Data Processing Agreement
Effective date: 15 January 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Pennrows Ltd ("Processor") for the provision of the Pennrows security platform. It applies where Processor processes personal data on behalf of Controller in connection with the services.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR. In addition: "Data Subject" means an identified or identifiable natural person; "Personal Data" means any information relating to a Data Subject; "Processing" has the meaning in Article 4(2) GDPR; "Sub-processor" means any processor engaged by Processor to process Personal Data.
2. Scope & Purpose
Processor processes Personal Data solely for the purpose of providing the Pennrows platform: AI-powered code vulnerability scanning and executive email threat monitoring. Processor acts only on documented instructions from Controller and does not determine the purposes or means of processing beyond what is necessary to perform the services.
3. Obligations of Controller
Controller warrants that it has a lawful basis for the processing and that its instructions comply with applicable data protection law. Controller shall provide Processor with necessary information to enable Processor to fulfil its obligations under this DPA and the GDPR.
4. Obligations of Processor
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Ensure that persons authorised to process Personal Data are bound by confidentiality
- Implement appropriate technical and organisational measures as described in Section 7
- Assist Controller in responding to Data Subject requests
- Assist Controller in ensuring compliance with Articles 32–36 GDPR
- Delete or return Personal Data upon termination, unless law requires retention
5. Sub-processors
Processor engages the following Sub-processors:
- AWS: Infrastructure and hosting
- Anthropic: AI analysis for code scanning
- Resend: Email delivery for notifications
- Stripe: Payment processing
Processor shall impose on Sub-processors data protection obligations no less protective than this DPA. Controller grants general authorisation for these Sub-processors. Processor will notify Controller of any intended changes and provide an opportunity to object. A current Sub-processor list is available upon request.
6. Data Subject Rights
Processor shall assist Controller in fulfilling requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, objection). Processor will respond to such requests within the timeframes required by applicable law. Controller remains responsible for responding to Data Subjects; Processor will not respond directly unless authorised.
7. Security Measures
Processor implements measures including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Logical separation and tenant isolation
- Access controls and role-based permissions
- Ephemeral processing of source code—no raw code storage
- Read-only access for email monitoring; no modification or interception of delivery
- Regular security assessments and penetration testing
Categories of Data Subjects: developers, executives, and end users of Controller's systems. Types of Personal Data: account information, repository metadata, email metadata and threat classifications, usage data, and IP addresses.
8. Data Breach Notification
Processor shall notify Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed. Processor shall provide further information as it becomes available and cooperate with Controller in meeting any regulatory notification obligations.
9. Data Transfers
Where Personal Data is transferred outside the UK or EEA, Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the relevant authorities. Controller may request a copy of the transfer mechanisms in use.
10. Audit Rights
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA. Processor shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller, subject to reasonable notice, confidentiality obligations, and a maximum of one audit per year unless a breach or regulatory requirement requires more. Processor may satisfy audit obligations by providing relevant extracts from certifications (e.g. SOC 2 Type II) where they cover the processing in question.
11. Term & Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, Processor shall delete or return Personal Data in accordance with Controller's instructions, unless law requires retention. Processor may retain copies only to the extent required by law.
12. General
This DPA is governed by the laws of England and Wales. In the event of conflict between this DPA and the main service agreement, this DPA shall prevail with respect to data protection. Amendments to this DPA shall be made in writing. Processor may update the Sub-processor list from time to time with notice to Controller.
Contact
For DPA and data protection enquiries: legal@pennrows.com