Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("Controller") and Zevlat Intelligence ("Processor", operating as middleBrick) for the provision of the middleBrick API security scanning service.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR (Regulation (EU) 2016/679).
2. Scope of Processing
| Element | Detail |
|---|---|
| Subject matter | API security scanning and risk scoring |
| Duration | Term of the service agreement |
| Nature and purpose | Automated analysis of API endpoints for security vulnerabilities |
| Categories of data subjects | Customer employees (account holders), API end-users (only if personal data appears in API responses scanned) |
| Types of personal data | Email addresses (account), IP addresses (audit log), API response content (transient, not stored beyond scan duration) |
3. Processor Obligations
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage another processor without the Controller's prior specific or general written authorization (general authorization is given for the sub-processors listed under Section 5, subject to the notice period stated there)
- Assist the Controller in responding to data subject requests
- Delete or return all Personal Data at end of service, at Controller's choice
- Make available all information necessary to demonstrate compliance
4. Security Measures
- Encryption at rest: AES-256-GCM
- Encryption in transit: TLS 1.3
- Access control: RBAC with SAML SSO and MFA enforcement
- Audit logging: HMAC-watermarked, tamper-evident
- Data isolation: org-scoped queries, no cross-tenant access
- Infrastructure: Cloudflare edge network (ISO 27001, SOC 2 Type II certified)
5. Sub-Processors
The Processor uses the sub-processors listed at /sub-processors. The Controller may subscribe to changes via the RSS feed at /sub-processors.rss. The Processor will notify the Controller at least 30 days before engaging a new sub-processor.
6. International Transfers
Data is processed on Cloudflare's global edge network. Where data is transferred outside the EEA, Cloudflare's Standard Contractual Clauses (Module 3: processor-to-processor) apply. See Cloudflare's DPA at cloudflare.com/trust-hub/gdpr/.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) within 72 hours of notification.
8. Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
9. Data Retention and Deletion
- Scan results: retained for the subscription term, deleted 30 days after account closure
- Audit logs: retained per plan tier (30/90/365 days), then permanently deleted
- Account data: deleted within 30 days of erasure request
10. Governing Law
This DPA is governed by the laws of the jurisdiction specified in the main service agreement. For GDPR matters, the competent supervisory authority is determined by the Controller's establishment.
This DPA is effective upon the Customer's acceptance of the middleBrick Terms of Service or execution of an Enterprise agreement.
Zevlat Intelligence
Operating as middleBrick
[email protected]