Data Processing Agreement (DPA)
Terms governing how we process personal data on behalf of customers.
Last updated: May 12, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between [Insert Your Full Legal Company Name], located in Santa Cruz de Tenerife, Spain (the “Processor”) and the entity subscribing to the services (the “Customer” or “Controller”).
1. Scope and Roles
Safe in Cyber Space acts as a Data Processor.
We process personal data only under the documented instructions of the Customer to provide domain protection and scanning services.
Paddle acts as an independent Data Controller for subscription billing and payment processing.
Scaleway and Hanko are utilized as sub-processors to support infrastructure and identity management.
2. Subject Matter and Duration
Nature of Processing: Provision of a B2B security SaaS platform, including domain scanning, vulnerability reporting, and threat intelligence.
Data Categories: Identity data (names, emails), technical identifiers (IP addresses), and security metadata of the Customer's authorized users.
Duration: The duration of the processing shall be for the term of the service agreement plus any period until all data is deleted or returned.
3. Sub-processors
The Customer provides a general authorization for the Processor to engage the following sub-processors:
- Scaleway (EU): Cloud infrastructure and data storage (Primary processing in Paris/Amsterdam/Warsaw regions).
- Hanko (EU): Authentication and identity verification services.
- Paddle (Global): Merchant of record and payment processing.
The Processor shall maintain an up-to-date list and notify the Customer of any significant changes to sub-processors.
4. Technical and Organizational Measures (TOMs)
The Processor implements robust security measures including:
- Infrastructure Security: Leveraging Scaleway's ISO 27001 and HDS-certified data centers.
- Data Encryption in Transit: All data moving between the user, the platform, and sub-processors is encrypted using TLS 1.3.
- Advanced Encryption at Rest:
  - Standard data is encrypted at the storage layer.
  - Sensitive customer data subsets (including user and company profile fields, audit metadata, notification integration credentials, and organisation export ZIP archives) are encrypted at the application layer with AES-256-GCM using a dedicated encryption key per customer. In production, each customer key is stored in Scaleway Secret Manager, providing cryptographic isolation between tenants even at the database level. Export downloads use short-lived, one-time signed tokens; encrypted artifacts are deleted after a successful download or retention expiry.
- Access Control: Strict Role-Based Access Control (RBAC) and passwordless authentication via Hanko.
- Monitoring: Continuous security logging, automated vulnerability scanning, and incident response protocols.
5. International Data Transfers
EEA Processing: The primary processing of Customer data (via Scaleway) occurs within the European Economic Area.
Third Countries: For sub-processors located outside the EEA (e.g., Paddle components in the US/UK), the Processor ensures compliance via Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
6. Data Subject Rights
The Processor shall assist the Customer in fulfilling obligations to respond to requests from individuals exercising their rights under GDPR (e.g., access, rectification, or deletion).
7. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Customer without undue delay (within 72 hours where feasible) after becoming aware of the breach.
8. Governing Law and Jurisdiction
This DPA is governed by the laws of Spain. Any disputes shall be subject to the exclusive jurisdiction of the courts of Santa Cruz de Tenerife.
9. Contact
To request a signed copy of this DPA or a full list of technical measures, contact: hello@safeincyber.space.