Data processing agreement

Last updated 2026-04-30

Who this is for

This DPA applies to customers on the Business and Enterprise plans whose use of Brektra involves the processing of personal data within the meaning of the GDPR, the UK GDPR, or comparable laws. Customers on Free, Starter, and Pro plans are covered by our Privacy Policy and Terms of Service.

Roles

For personal data processed by Brektra on your behalf in the course of providing the service (request and response bodies captured during scans, audit logs, member metadata you upload), you are the controller and Brektra is the processor.

Subject matter and duration

The subject matter is the provision of the Brektra service. The duration is the term of your subscription plus the data retention windows in our Privacy Policy.

Categories of data and data subjects

Categories of data: account identifiers, scan configurations, captured request and response bodies, finding artifacts, audit logs.

Categories of data subjects: your employees, your contractors, and any individuals whose data appears in the targets you scan.

Security measures

We maintain appropriate technical and organizational measures described in our security page: TLS in transit, AES-256 at rest, application-layer encryption for customer-supplied secrets, row-level security isolation, audit logging, scope-guard enforcement on every outbound request.

Sub-processors

The current list of sub-processors is in our Privacy Policy under the Sub-processors section. We give you 30 days' notice via email before adding or removing a sub-processor that materially affects you. You may object during that window; your remedy is to terminate your subscription with a pro-rata refund.

International transfers

Where transfers leave the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (Module 2: controller to processor) and the UK International Data Transfer Addendum, incorporated into this DPA by reference.

Data subject rights

We assist you in responding to data-subject access, deletion, correction, restriction, portability, and objection requests, taking into account the nature of processing. Requests to Brektra directly should go to privacy@brektra.com; we forward customer-routed requests to the customer.

Breach notification

We notify you without undue delay (and in any event within 72 hours) of becoming aware of a personal-data breach affecting your data. The notice includes the nature of the breach, the likely categories and number of data subjects, the consequences, and the measures we have taken or propose.

Audit rights

You may audit our compliance with this DPA at most once per year, on at least 30 days' written notice, during business hours, at your expense. We will satisfy reasonable audit requests by providing third-party audit reports (when available) and our internal security posture documentation.

Return and deletion

On termination of your subscription, we delete or return your data per the retention windows in our Privacy Policy. Your right to request earlier deletion is preserved.

How to execute this DPA

For Business and Enterprise customers, this DPA is incorporated into your Brektra Terms of Service automatically and binds both parties from the date you accept the Terms. If you require a countersigned copy for your records, email legal@brektra.com with your workspace name and we will send a PDF copy through your preferred signing flow.

Governing law

This DPA is governed by the laws referenced in our Terms of Service.