Data Processing Agreement

Effective: March 2026

1. Definitions

  • Controller: The organization (Tenant) that uploads personal data to VPC for breach validation.
  • Processor: ValidatePIIClasses.com ("VPC"), which processes personal data on behalf of the Controller.
  • Data Subject: An individual whose personal data is included in the Controller's uploaded dataset.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
  • Sub-processor: A third-party service provider engaged by VPC to assist in processing personal data.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.

2. Scope and Purpose

VPC processes personal data solely for the purpose of breach validation on the Controller's instructions. The Processor will:

  • Process personal data only as instructed by the Controller and as necessary to provide the breach validation service
  • Not process personal data for any other purpose, including marketing, profiling, or resale
  • Process data in accordance with applicable data protection laws, including GDPR and CCPA where applicable

3. Data Processing Details

Categories of Data Subjects: Individuals whose personal data is included in datasets uploaded by the Controller for breach validation.

Types of Personal Data: Email addresses, names, phone numbers, physical addresses, Social Security Numbers, and other PII fields as determined by the Controller's upload.

Processing Activities:

  • Importing and parsing uploaded CSV/XLSX files
  • Expanding multi-value records into individual entities
  • Querying breach databases to determine exposure status
  • Generating boolean breach match results and aggregated summaries
  • Producing downloadable reports for the Controller

Duration: Personal data is processed transiently during the breach validation workflow. Active processing typically completes within minutes. PII is cleared from processing tables immediately after results are generated.

4. Data Retention and Deletion

  • Uploaded Files: Encrypted with AES-256-GCM using per-tenant keys immediately upon upload. Files are automatically deleted when processing begins (within 15 minutes of upload). If a file expires before processing, it is purged automatically.
  • PII in Processing Tables: Personal data fields (names, emails, phone numbers, etc.) are cleared from processing tables immediately after breach results are generated.
  • Retained Data: Only boolean breach match flags (yes/no) and aggregated summaries are retained for reporting. These are keyed by anonymous system-generated identifiers (e.g., ENT-00001), not by personal data.
  • Account Deletion: Upon termination of the Controller's account, all associated tenant data (schemas, tables, encryption keys) will be deleted within 30 days.

5. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in Transit: TLS 1.2+ for all connections (HTTPS, database, API, cache)
  • Encryption at Rest: AES-256-GCM authenticated encryption for uploaded files with per-tenant encryption keys
  • Access Control: Multi-factor authentication (TOTP, WebAuthn/Passkeys), MFA enforced for staff, role-based permissions
  • Tenant Isolation: Per-tenant database schemas, per-project tables, per-tenant encryption keys
  • Network Security: Private subnets, WAF IP allowlist, CloudFront with origin secret, security groups
  • Application Security: Nonce-based CSP, HSTS preload, Argon2 password hashing, brute-force lockout
  • Monitoring: Structured audit trail (9+ sensitive operations), failed login tracking, infrastructure monitoring
  • Container Security: Amazon Inspector scanning with CRITICAL CVE deploy gating on every release

6. Sub-processors

The Processor engages the following sub-processors:

Sub-processor Purpose Location
Amazon Web Services (AWS) Compute, database, storage, CDN, and caching infrastructure US East (Ohio)
Have I Been Pwned (HIBP) Email breach lookup Australia
DataBreach Inc. (via RapidAPI) Email breach lookup United States
District 4 Labs Multi-field breach search United States

The Processor will provide the Controller with at least 30 days' advance notice before engaging a new sub-processor or replacing an existing one. The Controller has 14 days from receipt of notice to object. If the Controller objects on reasonable data protection grounds, the parties will work in good faith to resolve the concern.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights requests, including:

  • Right of access — providing copies of personal data processed
  • Right to rectification — correcting inaccurate data
  • Right to erasure — deleting personal data upon request
  • Right to data portability — exporting data in a structured format

The Processor will respond to Controller requests related to data subject rights within 72 hours.

8. Breach Notification

In the event of a personal data breach, the Processor will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details including: the nature and scope of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
  • Cooperate with the Controller in investigating and remediating the breach
  • Assist the Controller in meeting its own notification obligations to supervisory authorities and data subjects

9. Data Transfers

All primary processing occurs in AWS US East regions (United States). Where a sub-processor processes data outside the Controller's jurisdiction, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by applicable law.

10. Audit Rights

The Controller may:

  • Request evidence of the Processor's compliance with this Agreement and applicable data protection laws
  • Conduct or commission audits of the Processor's data processing activities, with reasonable advance notice

The Processor will contribute to and cooperate with such audits, providing access to relevant documentation, systems, and personnel as reasonably required.

11. Term and Termination

This Agreement is effective for the duration of the Controller's use of the Service. Upon termination:

  • The Processor will cease all processing of the Controller's personal data
  • All tenant data (schemas, tables, encryption keys) will be deleted within 30 days
  • The Controller may request a data export prior to termination
  • The Processor will provide written confirmation of deletion upon request

12. Liability

The Processor's liability under this Agreement is subject to the limitations set forth in the Terms of Service. Nothing in this Agreement limits either party's liability for breaches of data protection law that cannot be limited under applicable law.

13. Governing Law

This Agreement is governed by the laws of the State of Florida, United States, consistent with the Terms of Service. Where EU/EEA data protection law applies, the relevant provisions of the GDPR shall take precedence over conflicting terms.

14. Contact

For questions about this Data Processing Agreement or to exercise any rights under it:

Privacy: privacy@validatepiiclasses.com

Security: security@validatepiiclasses.com

This Data Processing Agreement forms part of the Terms of Service between the Controller and ValidatePIIClasses.com.