., administrator email addresses appearing in exposed web content).
Categories of data subjects: Customer’s employees, contractors, and any third parties whose data appears in scanned systems.
3. Processor obligations
- Process personal data only on documented instructions from the Controller (the Terms and platform configuration).
- Ensure persons authorised to process the data are bound by confidentiality.
- Take appropriate technical and organisational measures per Article 32 (see Annex A).
- Assist the Controller in responding to data-subject requests, impact assessments, and prior consultations.
- Notify the Controller of a personal data breach without undue delay after becoming aware of it, and in any case within 72 hours (Article 33(2)).
- At end of term, delete or return all personal data at Controller’s choice.
- Make available all information necessary to demonstrate compliance and allow audits (see Section 7).
4. Sub-processors
Customer provides general authorisation for the use of sub-processors listed at /sub-processors. Processor will notify Controller of any intended additions or replacements of sub-processors with at least 30 days’ notice, giving Controller the opportunity to object.
5. International transfers
All primary data processing occurs within the European Union. If any sub-processor is located outside the EU/EEA, Vornin ensures an adequate level of protection via (a) an Adequacy Decision under Article 45, (b) Standard Contractual Clauses, or (c) other appropriate safeguards under Article 46.
6. Security
See Annex A — Technical and Organisational Measures below.
7. Audit rights
Controller may, no more than once per calendar year and on reasonable notice, audit Processor’s compliance with this DPA. At Processor’s discretion, audit obligations may be satisfied by provision of a then-current SOC 2 Type II report or equivalent third-party attestation. Costs of on-site audits beyond this are borne by Controller.
8. Data subject rights and requests
Controller handles data-subject requests directly via the platform’s export and deletion tooling. Processor will assist Controller within reasonable time and scope when direct self-service is not possible.
9. Liability
Liability under this DPA is subject to the limitations in the Terms of Service. Nothing here excludes liability that cannot be excluded by applicable law.
10. Governing law and jurisdiction
This DPA is governed by the laws of Denmark. The courts of Copenhagen have exclusive jurisdiction, without prejudice to mandatory data-protection jurisdiction.
Annex A — Technical and Organisational Measures (Article 32)
- Access control: passwordless auth (magic link), optional TOTP, per-tenant SAML SSO, role-based access in-tenant, separate platform-admin accounts.
- Encryption: TLS 1.2+ in transit (Let’s Encrypt, auto-renewed). Sensitive fields (TOTP secrets, stored PATs) encrypted at rest with AES-256-GCM. Disk-level encryption on database storage.
- Tenant isolation: row-level isolation via EF Core global query filters; no cross-tenant queries possible without explicit platform-admin context.
- Audit logging: immutable audit log of authentication, privilege changes, data exports, and administrative actions.
- Backups: encrypted nightly Postgres dumps to EU-based object storage, 30-day retention, passphrase held off-server.
- Incident response: documented runbook; breach notification to Controller without undue delay and in any case within 72 hours of becoming aware (Article 33(2)), so that Controller can meet its own 72-hour deadline to the supervisory authority under Article 33(1).
- Availability: uptime monitoring with SMS + chat alerts; DR plan documented.
- Staff: all personnel under written confidentiality obligations; access on a need-to-know basis.
Annex B — Sub-processors
The current, authoritative list of sub-processors — including the purpose, data categories, and processing location of each — is published at vornin.com/sub-processors and is incorporated by reference into this DPA. That list is the canonical register for the purposes of Article 28(2) GDPR.
Changes (additions, removals, or material purpose changes) are notified to tenant Owners by email at least 30 days before they take effect, with a reply path to object. Static enumeration here is intentionally omitted to prevent drift between the signed copy of this DPA and the live register; consult /sub-processors for the current set.
Signature
Countersign by email to legal@vornin.com. Acceptance of the Terms of Service constitutes acceptance of this DPA for the duration of the subscription; a formal countersigned copy is available on request.