WASViking

Terms of Service

Data Processing Agreement (DPA)

Effective Date: July 19, 2025

1.Parties & Roles

This Data Processing Agreement (“DPA”) is entered into between:

  • Customer, acting as the Data Controller under applicable law (LGPD, GDPR, CCPA).
  • WASViking LLC, acting as the Data Processor (Processor or Operador), processing personal data only per Customer’s instructions.
2. Definitions
  • Controller, Processor, Personal Data, Processing per LGPD/GDPR/CCPA.
  • Subprocessor: third party authorized by WASViking to process data (e.g., AWS, Cloudflare, MongoDB).
  • Applicable Data Protection Law includes LGPD, GDPR, CCPA, and relevant privacy laws.
3. Scope & Purpose

WASViking will process Personal Data only to provide the services as described in the Terms of Service and Privacy Policy, including technical analysis of systems, domains, headers, certificates, and related assets.

4. Processor Obligations

WASViking commits to:

  • Process data only on Controller’s instructions.
  • Implement technical & organizational measures (see section 8).
  • Maintain confidentiality of data and authorize only trained personnel.
  • Assist the Controller with data subject requests (access, deletion, portability).
  • Notify of data breaches without undue delay.
  • Provide audit documents, logs, or evidence upon request.
5. Subprocessors
  • WASViking may appoint subprocessors (e.g., AWS, Cloudflare, MongoDB, OpenAI).
  • Must sign a written agreement ensuring at least equivalent data protection.

    • WASViking maintains an up-to-date list of subprocessors, available at https://wasviking.com/legal/subprocessors or upon request.

  • Customer is notified 30 days before any new subprocessor is added and may object within 10 days on reasonable grounds.
6. International Data Transfers
  • Transfers across borders (e.g., from Brazil/EU to US) are allowed only with adequate safeguards:
    • Standard Contractual Clauses (SCC),
    • EU-US/Swiss-US Data Privacy Framework,
    • or other lawful mechanisms.

No sensitive personal data is transferred or stored as part of WASViking's services.

7. Security Measures

WASViking will maintain robust security, including:

  • Infrastructure: AWS / Cloudflare, TLS 1.2+, WAF, DNS protection.
  • Encryption: Both in transit and at rest (AES-256).
  • Access Controls: MFA, RBAC, JWT authentication.
  • Network Security: SIEM, threat detection, audit logs.
  • DevSecOps: Git versioning, CI/CD, code-review, staging/no-production data.
  • Backups & disaster recovery (RTO/RPO defined).
  • Incident response protocols and routine testing.
8. Data Retention & Deletion

Upon termination or request, WASViking will delete or return all personal data processed, within 10 business days-unless retention is legally required. Any retained data will be securely isolated and protected.

9. Audit Rights
  • Controller may review compliance by requesting logs, documentation, or evidence.
  • Audits must be reasonable, on-site only if essential and after prior notice.
  • Processor remains responsible for subcontractors and their compliance.
10. Data Subject Rights

WASViking will:

  • Notify Controller of any data subject request received.
  • Assist with requests (access, correction, deletion, portability).
  • Act only per Controller’s instruction.
11. Breach Notification

Processor must notify Controller without undue delay upon detection of any incident potentially affecting personal data, including details and remediation plans.

12. Liability & Responsibility
  • WASViking remains responsible for its actions and those of its subprocessors.
  • Controller is responsible for ensuring lawfulness and scope of data processing.
  • Processor will not use data for its own purposes nor retain it after termination.
13. Term & Termination
  • This DPA remains in effect while WASViking processes data for Customer.
  • Confidentiality and data protection obligations survive the DPA termination.
14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Florida, USA, excluding its conflict of laws provisions. This is without prejudice to any mandatory data protection rights under LGPD, GDPR, or other applicable legislation.

15. Contact Information

For DPA requests, subprocessors, logs, audits, or privacy matters:
WASViking LLC
Orlando, FL, USA
[email protected]

Up

2025 © WASViking LLC

Florida, United States