
Data Processing Agreement

Last Updated: 12 January 2021

These are the terms regulating Detectify’s responsibilities as a data processor for data provided by a data controller. For further terms governing Your Agreement with Detectify please find our Terms of use and our Privacy policy.

These terms constitute a part of the terms of use governing the provision of SaaS services provided by Detectify to You and any applicable Order Form (the “Agreement”), under which the Processor may process certain personal information (“Personal Information”) on behalf of the Controller. The Controller is the data controller in relation to the processing of the Personal Information. The Processor is the data processor.

These terms are between You, the user/customer (below, the “Controller”) and Detectify AB, org.nr. 556985-9084, Medborgarplatsen 25, 11872, Stockholm, Sweden (below, the “Processor”). The Controller and the Processor are separately referred to as “Party” and jointly as the “Parties”.

Instructions

The Processor may only process the Personal Information in accordance with the DPA, applicable data protection legislation (the laws and regulations, including of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) (“Applicable Legislation”) and for providing the Service to the Controller. It is the responsibility and liability of the Controller that its instructions for the processing of Personal Information comply with Applicable Legislation and that the Controller further meets all other obligations of a controller under Applicable Legislation.

The Processor may only process the Personal Information for the purpose and in a manner that is necessary for providing the Service to the Controller and in accordance with this DPA or under specific written instructions from the Controller.

In the event that the Processor believes that any instructions from the Controller violate Applicable Legislation, the Processor shall refrain from acting on such instructions and promptly notify the Controller and await amended instructions.

Security Measures

The Processor shall maintain adequate security measures to ensure that the Personal Information is protected against destruction, modification and proliferation. The Processor shall further ensure that Personal Information is protected against unauthorized access and that access events are logged and traceable.

The Processor shall ensure (i) that only authorized employees who need access to the Personal Information for the fulfillment of the Processor’s rights and obligations under the Agreement have access to the Personal Information, (ii) that the authorized employees process the Personal Information only in accordance with this DPA and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Information.

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and shall take reasonable steps to mitigate the effects of the personal data breach. Furthermore, taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations to (a) document any personal data breach, (b) notify the applicable supervisory authority of any personal data breach and (c) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation.

The Processor’s Obligation To Assist

Taking into account the nature of the processing, the Processor shall assist the Controller with the fulfillment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. Taking into account the nature of processing and the information available to the Processor, the Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR.

Sub-Processors

The Processor may engage third parties to process the Personal Information or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has been informed thereof in writing and not objected in writing 10 days after such information was provided (in which event they are considered approved). This includes technology providers, financial service providers, administrative systems and various tool integrations. They will receive personal information based on the need for the performing of their task. A full list of sub-processors can be found below.

If the Controller objects to such Sub-Processor with documented reasonable cause, then the Processor shall refrain from using such Sub-Processor for the processing of the Personal Information and shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable change to Controller’s configuration or use of the services to avoid processing of data by the objected-to new Sub-Processor without unreasonably burdening the Controller. If such change is not practically or commercially reasonable to make within a reasonable period of time, which shall not exceed thirty (30) days, the Processor shall at its discretion be entitled either to (i) compensation from the Controller for any additional costs incurred by it due to such objection, or, (ii) terminate the Agreement on 45 days’ notice.

When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor.

The Processor shall enter into a written agreement with every Sub-Processor to ensure that the personal data is only processed by the Sub-Processor for the purpose of providing the respective services to the Controller, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.

Transfers to Third Countries

The Processor is entitled to transfer personal data outside the EU/EEA or engage a Sub-Processor to process Personal Information outside of the EU/EEA, provided the Processor has an applicable legal ground for such transfer, such as Standard Contractual Clauses approved by the European Commission. To the extent that the Processor processes personal data in any country outside the EEA or an adequate country, as defined in Applicable Legislation, the parties agree that the standard contractual clauses will apply in respect of that processing and are incorporated within this DPA by reference. In the event that the standard contractual clauses are not sufficient to safeguard the transfer of personal data, the Processor shall implement any additional supplementary, technical, contractual and/or policy measures as may be required to ensure the personal data is protected to a standard equivalent to that afforded by Applicable Legislation. The Processor shall upon the Controller’s request provide documented evidence showing the applicable legal ground for the transfer.

Audit

Upon the Controller’s request, the Processor will once per calendar year provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and this DPA.

If the Controller, despite receiving the information set out above and any additional information provided to Controller, has a legitimate and documented reason to suspect that the Processor does not meet its obligations under Applicable Legislation and this DPA, the Controller shall be entitled on 30 days’ written notice to carry out an audit of the Processor’s processing of the Personal Information and information relevant in that respect. The Processor shall reasonably assist the Controller, disclose any information necessary and provide the access necessary in order for the Controller to carry out such an audit. Each Party shall carry its own costs for such an audit.

If a data protection authority carries out an audit of the Processor which may involve the processing of Personal Information on behalf of the Controller, the Processor shall promptly notify the Controller thereof.

Costs

The Processor shall be entitled to reasonable compensation on a time and material basis for (i) complying with altered or additional instructions issued by the Controller or Applicable Legislation regarding the processing of the Personal Information, and (ii) carrying out its obligations under the obligation to assist. Unless the Parties have agreed on a price list for consultancy services, the Processor shall be compensated in accordance with its applicable price list for consultancy services as amended from time to time.

Confidentiality

The Processor undertakes not to disclose or provide any Personal Information, or any information related to the Personal Information, to any third party. For the avoidance of doubt, any Sub-Processor shall not be considered a third party. This confidentiality obligation will continue to apply also after the termination of this DPA without limitation in time.

Processor may disclose such information if the Processor is obliged hereto by law, judgement by court or by decision by a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.

Limitation of liability

Each Party’s liability for damages under this DPA shall be governed by the terms of use.

If a Party becomes liable to a data subject under Applicable Legislation and the other Party was involved in the same processing which formed basis for the data subject’s claim, the other Party shall (in accordance with Article 82.5 of the GDPR) reimburse the liable Party with the part of the compensation corresponding to the other Party’s part of the responsibility for the damage. In addition, the other Party shall compensate the liable Party for fair and proportionate (in relation to the other Party's liability) costs for defending such claims. Further, a Party subject to a claim from a data subject shall within reasonable time inform the other Party in writing of the claim, if it is likely that claims against the other Party may be made. The other Party shall gain insight into the data subject’s and the Party’s documents in such lawsuit and shall be given the opportunity to comment on this.

For the avoidance of doubt, administrative fines under Article 83 of the GDPR, due to a Party’s breach of its obligations under the GDPR, will be imposed on the offending Party and are not subject to any liability arrangement between the Parties under this DPA.

Return And Deletion Of Data

Upon termination of the Agreement, the Processor shall, on the Controller’s instruction, transfer the Personal Information to the Controller (such transfer to be made in a common machine-readable format). The Processor will erase the Personal Information according to its data retention policy as set out in our privacy policy.

Nature and Purpose of the processing

The purpose of the processing under this DPA is to fulfil the Processor’s obligations under the Agreement.

The nature of the processing is to conduct tests and continuous monitoring (including crawling and penetration of the Controller’s web application as specified in the Order Form) for the purpose of identifying security vulnerabilities and gaps in the Controller’s web applications or web sites in order to maintain the availability, confidentiality and the integrity of the web application or web site.

Description of the processing of personal data

Categories of data subjects: The Controller may submit personal data to the Service to the extent determined by the Controller in its sole discretion, and which may relate to the following categories of data subjects:

  • The Controller’s prospects, customers, business partners and vendors (who are natural persons)
  • The Controller’s employees, agents, advisors, freelancers (who are natural persons)
  • The Controller’s end-users and consumers (who are natural persons)

Personal data that will be processed: The Controller may submit personal data to the Service to the extent determined by the Controller in its sole discretion, and which may include the following categories of personal data:

  • First and last name
  • Employment related information: Title, Position, Employer
  • Contact information: Company, email, phone, physical business address
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Localisation data

Sub-processors

Sub-processor, Amazon Web Services EMEA SARL: 38 avenue John F. Kennedy, L-1855 Luxembourg
Location for processing: Ireland
Type of service: Cloud service platform

Sub-processor, Google Cloud EMEA Limited: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
Location for processing: EU and US (SCCs are applicable to transfers of personal data to sub-processors outside the EU)
Type of service: Cloud service platform
