Data Processing Agreement
Last updated: March 3, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Solustiq Yazilim ve Yapay Zeka Teknolojileri A.S. ("Processor", "we", "us") and you ("Controller", "you", "your"). This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the Vuln0x platform ("Service").
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1) and KVKK Article 3.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
- Sub-processor: A third-party entity engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
2.1 Categories of Data Processed
| Data Category | Examples | Lawful Basis |
|---|---|---|
| Account Data | Name, email address, company name | Contract performance |
| Authentication Data | Hashed passwords, session tokens, OAuth tokens | Contract performance |
| Billing Data | Payment method details (processed by Stripe) | Contract performance |
| Scan Configuration Data | Target URLs, scan types, scheduling preferences | Contract performance |
| Scan Result Data | HTTP headers, technology stack information, vulnerability findings, error messages (which may incidentally contain personal data) | Legitimate interest / Contract |
| Usage Data | IP addresses, browser information, access logs | Legitimate interest |
2.2 Purpose of Processing
Personal Data is processed solely for the following purposes:
- Providing and operating the Vuln0x scanning service.
- Authenticating users and managing accounts.
- Processing subscription payments.
- Generating security scan reports.
- Communicating service updates and security alerts.
- Maintaining platform security and preventing abuse.
3. Data Storage and Location
Data processed through Vuln0x is stored in the following locations:
- Primary Infrastructure: Fly.io — data centers located in the United States.
- Authentication: Supabase — hosted in the United States.
- Payment Processing: Stripe — data processed in the United States and European Union.
Important for Turkish customers (KVKK): By using the Service, you acknowledge that your data will be transferred to and processed in the United States. This constitutes a cross-border data transfer under KVKK Article 9. We ensure adequate protection through contractual safeguards with our sub-processors.
Important for EU/EEA customers (GDPR): Data transfers to the United States are conducted pursuant to Standard Contractual Clauses (SCCs) as approved by the European Commission.
4. Data Retention
- Active Accounts: Data is retained for the duration of your subscription and active use of the Service.
- Account Deletion: When you delete your account, all associated data — including scan results, reports, configurations, and personal information — is permanently deleted within 30 days.
- Billing Records: Transaction records may be retained for up to 7 years to comply with tax and accounting obligations.
- Security Logs: Access and audit logs are retained for 90 days for security and abuse prevention purposes.
5. Sub-processors
The following sub-processors are authorized to process Personal Data on behalf of the Controller:
| Sub-processor | Purpose | Location |
|---|---|---|
| Fly.io | Application hosting and infrastructure | United States |
| Supabase | Database and authentication | United States |
| Stripe | Payment processing | United States / EU |
| Upstash (Redis) | Caching and rate limiting | United States |
| Vercel | Frontend hosting and CDN | Global (edge network) |
We will notify you of any changes to the sub-processor list at least 30 days before the new sub-processor begins processing Personal Data. You may object to a new sub-processor by contacting us at privacy@vuln0x.com.
6. Security Measures
The Processor implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control following the principle of least privilege.
- Regular security assessments and vulnerability scanning.
- Secure software development lifecycle practices.
- Incident response procedures with defined escalation paths.
- Employee security awareness training.
7. Data Subject Rights
We will assist the Controller in fulfilling data subject rights requests under GDPR (Articles 15–22) and KVKK (Article 11), including:
- Right of access to personal data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to data portability.
- Right to restrict processing.
- Right to object to processing.
8. Data Breach Notification
In the event of a personal data breach, the Processor will:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
- Provide details including the nature of the breach, categories of data affected, and remedial actions taken.
- Cooperate with the Controller in notifying relevant supervisory authorities and affected data subjects as required by law.
9. Audit Rights
The Controller may, upon reasonable written notice (at least 30 days), audit the Processor's compliance with this DPA. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations. The Controller bears the cost of any audit.
10. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, the Processor will delete all Personal Data within 30 days, unless retention is required by applicable law.
11. GDPR Article 28 Compliance
This DPA is designed to meet the requirements of GDPR Article 28. The Processor:
- Processes data only on documented instructions from the Controller.
- Ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implements appropriate technical and organizational security measures.
- Assists the Controller with data protection impact assessments where required.
- Deletes or returns all Personal Data upon termination of the agreement.
12. Contact
For questions about this Data Processing Agreement or to exercise data subject rights, contact us at privacy@vuln0x.com.