Data Processing Agreement
Last updated: 6 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Pipelit Ltd ("Processor", "we") and the customer ("Controller", "you") for the provision of Scanner Pro and related services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, as defined in UK GDPR Article 4(2).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of processing
The Processor processes Personal Data solely to provide the Scanner Pro service, including:
| Data category | Data subjects | Purpose | Retention |
|---|---|---|---|
| Account data (name, email) | Customer team members | Authentication, communication | Duration of account + 30 days |
| Scan results | N/A (no personal data of website visitors) | Compliance analysis | Duration of account |
| Fix ticket data | Customer team members (names in audit trail) | Workflow tracking | Duration of account |
| GTM configuration data | N/A (tag configuration only) | Compliance comparison | Duration of connection |
| AI query context | N/A (scan data, no visitor PII) | AI compliance guidance | Not persisted beyond the query |
3. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Security & Data)
- Not engage a Sub-processor without prior written authorisation from the Controller
- Assist the Controller in responding to data subject rights requests
- Delete or return all Personal Data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow audits
- Notify the Controller without undue delay (and within 72 hours) of any Personal Data breach
4. Sub-processors
The Processor currently uses the following Sub-processors:
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Anthropic | AI processing (Revelio) | United States | Scan context for AI queries (no visitor PII) |
| Stripe | Payment processing | United States | Payment method, billing address |
| | GTM OAuth integration | United States | OAuth tokens, GTM configuration |
| Smartproxy | UK residential proxy | Lithuania | Target URL only (no personal data) |
The Controller is deemed to have authorised the above Sub-processors. The Processor will notify the Controller before adding or replacing Sub-processors, providing the Controller an opportunity to object.
5. International transfers
Where Personal Data is transferred outside the UK, the Processor ensures appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as applicable.
6. Security measures
- Encryption in transit (TLS) and at rest
- Secure password hashing (scrypt with random salt)
- Cryptographic session tokens
- Role-based access control (Admin, DPO, Implementer)
- OAuth 2.0 for third-party integrations with minimal scopes
- Immutable audit log of all actions
- No public database access
Full details at pipelit.co.uk/security.
7. Data subject rights
The Processor shall assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by UK GDPR.
8. Breach notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. Term and termination
This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor shall delete all Personal Data within 30 days unless retention is required by applicable law.
10. Governing law
This DPA is governed by the laws of England and Wales and supplements the main Terms of Service.
11. Contact
For DPA queries, data subject requests, or breach notifications:
Email: lalarukh@pipelit.co.uk
To execute this DPA: If you require a countersigned copy of this DPA, email lalarukh@pipelit.co.uk with your company name, signatory name, and title. We will return a signed copy within 2 business days.