
Data Processing Agreement (DPA)

Last updated: 2026-04-19. Template pursuant to Art. 28 GDPR.

For Starter and Pro tiers this web DPA constitutes the contractual framework. For Enterprise tier we sign a counter-signed PDF adapted to your security questionnaire. Request the editable version at legal@eleion.io.

1. Parties and scope

This DPA is entered into between the Customer (Data Controller) and the Eleion Operator (Data Processor). The legal identity of the Processor (Italian corporate entity, VAT ID, legal seat) is disclosed on request to legal@eleion.io and will be named in the counter-signed Enterprise version. It governs the processing of Personal Data performed by Eleion Scanner on behalf of the Customer under the Terms of Service.

2. Subject-matter, duration, nature and purposes

Aspect                      | Specification
----------------------------|-----------------------------------------------------------------------------
Subject-matter              | Provision of the authorized vulnerability scanning Service
Duration                    | Equal to the term of the Service Agreement, plus the retention period per Section 7
Nature of processing        | Collection, storage, analysis, reporting, deletion
Purpose                     | Run scans against Customer-owned web assets, deliver findings, invoice
Types of data               | Account identifiers, scan metadata, technical findings, billing data
Categories of data subjects | Customer's authorized employees / API users

3. Obligations of the Processor (Art. 28.3 GDPR)

  • Process only on documented instructions from the Controller;
  • Ensure personnel are bound to confidentiality;
  • Implement appropriate technical and organizational measures (Art. 32) — see Section 6;
  • Respect conditions for engaging sub-processors — see Section 4;
  • Assist the Controller in responding to data-subject rights requests;
  • Assist the Controller in compliance with Art. 32–36 (security, breach, impact assessment);
  • Return or delete all Personal Data after the end of Services, per Controller instruction;
  • Make available all information necessary to demonstrate compliance, and allow for audits (reasonable cost, confidential, with 30 days' notice).

4. Sub-processors

Eleion uses the sub-processors listed at /sub-processors. Customer consents to current sub-processors by signing the Service Agreement. Eleion will notify the Customer at least 30 days before any new sub-processor is engaged; Customer may object, in which case parties will cooperate in good faith to find a reasonable resolution.

5. International transfers

Customer data is stored exclusively in AWS eu-central-1 (Frankfurt, Germany). Control-plane metadata that may transit non-EEA infrastructure is covered by Standard Contractual Clauses (Decision (EU) 2021/914, Module 2 Controller-to-Processor, as amended). Supplementary measures: encryption at rest via AWS KMS, encryption in transit (TLS 1.2+), log minimization.

6. Security measures (Art. 32)

  • Pseudonymisation of scan ownership proofs (hashed);
  • Encryption of Personal Data at rest and in transit;
  • Ability to ensure ongoing confidentiality, integrity, availability — SLA targets published at status-scanner.eleion.io;
  • Ability to restore availability in a timely manner — backup RPO 6 hours, RTO 10 minutes;
  • Process for regularly testing the effectiveness of measures — quarterly review + annual external penetration test;
  • Access control — MFA enforced on all administrative accounts, Row-Level Security on tenant data;
  • Incident response — breach runbook + dedicated security@eleion.io inbox.

7. Data retention and return

On termination of the Service Agreement: account data deleted within 90 days; scan findings deleted within 12 months of their creation; audit logs retained 12 months (abuse investigation); payment records retained 10 years (IT fiscal obligations). Customer may request an accelerated deletion; we comply except for records subject to legal retention.

8. Data-subject rights assistance

Upon written request, Eleion provides Customer with copies of Personal Data relating to a specific data subject, and executes deletion, rectification, or portability as instructed within 72 hours of the Controller's validated request.

9. Breach notification to Controller

Eleion notifies the Customer of any Personal Data breach without undue delay and in any case within 24 hours of becoming aware, providing the information set out in Art. 33.3 as available.

10. Audit rights

Customer may, upon reasonable notice (30 business days) and at its cost, audit Eleion's compliance with this DPA once per calendar year. Audits must respect the security and confidentiality of other customers' data. Eleion may satisfy audit requests by providing certificates (ISO 27001 / SOC 2 when available) and recent penetration-test executive summaries.

11. Liability

Liability under this DPA is subject to the limitations set out in the main Service Agreement. Nothing limits liability of either party for willful misconduct or gross negligence.

12. Governing law

This DPA is governed by Italian law. The courts of Milan have exclusive jurisdiction.

13. Signatures

By signing up for the paid Service, the Customer accepts this DPA. For Enterprise agreements we counter-sign a PDF version; request it at legal@eleion.io.

Eleion, independent product. Italian corporate entity registration in progress — current operator details on request at legal@eleion.io. Service hosted on AWS Frankfurt (eu-central-1). Primary customer data stays inside the EU.
Contacts: privacy@eleion.io · abuse@eleion.io · security@eleion.io · legal@eleion.io
Strictly necessary cookies only. Designed to support GDPR obligations (Regulation EU 2016/679) and the Italian Codice della Privacy — DPA, sub-processors and Transfer Impact Assessment published. Self-assessment EU 2021/821 (dual-use): passive scanner, no intrusion software nor exploit generation.