Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (“DPA”) is entered into between:
- Customer (the legal entity or individual identified in the Vigil account, acting as data controller); and
- ClawNet, incorporated in England & Wales, trading as Vigil (acting as data processor).
This DPA forms part of the Terms of Service between Customer and Vigil and is incorporated into those Terms by reference. In the event of conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters.
Capitalised terms not defined in this DPA have the meanings given in the Terms of Service or, where applicable, in Regulation (EU) 2016/679 (GDPR) or the UK GDPR.
1. Definitions
“Applicable Data Protection Law” means, as relevant to the processing activities described in this DPA:
- Regulation (EU) 2016/679 (EU GDPR) and its implementing legislation in EEA member states;
- The UK GDPR (as defined in the Data Protection Act 2018) and the Data Protection Act 2018;
- Any other applicable national or international data protection laws to which the parties are subject.
“Personal Data” has the meaning given in Applicable Data Protection Law.
“Processing” has the meaning given in Applicable Data Protection Law.
“Sub-processor” means any third party engaged by Vigil to process Personal Data on behalf of Customer in connection with providing the Service.
2. Scope and Purpose
2.1 Scope. This DPA applies where Vigil processes Personal Data on behalf of Customer in the course of providing the Service. This primarily covers Personal Data relating to Customer's authorised employees, team members, and users who are granted access to the Vigil platform under Customer's account (“Authorised Users”).
2.2 Vigil's scope as processor. Vigil acts as a data processor in relation to Personal Data of Authorised Users that Customer directs through the Vigil platform (for example, adding team members' email addresses to a shared account for alert delivery). For its own account management and operational data (e.g., Customer's billing email used for Vigil's own invoicing), Vigil acts as a data controller — see Vigil's Privacy Policy.
2.3 Narrow scope. The processing covered by this DPA is limited: Vigil does not process Customer's end-customer data. The subject matter is Vigil's delivery of security alerts to Authorised Users designated by Customer.
3. Duration
This DPA commences on the date Customer accepts the Terms of Service and continues for the duration of the subscription term, including any renewal periods. It terminates automatically on termination or expiry of the subscription, subject to the post-termination obligations in Section 12.
4. Nature and Purpose of Processing
Vigil processes Personal Data solely to:
- Authenticate and manage Authorised User accounts.
- Deliver vulnerability alerts and service notifications to Authorised Users.
- Maintain authentication logs and service security records.
- Provide customer support in relation to Authorised User accounts.
Vigil shall not process Personal Data for any other purpose unless required by law, in which case Vigil shall (to the extent permitted by law) inform Customer in advance.
5. Types of Personal Data Processed
| Category | Detail |
|---|---|
| Email addresses | Authorised User email addresses used for account login and alert delivery |
| Authentication tokens | Session tokens and password hashes managed by Supabase |
| Usage and access data | IP addresses, user agent strings, authentication event timestamps (90-day retention) |
Vigil does not process special categories of personal data (GDPR Art. 9) or data relating to criminal convictions and offences (GDPR Art. 10) under this DPA.
6. Categories of Data Subjects
The data subjects are Customer's authorised employees, contractors, and team members who are designated by Customer as Authorised Users of the Vigil platform.
7. Controller's Obligations
Customer, as data controller, represents, warrants, and undertakes that:
- It has a valid lawful basis under Applicable Data Protection Law for processing the Personal Data it directs Vigil to process.
- It has provided all required notices to, and (where applicable) obtained any required consents from, Authorised Users in connection with the processing described in this DPA.
- The Personal Data provided to Vigil is accurate and up to date.
- It will promptly notify Vigil of any data subject rights requests relating to Personal Data processed by Vigil under this DPA, and will cooperate with Vigil to fulfil such requests.
- It will comply with all obligations imposed on controllers under Applicable Data Protection Law.
8. Processor's Obligations
Vigil, as data processor, undertakes to:
8.1 Documented instructions
Process Personal Data only on Customer's documented instructions, as set out in this DPA and the Terms of Service. If Vigil is required by law to process Personal Data for another purpose, Vigil will inform Customer (to the extent permitted by law) before carrying out such processing.
8.2 Confidentiality
Ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory).
8.3 Security
Implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, destruction, alteration, or disclosure, in accordance with GDPR Article 32 and equivalent provisions of Applicable Data Protection Law. These measures include, at minimum:
- Encryption of Personal Data in transit (TLS) and at rest (AES-256 via Supabase/AWS).
- Access controls limiting access to Personal Data to personnel who need it to perform the Service.
- Authentication and audit logging.
- Regular review of security measures.
8.4 Sub-processors
Vigil shall not engage new Sub-processors without notifying Customer at least 30 days in advance (by email or via an update to the Sub-processor list), giving Customer a reasonable opportunity to object. Customer's objection to a new Sub-processor must be made in writing within 14 days of notice. If Vigil cannot accommodate the objection, Customer may terminate the subscription with a pro-rata refund for the unused subscription period.
Vigil ensures that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.
8.5 Assistance with data subject rights
Vigil will assist Customer, through appropriate technical and organisational measures and to the extent reasonably practicable, with fulfilling Customer's obligations to respond to data subject rights requests under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
8.6 Data breach notification
Vigil will notify Customer without undue delay, and in any event within 24 hours of becoming aware of a Personal Data breach affecting data processed under this DPA. Notification will be sent to the email address associated with Customer's account and will include, to the extent then known:
- The nature of the breach (categories and approximate number of data subjects and records affected);
- Contact details of Vigil's privacy contact;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach.
Where full information is not available within 24 hours, Vigil will provide available information promptly and supplement it as further details become known (GDPR Art. 33(4)).
Vigil will cooperate with Customer to enable Customer to comply with any statutory breach notification obligation (including GDPR Art. 33 notification to supervisory authorities within 72 hours of Customer becoming aware of the breach).
8.7 Data protection impact assessments
Vigil will provide reasonable assistance to Customer with any data protection impact assessments (DPIAs) and, where required, prior consultation with supervisory authorities, to the extent such assessments relate to processing by Vigil under this DPA.
8.8 Audit cooperation
Vigil will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Applicable Data Protection Law. Vigil will permit Customer (or a third-party auditor appointed by Customer and reasonably acceptable to Vigil) to conduct audits or inspections of Vigil's processing activities under this DPA, on reasonable notice, at Customer's expense, and no more than once per 12-month period, unless a specific data breach or regulatory requirement justifies additional inspection.
Vigil may satisfy audit obligations by providing relevant third-party audit reports (e.g., SOC 2, ISO 27001 where available) in lieu of an on-site audit, where reasonable.
8.9 Deletion on termination
On termination of the subscription, Vigil shall, at Customer's election, either delete or return all Personal Data processed under this DPA within 30 days of termination, and delete existing copies, unless Applicable Data Protection Law requires further retention (in which case Vigil will inform Customer of the retention obligation and retain only the minimum data necessary).
9. Sub-Processors
The current list of Vigil's approved Sub-processors is published at /subprocessors:
| Sub-processor | Purpose | Personal Data | Location |
|---|---|---|---|
| Supabase Inc. | Authentication, database, account storage | Email, password hash, auth tokens, usage logs | US-East (AWS us-east-1) |
| Resend Inc. | Transactional email delivery | Email address, alert content | United States |
| Stripe Inc. | Subscription billing | Billing email, payment method token | United States |
| Railway Corp. | Application hosting | All transient request data | US-West (GCP us-west2) |
| Cloudflare Inc. | DNS, CDN, DDoS protection | IP address, user agent (edge logs) | Global edge; origin US |
Vigil will notify Customer of intended changes to this list (additions or replacements) at least 30 days before any change takes effect.
10. International Transfers
10.1 Transfer mechanisms. Where processing under this DPA involves a transfer of Personal Data outside the UK or European Economic Area (EEA), Vigil relies on the following transfer mechanisms:
(a) EU Standard Contractual Clauses (EU SCCs)
Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor), is incorporated by reference into the agreements between Vigil and each EU/EEA-origin Sub-processor that receives Personal Data. Vigil will maintain completed Annexes I, II, and III (parties, transfer descriptions, and technical/organisational measures) for each such transfer.
(b) UK International Data Transfer Addendum (UK Addendum)
The International Data Transfer Addendum (Version B1.0), issued by the UK Information Commissioner under s. 119A Data Protection Act 2018, is incorporated into Vigil's Sub-processor agreements as an addendum to the EU SCCs, covering UK → third-country transfers.
(c) EU-US Data Privacy Framework (DPF)
Where applicable Sub-processors are certified under the EU-US Data Privacy Framework (and its UK Extension), that adequacy mechanism is used as a primary transfer tool, with EU SCCs + UK Addendum as fallback.
10.2 Request for copies. Customer may request copies of applicable SCCs and Sub-processor DPAs by contacting privacy@vigil.junocode.com.
10.3 Annex availability. Completed Annex I (parties and transfer description), Annex II (technical and organisational measures), and Annex III (sub-processors) are available on request.
11. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to the dispute resolution provisions in the Terms of Service.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. The parties agree that the liability cap in the Terms of Service applies to claims under this DPA.
Where a party is liable to a third party (including a data subject) as a result of a breach caused by the other party, that other party shall indemnify the first party against its liability, to the extent that the breach was caused by that other party's act or omission.
13. Precedence
In the event of any conflict or inconsistency between this DPA and the EU SCCs or UK Addendum as incorporated by reference, the EU SCCs or UK Addendum (as applicable) shall take precedence over this DPA solely to the extent of that conflict, in accordance with the requirements of Applicable Data Protection Law.
For questions about this DPA, contact: privacy@vigil.junocode.com