Data Processing Agreement

Filed 2026-05-30 · Revision 1.0 · Vornin (Processor) — Customer (Controller)

1. Parties, subject matter, definitions

This Data Processing Agreement forms part of the Terms of Service between Vornin (Processor) and the Customer (Controller) and applies whenever Vornin processes personal data on behalf of Customer while providing the Services. Capitalised terms have the meaning given in the GDPR (EU 2016/679).

2. Scope of processing

Subject matter: provision of a multi-tenant vulnerability management platform.
Duration: for the term of the subscription plus 30 days for data return/deletion.
Nature and purpose: vulnerability scanning, finding storage, notification dispatch, reporting, authentication.
Types of personal data: user email addresses, display names, IP addresses, authentication tokens, audit log entries, and any personal data incidentally contained in scan results.
Categories of data subjects: Customer's employees, contractors, and third parties whose data appears in scanned systems.

3. Processor obligations

  1. Process personal data only on documented instructions from Controller.
  2. Ensure authorised persons are bound by confidentiality.
  3. Take appropriate technical and organisational measures per Article 32 (Annex A).
  4. Assist Controller in responding to data-subject requests, DPIAs, and prior consultations.
  5. Notify Controller of a personal data breach within 72 hours.
  6. At end of term, delete or return all personal data at Controller's choice.
  7. Make available information necessary to demonstrate compliance and permit audits.

4. Sub-processors

Customer provides general authorisation for sub-processors listed at vornin.com/sub-processors. Vornin will notify Customer of additions with at least 30 days' notice and opportunity to object.

5. International transfers

Primary processing occurs within the EU. Any non-EU/EEA sub-processor is covered by an Adequacy Decision, Standard Contractual Clauses, or equivalent safeguards.

6. Security — Annex A

7. Audit rights

Customer may, once per calendar year and on reasonable notice, audit compliance. This obligation may be satisfied by a then-current SOC 2 Type II or equivalent report. Costs of on-site audits beyond this are borne by Customer.

8. Data-subject requests

Customer handles requests directly via the platform. Vornin assists where self-service is not possible.

9. Liability

Subject to the limitations in the Terms. Nothing excludes liability that cannot be excluded by applicable law.

10. Governing law

Denmark. Exclusive jurisdiction in Copenhagen, without prejudice to mandatory data-protection jurisdiction.

Accepted by Customer: ___________________________

Name / role: ___________________________ Date: _______________

For Vornin: Mathias Gatz · legal@vornin.com · Denmark