Data Processing Agreement

Effective: Last updated:

This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or, for self-serve customers, the Terms of Service between Fimil, Inc. (“Fimil,” “Processor”) and the customer (“Customer,” “Controller”). It governs Fimil’s processing of personal data on Customer’s behalf in connection with the Service and applies where Data Protection Laws require such terms. Capitalized terms not defined here have the meaning given in the MSA or Terms of Service.

This is Fimil’s standard DPA template. A counter-signed copy is available to customers on request; for enterprise agreements, the executed order or DPA controls where it conflicts with this page.

1. Definitions

  • “Data Protection Laws” means applicable data-protection and privacy laws, including the EU GDPR, the UK GDPR, and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA).
  • “Personal Data,” “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given in the GDPR (and equivalent terms under other Data Protection Laws).
  • “Subprocessor” means a third party engaged by Fimil to Process Personal Data.
  • “Customer Personal Data” means Personal Data contained in Customer Data that Fimil Processes on Customer’s behalf.

2. Roles of the parties

For Customer Personal Data, Customer is the Controller (or processor acting on behalf of a third-party controller) and Fimil is the Processor (or sub-processor). Under the CCPA/CPRA, Customer is the Business and Fimil acts as a Service Provider. Fimil Processes Customer Personal Data only on Customer’s documented instructions, including as set out in the Terms of Service, this DPA, and Customer’s configuration and use of the Service.

3. Subject matter and details of processing

  • Subject matter & duration — Processing for the duration of the Service term, plus any period required to return or delete data.
  • Nature & purpose — Providing the application-security Service: scanning, autonomous penetration testing, AI-assisted triage and remediation, reporting, billing, support, and securing the Service.
  • Categories of Data Subjects — Customer’s authorized users and administrators, and any individuals whose Personal Data appears within Customer Data (for example, identifiers present in source code, configuration, or a tested application’s responses).
  • Types of Personal Data — Account and contact details; authentication data; usage, log, and audit data including IP addresses; integration credentials; and any Personal Data contained in repositories, findings, or target responses that Customer submits to or generates through the Service. Customer should avoid submitting special-category data except where necessary.

4. Processor obligations

  1. Instructions. Fimil Processes Customer Personal Data only on Customer’s documented instructions and will inform Customer if it believes an instruction violates Data Protection Laws.
  2. Confidentiality. Personnel authorized to Process Customer Personal Data are bound by confidentiality obligations.
  3. Security. Fimil implements appropriate technical and organizational measures as described in our Security Policy, including encryption in transit and at rest, access control and MFA, isolation of scanner workloads, logging and monitoring, and incident response.
  4. Subprocessors. Customer provides general authorization for Fimil to engage Subprocessors listed on our Subprocessors page. Fimil imposes data-protection obligations on each Subprocessor that are no less protective than this DPA and remains responsible for their performance. Before adding or replacing a Subprocessor, Fimil will give notice (by updating the Subprocessors page and, where Customer subscribes to notifications, by email). Customer may object on reasonable data-protection grounds within fourteen (14) days of the notice; absent an objection within that period, the change is deemed accepted. If Customer objects, the parties will work in good faith to resolve it, and if they cannot, Customer may terminate the affected portion of the Service as its exclusive remedy.
  5. Data-breach notification. Fimil will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, consistent with GDPR timelines, and provide information reasonably available to assist Customer’s own obligations.
  6. Assistance with Data-Subject rights. Taking into account the nature of the Processing, Fimil will assist Customer in responding to Data-Subject requests, including via the Service’s data-export and erasure functionality.
  7. DPIAs and consultation. Fimil will provide reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities.

5. International data transfers

Fimil Processes Customer Personal Data in the United States. For transfers of Personal Data from the EEA, Switzerland, or the United Kingdom to a country without an adequacy decision, the parties incorporate by reference the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor) — and, where Customer acts as a processor, Module Three (Processor-to-Processor). For UK transfers, the UK International Data Transfer Addendum to the SCCs applies; for Swiss transfers, the SCCs apply as amended by the Swiss FDPIC. The clauses are completed by the docking information in Schedule 1 (parties and data map) and Schedule 2 (technical and organizational measures), with the optional docking clause enabled, the audit/Subprocessor options consistent with this DPA, and the governing law and forum of the Republic of Ireland (or, for the UK Addendum, the courts of England and Wales). Where the SCCs conflict with this DPA, the SCCs prevail as to the restricted transfer.

6. Audits

Fimil will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party reports and questionnaires where available through the Trust Center. Where Data Protection Laws require an audit right, audits will be conducted on reasonable prior notice, no more than once per year (absent a regulatory requirement or a breach), subject to confidentiality and without disrupting Fimil’s operations or other customers.

7. Return and deletion

Upon termination of the Service, Fimil will, at Customer’s choice, delete or return Customer Personal Data and delete existing copies within thirty (30) days, except to the extent retention is required by law. Penetration-test audit data (records of an Engagement’s requests, outcomes, and redacted evidence) is retained for, and purged at the end of, the configured retention period for the relevant testing policy — 365 days by default — so that test results remain reviewable; Customer may configure a shorter period. Backups are overwritten on their ordinary rotation cycle.

8. CCPA/CPRA terms

As a Service Provider, Fimil will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than performing the Service (or as otherwise permitted by the CCPA/CPRA), and will not combine it with Personal Data from other sources except as permitted. Fimil certifies that it understands and will comply with these restrictions.

9. Liability and order of precedence

The liability provisions of the Master Subscription Agreement (or, for self-serve customers, the Terms of Service) apply to this DPA. If there is a conflict regarding the Processing of Personal Data, this DPA controls over the MSA and the Terms of Service; an executed Order Form controls where it expressly so provides; and the SCCs control as to a restricted transfer.

10. Contact and EU/UK representative

Data-protection inquiries: Ethan Aldrich, Data Protection Officer — dpo@fimil.dev or privacy@fimil.dev.

Where required under Article 27 of the EU GDPR or UK GDPR, Fimil’s designated representative in the EU/UK is: [EU/UK representative — to be appointed]. Until appointed, EU and UK data subjects may contact the Data Protection Officer above.


Schedule 1 — Details of processing and data map

This Schedule completes the SCCs (Annexes I.A–I.B) and serves as the Article 30 record for the Processing under this DPA.

A. Parties. Data exporter: Customer (Controller). Data importer: Fimil, Inc. (Processor), 2093 Philadelphia Pike, Suite #2016, Claymont, DE 19703, USA — contact: dpo@fimil.dev.

B. Categories of Data Subjects.

  • Customer’s authorized users and administrators.
  • Individuals whose Personal Data is contained in Customer’s repositories, configuration, or scan data.
  • Individuals whose Personal Data is incidentally present in the responses of a system Customer authorizes for penetration testing (for example, account data returned by a tested application).

C. Categories of Personal Data.

  • Identity and contact data (name, email, organization).
  • Authentication data (password hashes, encrypted MFA secrets, hashed API tokens).
  • Usage, log, and audit data, including IP addresses, user-agent, and approximate location.
  • Integration and target credentials provided by Customer (stored encrypted).
  • Personal Data contained in source code, findings, and SBOMs.
  • Personal Data and secrets incidentally captured during authorized penetration testing, subject to truncation and automated redaction before retention.

Sensitive/special-category data: Not requested or required. However, because the Service includes an offensive testing agent, Personal Data — and potentially special-category data or secrets — may be incidentally surfaced in the responses of a tested system. This is not a “none” data map. Fimil applies truncation, automated redaction, encryption, access control, and time-bound retention to such data and does not intentionally collect it.

D. Frequency of processing. Continuous, for the duration of the subscription.

E. Nature and purpose. Hosting and operating the application-security platform: scanning, autonomous penetration testing, AI-assisted triage and remediation, reporting, billing, support, and security.

F. Retention. Customer Personal Data: deleted/returned within 30 days of termination, except as required by law. Penetration-test audit data: per-policy retention, 365 days by default.

G. Subprocessors. As listed on the Subprocessors page.

Schedule 2 — Technical and organizational measures

Fimil maintains the measures described in the Security Policy, including at minimum:

  • Encryption — TLS 1.2+ in transit; managed-database encryption at rest plus application-layer encryption (Fernet/AES) of sensitive fields (credentials, tokens, MFA secrets).
  • Access control — role-based access with tenant isolation; Argon2id password hashing; MFA; time-limited, fully audit-logged privileged and support access.
  • Workload isolation — network-isolated, hardened, non-root scanner/agent execution; Kubernetes network policies; runtime monitoring (Falco).
  • Testing-data minimization — response-body truncation and automated PII/secret redaction before evidence is retained; configurable audit retention.
  • Logging and monitoring — audit logging with actor/tenant/IP attribution; security telemetry and alerting.
  • Resilience — nightly backups with offsite storage; documented RTO (4h) / RPO (24h) and disaster-recovery testing.
  • Incident response — documented plan with defined severities and breach-notification procedures aligned to GDPR (72-hour) and CCPA timelines.
  • Supply chain — CI security gates, dependency management, signed images, and SBOMs.