Data Processing Agreement
Last updated: 7 June 2026. This DPA forms part of the engagement agreement between Acta Security and each client.
1. Parties and scope
Data Processor: Acta Security, Avenida da República 1363, 4430-190 Vila Nova de Gaia, Portugal ("Acta" or "we").
Data Controller: the client entity identified in the onboarding submission or engagement agreement ("Client" or "you").
This Data Processing Agreement ("DPA") governs all processing of personal data that Acta carries out on behalf of the Client in connection with the delivery of security services. It applies from the point of onboarding and for the duration of the engagement.
2. Subject matter and nature of processing
Acta processes personal data solely to the extent necessary to deliver the agreed security services, which may include:
- Penetration testing, attack surface mapping and vulnerability assessment of assets the Client controls and has authorised us to test.
- Delivery of written reports, findings and remediation guidance via the client portal.
- Virtual CISO (vCISO) advisory — reviewing policies, programmes and governance documentation that may reference individuals.
- Incident response — analysis of logs, artefacts and communications containing personal data to the extent provided by the Client.
3. Categories of data subjects and personal data
Depending on the engagement scope and materials provided by the Client, processing may involve:
- Client personnel: names, email addresses, roles, system access credentials (in-scope targets only).
- End users of the Client's systems: authentication artefacts, session tokens, or data incidentally observed during testing — limited to what is technically necessary and removed from deliverables unless explicitly required.
- Third-party data: Acta will not retain personal data of individuals beyond what is required to substantiate a finding. We redact PII from reports wherever its inclusion is not necessary to evidence the vulnerability.
4. Processor obligations
Acta shall:
- Process personal data only on the documented instructions of the Client, including with regard to transfers to third countries.
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as set out in Section 7.
- Assist the Client, at the Client's cost, in fulfilling its obligations to respond to data subject rights requests, data protection impact assessments, and supervisory authority consultations.
- Delete or return all personal data upon completion or termination of the engagement, at the Client's choice, within 30 days, and delete existing copies unless EU law requires storage.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections — either directly or through an appointed third-party auditor.
- Inform the Client immediately if any instruction infringes the GDPR or applicable data protection law.
5. Sub-processors
Acta uses the following sub-processors. The Client provides general authorisation for their use. Acta will notify the Client of intended additions or replacements, giving the Client the opportunity to object.
| Sub-processor | Country | Purpose |
|---|---|---|
| Infomaniak Network SA | Switzerland (EU-adequate) | Cloud hosting, email relay, VM infrastructure |
| Cloudflare, Inc. | USA (SCC) | Bot protection (Turnstile) on the client portal |
| Stripe, Inc. | USA (SCC) | Payment processing — Stripe processes billing data as an independent controller for PCI purposes; only the checkout session ID and buyer email are passed to Acta |
| meetergo GmbH | Germany (EU) | Assessment booking — optional; only if a booking is made |
All sub-processors are bound by data processing agreements at least as protective as this DPA.
6. International transfers
Processing takes place primarily within the EU/EEA or Switzerland (Infomaniak). Where sub-processors are based outside the EEA (Cloudflare, Stripe), transfers are made under European Commission Standard Contractual Clauses (SCCs) in accordance with GDPR Article 46(2)(c).
7. Security measures
- Encryption in transit: all portal traffic is TLS 1.2+; no plain-HTTP communication for client data.
- Encryption at rest: database volumes are encrypted; report storage is access-controlled.
- Authentication: passwordless email OTP for portal access; SSH key-only access to infrastructure.
- Secrets management: all credentials are stored in OpenStack Barbican and fetched at runtime — not persisted in configuration files.
- Least privilege: each service runs under its own user/role with minimal permissions.
- Network isolation: the client portal runs on a dedicated VM isolated from the marketing infrastructure; all services bind to loopback and are proxied via nginx.
- Vulnerability management: automated certificate renewal, unattended-upgrades, and fail2ban intrusion prevention.
8. Personal data breach notification
Acta shall notify the Client without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Client data. Notification will be made to the contact email on record and will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. Acta will cooperate fully in any required supervisory authority notification.
9. Duration and termination
This DPA applies for the duration of the engagement and any retention period thereafter. On expiry or termination, Acta will securely delete or return all personal data within 30 days unless a longer retention period is required by Portuguese or EU law, in which case Acta will protect the data and limit processing to what is legally required.
10. Governing law
This DPA is governed by the laws of Portugal. Disputes arising in connection with this DPA are subject to the exclusive jurisdiction of the courts of Portugal, without prejudice to the Client's right to lodge a complaint with its local data protection supervisory authority.
11. Contact
Questions about this DPA or data protection matters: privacy@actasecurity.eu.