Data processing agreement
Preamble
This agreement governs the rights and obligations of the parties with regard to processing on behalf of a controller pursuant to Art. 28 GDPR. The processor provides the controller with a service that performs an external vulnerability analysis of IT systems. Depending on the configuration of the analyzed systems, this may also involve the collection and processing of personal data (e.g., IP addresses, email addresses, or publicly visible login paths).
The processing is carried out exclusively within the scope of the agreed services and on the basis of the following provisions.
§1 Subject of processing
The processor conducts automated, technical analyses of publicly accessible IT systems on behalf of the controller. These analyses start from a target address (IP address or domain) specified by the controller.
The personal data processed by the processor consists of the identifiers of the IT systems specified by the controller (e.g., IP addresses, domains) and of data collected from those systems during the analysis. The results are made available in the form of reports. Access to the reports is granted only after successful authentication.
§2 Type of processing
The processing includes in particular:
- Collection of publicly available information (e.g. subdomains, mail configuration)
- Checking accessible services for vulnerabilities (e.g., through port scans, CVE detection)
- Storage of metadata and results in report form
- Provision of reports in the protected customer area
- Management of user accounts (name, email address, login details, 2FA token)
- Sending notifications to stored email addresses (optional)
§3 Purpose of processing
The processing is carried out for the purpose of:
- Identification of technical risks and vulnerabilities,
- Improving the security posture of the controller,
- Supporting compliance with legal, regulatory, and standards-based requirements (e.g., ISO 27001, NIS2),
- Support of internal security and risk management processes,
- Providing a secure customer area for managing analyses and access rights.
§4 Categories of data subjects
Within the scope of the commissioned services, data of the following groups of people may be affected:
- Employees of the controller, e.g., IT administrators or users of the analyzed systems
- External contacts whose email addresses or contact details appear publicly in the analyzed areas
- Users with access to the customer area (e.g., the account holder and persons authorized to view reports)
§5 Rights and obligations of the controller
- Responsibility for data processing
The controller is responsible for the lawful processing of personal data within the meaning of the GDPR. The controller is responsible for ensuring that the processing performed by the processor rests on a valid legal basis (e.g., consent, contract, statutory obligation).
- Right to give instructions
The controller may only provide the processor with data for processing if such processing is lawful. The processor processes personal data solely in accordance with the automated procedures of this platform; no further individual instructions from the controller are required for this processing.
- Obligations to cooperate
The controller is obliged to independently comply with its own legal obligations (e.g., information obligations, rights of data subjects).
- Confidentiality obligations towards third parties
The controller undertakes to treat access credentials and the contents of the customer account confidentially and not to grant unauthorized third parties access to them.
§7 Obligations of the processor
- Confidentiality
The processor undertakes to treat personal data confidentially. Persons with access to the data are bound to confidentiality in accordance with Art. 28 (3) (b) GDPR; this also applies where the processor is a sole proprietor (self-commitment).
- Technical and organizational measures (TOMs)
The processor undertakes to implement appropriate technical and organizational measures in accordance with Art. 32 GDPR to ensure a level of protection appropriate to the risk.
An overview of the currently valid measures can be found at the following address:
https://threatemy.com/transparency/
- Support with data subject rights
The processor shall support the controller, as far as possible, in fulfilling requests from data subjects (e.g., access, erasure, rectification) in accordance with Articles 12 to 23 GDPR.
- Reporting personal data breaches
The processor shall inform the controller without undue delay of any personal data breach, in particular of unauthorized access to stored data or a compromise of its systems.
§8 Use of subcontractors
- The processor is entitled to engage subcontractors (sub-processors) to process personal data. In doing so, the processor shall ensure that these subcontractors are contractually bound by the same data protection obligations as those set out in this agreement.
- A current list of the subcontractors used is available at the following URL:
https://threatemy.com/transparency/
- The processor shall inform the controller of any planned changes regarding the engagement or replacement of subcontractors within a reasonable period of time. The controller may object to such a change for important data protection reasons.
§9 Return and deletion of data
- After completion of the contractually agreed processing, or upon instruction from the controller, the processor shall delete all personal data in its possession, unless a legal obligation requires the data to be retained.
- Personal data shall be deleted in accordance with the applicable data protection regulations.
§10 Final provisions
The contract is concluded electronically. A handwritten signature is not required if the parties' agreement is documented electronically.
This contract is subject to the laws of the Federal Republic of Germany.
Should any provision of this Agreement be or become invalid, the validity of the remaining provisions shall remain unaffected.