Data Processing Agreement (DPA)

Between the customer (data controller) and Security Guru / ManPro Group AB (data processor).

1. Scope

This DPA applies to all processing of personal data that Security Guru performs on behalf of the customer under the main agreement (purchase of Premium Scan / RAG add-on).

2. What personal data

3. Duration of processing

Processing takes place only during the service period, plus a maximum of 30 days' retention of uploaded documents after report delivery.

4. Sub-processors

| Sub-processor | Function | Region |
|---|---|---|
| Stripe Payments Europe | Payment | Ireland (SCC + DPF) |
| Cloudflare | CDN / Tunnel | EU-edge |
| Hetzner | Hosting | Sweden/Finland |
| JuiceFactory / Z.AI | LLM (RAG) | EU/CN — only text chunks without personal data sent |
| Mailjet | SMTP | EU |

5. Security measures

6. Incident notification

In the event of a personal data breach we will notify the customer within 24 hours and assist with the customer's obligation to report to IMY within 72 hours (GDPR Art. 33).

7. Deletion at end of agreement

Within 30 days of the agreement ending we will delete all customer data, unless otherwise required by law (bookkeeping requirements: 7 years for transactions).

8. Confirmation

This DPA is automatically accepted on first purchase in Stripe Checkout. Written version on request from [email protected].