Data Processing Agreement
Last updated: May 15, 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Elunor (CVR-nr. 46462041), a sole proprietorship registered in Denmark, operating the Sitecheck service (the "Processor", "Sitecheck", "we", "us"). It applies whenever the Processor processes personal data on behalf of the Controller within the meaning of GDPR Art. 28. The DPA does not apply to personal data for which Sitecheck acts as an independent controller (for example billing data, OAuth identity data, and operational logs), which is governed by our Privacy Policy.
By using Sitecheck on behalf of a company, organisation, or other third party — including any use case where you submit URLs, content, or scan configurations that may relate to identifiable natural persons other than yourself — you accept this DPA. If you do not accept it, you must not use Sitecheck on behalf of others.
Definitions
Terms in this DPA carry the meaning given to them in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Controller", "Processor", "Personal Data", "Data Subject", "Processing", "Sub-Processor", and "Personal Data Breach" have the meanings set out in GDPR Art. 4.
Subject Matter, Duration, Nature, and Purpose
- Subject matter: provision of the Sitecheck service — automated website analysis, accessibility scanning, performance and SEO auditing, sitemap and uptime monitoring, and related reporting.
- Duration: this DPA is effective for as long as the Controller maintains an active Sitecheck account or until terminated in accordance with the Terms of Service. Obligations that by their nature should survive (confidentiality, breach handling, deletion) survive termination.
- Nature of processing: collection, storage, retrieval, structuring, transmission, and (when instructed) erasure of personal data necessary to render scan results, store screenshots, generate reports, deliver dashboards, and provide technical support.
- Purpose of processing: solely to deliver the Sitecheck service to the Controller in accordance with the Terms of Service and the Controller's documented instructions.
Categories of Data Subjects and Personal Data
Categories of data subjects
- The Controller's employees, contractors, and authorised users who access Sitecheck
- Visitors to, and other individuals identifiable on, the websites that the Controller submits for scanning (incidental processing — Sitecheck does not target visitor data, but rendered pages and screenshots may contain personal data published on the scanned site)
Categories of personal data
- Account and access data: name, email, hashed password, OAuth identity data (when sign-in via Google/GitHub is used)
- Service data: URLs submitted, scan configurations, scheduled-scan and sitemap settings, uptime monitor configurations
- Scan output: rendered HTML, accessibility reports, performance metrics, screenshots, and security headers captured during a scan. This output may incidentally contain personal data visible on the public surface of the scanned site (e.g., names, email addresses, photos shown on contact pages)
- Support communications: emails and content of support requests
No special categories: Sitecheck is not designed to process special categories of personal data under GDPR Art. 9 (e.g., health, biometric, religious, political data) or criminal-conviction data under Art. 10. The Controller agrees not to use Sitecheck to process such data.
Controller Obligations
- Ensure a lawful basis under GDPR Art. 6 for the processing carried out via Sitecheck
- Provide complete, accurate, and lawful processing instructions to the Processor. Documented instructions are issued via (a) acceptance of this DPA and the Terms of Service, (b) configuration choices made within the Sitecheck application, and (c) written communications to support@sitecheck.dk
- Only submit URLs that the Controller is legally entitled to scan, and only configure monitoring that is permitted by applicable law
- Inform its own data subjects about the processing carried out by Sitecheck, where required by GDPR Arts. 13–14
- Promptly notify the Processor if the Controller becomes aware that processing instructions infringe GDPR or other applicable data protection law
Processor Obligations
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational security measures (see Annex II)
- Respect the conditions on engaging sub-processors set out below and in Annex III
- Assist the Controller, taking into account the nature of the processing and the information available, in responding to data-subject requests and in fulfilling the Controller's obligations under GDPR Arts. 32–36
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless storage is required by Union or Member State law (notably the Danish Bookkeeping Act for billing records)
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits, as set out under "Audits" below
Sub-Processors
The Controller grants the Processor general written authorisation to engage sub-processors to assist in providing the service, subject to the conditions of this clause.
The current list of sub-processors is set out in Annex III and mirrors the third-party services disclosed in our Privacy Policy.
The Processor will provide at least 30 days' prior notice of intended changes to the list of sub-processors by email to the Controller's account email and by updating Annex III. The Controller may object to a proposed sub-processor on reasonable data-protection grounds within 30 days of notice; if an objection cannot be resolved, the Controller may terminate the affected services without penalty for the remainder of the prepaid period.
The Processor shall impose data-protection obligations on each sub-processor that are no less protective than those set out in this DPA, by way of written contract.
International Data Transfers
Where the Processor or its sub-processors transfer personal data outside the European Economic Area (EEA), such transfers will be made on the basis of an adequacy decision under GDPR Art. 45 (including the EU-U.S. Data Privacy Framework where applicable to the recipient) or on the basis of Standard Contractual Clauses adopted by the European Commission under GDPR Art. 46(2)(c). The Controller acknowledges and authorises such transfers as a necessary part of providing the service.
Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The current measures are described in Annex II. The Processor may update Annex II from time to time, provided that no such update materially reduces the overall level of security.
Personal Data Breach Notification
- The Processor shall notify the Controller without undue delay, and in any case no later than 24 hours after becoming aware of a personal data breach affecting the Controller's personal data
- The notification shall include, to the extent then known: the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and to mitigate its possible adverse effects
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay
- The Processor shall reasonably assist the Controller in fulfilling the Controller's notification obligations to the Danish Data Protection Authority (Datatilsynet) under GDPR Art. 33 and, where required, to data subjects under GDPR Art. 34
Assistance with Data-Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III (Arts. 15–22).
Where the Controller can fulfil a data-subject request through Sitecheck's self-service functions — including account-level data export at /api/account/export and account deletion at /api/account/delete — the Controller shall do so. The Processor is not obliged to perform manually a request that the Controller can fulfil through the available self-service functions.
For formal data-subject requests that cannot be handled via self-service, the Processor will respond within 5 working days of receiving the Controller's instruction.
Audits and Documentation
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with GDPR Art. 28, including this DPA, the Privacy Policy, the Terms of Service, and Annex II. On reasonable written request, and no more than once per calendar year, the Processor will respond in writing to a security questionnaire covering the matters in Annex II. The Controller is not entitled to on-site inspection of the Processor's premises or sub-processor infrastructure for security and confidentiality reasons; the Processor will, where available, make third-party audit reports or certifications available in place of on-site audits.
The Controller bears its own costs of conducting any audit and shall reimburse the Processor's reasonable time and expense in responding (charged at the Processor's standard rates), except where an audit reveals material non-compliance by the Processor with this DPA or GDPR, in which case the Processor bears its own costs and refunds the Controller's reasonable costs.
Deletion or Return on Termination
- On termination of the services or written request from the Controller, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, within 30 days
- Backup copies held in encrypted offsite backups will be overwritten in line with the rolling backup retention schedule described in Annex II (maximum 30 days)
- The Processor may retain personal data to the extent and for the period required by Union or Member State law — in particular, billing records (invoices, receipts, Stripe transaction metadata) are retained for 5 years from the end of the relevant accounting year as required by the Danish Bookkeeping Act §10
- The Controller is responsible for exporting any data it wishes to keep before requesting deletion; once deletion is executed it cannot be reversed
Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes the liability of either party for the matters that cannot be limited or excluded under applicable mandatory law (including liability for death or personal injury caused by negligence, for fraud, or for administrative fines imposed directly on a party under GDPR Art. 83).
Assignment
The Processor may assign this DPA together with the Terms of Service to a successor entity in connection with a merger, acquisition, restructuring, or change of control (including any conversion of Elunor from a sole proprietorship to a limited-liability company), provided that the successor assumes the obligations under this DPA in writing. The Controller may not assign this DPA without the Processor's prior written consent, except to an affiliate or successor of substantially all of the Controller's business.
Survival
Clauses that by their nature should survive termination of this DPA — including confidentiality, the obligations relating to the return or deletion of personal data, breach-notification obligations relating to events occurring during the term, liability, governing law, and dispute resolution — survive termination for as long as the Processor or any sub-processor retains any personal data processed on behalf of the Controller, and as long as required by applicable law.
Governing Law and Jurisdiction
This DPA is governed by Danish law, excluding its conflict-of-law rules. Disputes arising out of or in connection with this DPA shall be subject to the jurisdiction of the Danish courts, with Retten i Odense as the venue, without prejudice to the data subject's right to bring proceedings in their place of residence.
Changes to this DPA
The Processor may update this DPA from time to time to reflect changes in law, regulatory guidance, or processing arrangements. Material changes will be notified to the Controller by email and through the Sitecheck application at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised DPA.
Annex I — Details of Processing
- Categories of data subjects: as set out in section "Categories of Data Subjects and Personal Data" above
- Categories of personal data: as set out in section "Categories of Data Subjects and Personal Data" above
- Sensitive data: not processed (see exclusion above)
- Frequency of processing: continuous for the duration of the service
- Nature of processing: automated scanning, storage, rendering, reporting, transmission, and on-instruction deletion
- Purpose of processing: provision of the Sitecheck service in accordance with the Terms of Service
- Duration of processing: for the duration of the Controller's account plus the retention periods specified in the Privacy Policy and in section "Deletion or Return on Termination"
Annex II — Technical and Organisational Security Measures
The Processor implements the following technical and organisational measures (TOM) to protect personal data:
Technical measures
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for database and backups
- Salted password hashing via Supabase Auth (Argon2/bcrypt)
- Postgres Row-Level Security enforcing per-user data isolation
- Service-role keys held server-side only; never exposed to the browser
- Multi-factor authentication required for administrative access to production systems
- Automated daily backups with maximum 30-day retention; backups encrypted at rest
- Network controls: HTTPS-only endpoints, restricted database access, rate limiting on public APIs
- Dependency vulnerability scanning and prompt patching of critical CVEs
- Application logs retained for 30 days for incident investigation
Organisational measures
- Access to production data restricted to authorised personnel on a need-to-know basis
- Confidentiality obligations imposed on all personnel and sub-processors
- Documented procedures for incident response and breach notification (24-hour Controller notification SLA)
- Documented procedures for data-subject request handling
- Annual review of this DPA and Annex II
- Sub-processor due diligence prior to engagement
Annex III — List of Sub-Processors
The current sub-processors, their role, the data they process, and their location are as follows:
- Supabase Inc. — authentication, Postgres database, file storage. EU (Frankfurt). DPA in place.
- PostHog Inc. — EU Cloud — opt-in product analytics. EU. DPA in place.
- Resend, Inc. — transactional email delivery (auth, billing, uptime alerts). DPA in place.
- BlitzBrowser — hosted headless-Chrome rendering used to fetch and inspect URLs submitted for scanning.
- Vercel Inc. — application hosting and edge delivery. US, transfers covered by SCCs. DPA in place.
- Hetzner Online GmbH — server infrastructure and S3-compatible object storage for scan artefacts. EU (Germany/Finland). DPA in place.
Stripe, Google (OAuth and PageSpeed Insights), and GitHub are not sub-processors under this DPA — they act as independent controllers for the processing they perform. They are nonetheless disclosed in our Privacy Policy in the interest of transparency.
Contact
For any questions relating to this DPA, including requests for sub-processor change notifications, security questionnaires, or breach correspondence, contact us at:
Email: support@sitecheck.dk