Data Processing Addendum
Last updated: April 2026 · Version 1.0
1. Parties and scope
This Addendum is entered into between AccessiProof ("Processor") and the customer identified in the applicable order ("Controller"). It governs all processing of personal data carried out by Processor on behalf of Controller in connection with the accessibility auditing, scanning, and monitoring services described at /pricing and /agencies (the "Services").
2. Definitions
"GDPR" means Regulation (EU) 2016/679; "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given to them in the GDPR. "Customer Personal Data" means Personal Data that Controller submits to, or that Processor collects on behalf of Controller through, the Services.
3. Roles of the parties
The parties acknowledge that Controller is the controller of Customer Personal Data and Processor is the processor of such data. Where Controller is itself a processor for a third-party controller (for example, an agency scanning a client site on behalf of that client), Processor acts as a sub-processor to that third-party controller and the terms of this Addendum apply accordingly.
4. Subject-matter, duration, nature and purpose of processing
Subject-matter: Automated accessibility scanning of URLs submitted by Controller, generation of audit and monitoring reports, and related operational communications.
Duration: For the term of the applicable subscription plus any retention period set out in our Privacy Policy.
Nature and purpose: Collection, storage, structuring, analysis, and display of accessibility findings and evidence, plus transmission of reports to Controller-designated recipients.
Types of Personal Data: Contact data (name, email) of Controller's users and, where Controller scans sites that render user-supplied content, incidental personal data that may appear in captured HTML fragments.
Categories of data subjects: Controller's employees, contractors, and, indirectly, visitors of websites Controller submits for scanning.
5. Processor obligations
In accordance with GDPR Art. 28(3), Processor shall:
- process Customer Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law (in which case Processor shall inform Controller unless the law prohibits such notice);
- ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
- implement the technical and organisational measures set out in Annex A below;
- respect the conditions for engaging sub-processors set out in Section 7;
- taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR;
- assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Processor;
- at Controller's choice, delete or return all Customer Personal Data to Controller at the end of the provision of the Services, and delete existing copies unless EU or Member State law requires storage;
- make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.
6. Security and personal data breach notification
Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex A. Processor shall notify Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information required under Article 33(3) GDPR to the extent known.
7. Sub-processors
Controller grants Processor a general written authorisation under Article 28(2) GDPR to engage the sub-processors listed at /legal/subprocessors. Processor shall notify Controller of any intended change concerning the addition or replacement of sub-processors at least 30 days in advance, giving Controller the opportunity to object on reasonable data-protection grounds. If the objection cannot be resolved, Controller may terminate the affected Services for the unused portion of the current billing period. Processor shall impose on any sub-processor the same data-protection obligations as set out in this Addendum by written contract.
8. International data transfers
Where transfers of Customer Personal Data to countries outside the EEA take place, such transfers are protected by the European Commission's Standard Contractual Clauses (Decision 2021/914), incorporated by reference. The relevant Module depends on the parties' roles under this Addendum (Module 2: Controller-to-Processor; Module 3: Processor-to-Sub-processor). Processor will implement supplementary measures where required by applicable transfer-impact assessments, including encryption in transit and at rest.
9. Data subject requests
Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests for exercising the data subject's rights (access, rectification, erasure, restriction, portability, objection) under Chapter III of the GDPR. Processor will forward any data-subject request it receives directly and relating to Customer Personal Data to Controller within 5 business days.
10. Audits and information requests
Processor makes available to Controller the information necessary to demonstrate compliance with Article 28 GDPR. Upon reasonable request and no more than once per calendar year, Controller may audit Processor's compliance with this Addendum. Such audits shall be conducted on reasonable advance written notice, during business hours, in a manner that minimises disruption to Processor's operations, and subject to confidentiality obligations. Where an independent third-party audit report (for example, SOC 2 or ISO 27001) is available and reasonably covers the matter under audit, Processor may satisfy its audit obligations by providing that report.
11. Deletion and return of data
At the end of the provision of the Services, and at the choice of Controller, Processor shall delete or return all Customer Personal Data to Controller and delete existing copies, unless EU or Member State law requires continued storage. Standard retention periods are set out in the Privacy Policy.
12. Order of precedence and term
In the event of a conflict between this Addendum and the Terms of Service, this Addendum shall prevail with respect to the parties' data-protection obligations. This Addendum is effective from the start of the Services and remains in force for as long as Processor processes Customer Personal Data on behalf of Controller.
13. Governing law
This Addendum is governed by the law applicable to the Terms of Service, without prejudice to the mandatory rules of GDPR and any applicable national data-protection law.
Annex A — Technical and organisational measures
Processor implements, at minimum, the following measures (Article 32 GDPR):
- Encryption in transit: TLS 1.2 or higher for all connections to application and database endpoints.
- Encryption at rest: Managed database encryption provided by the sub-processor hosting the Neon Postgres cluster; disk-level encryption on the Hetzner scanner worker.
- Access control: Role-based access to the operator dashboard, password protection with salted hashing, session tokens with reasonable expiry, and principle-of-least-privilege for database credentials.
- Network security: Hardened TLS-only ingress, IP allowlisting for administrative interfaces where supported, and no direct public exposure of the database.
- Logging and monitoring: Structured audit logs for scans, report generation, and authentication events.
- Tokenised report sharing: Report links use unguessable random tokens; Controllers may revoke a report link at any time.
- Data minimisation: Scan evidence is limited to what is necessary to demonstrate a WCAG finding; AccessiProof does not require the submission of end-user personal data.
- AI processing: Where Claude (Anthropic) is used to accelerate report production, only aggregated accessibility findings are sent; no account data or end-user personal data is submitted to the model.
- Vendor due diligence: All sub-processors are subject to a written data-protection agreement and a review of their certifications and published security posture.
- Business continuity: Automated database backups with point-in-time recovery provided by Neon.