DRAFT - REQUIRES LEGAL REVIEW
Effective Date: March 7, 2026
This Data Processing Agreement ("DPA") is entered into between SMK SOFTWARE LLC ("Processor") and the customer identified in the applicable Service Agreement ("Controller") and forms part of the Terms of Service governing the use of the GuardLane platform and services ("Service").
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR) and other applicable Data Protection Laws.
1. Definitions
Terms used in this DPA have the meanings set forth below or as defined in the GDPR:
- "Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of the Service, this is typically the customer (you).
- "Processor" means SMK SOFTWARE LLC, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and other relevant legislation.
- "Service Agreement" means the Terms of Service or other agreement governing the use of the GuardLane Service.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws.
2. Scope and Relationship of the Parties
2.1 Roles and Responsibilities
- Controller Responsibilities: The Controller determines the purposes and means of processing Personal Data. The Controller is responsible for ensuring that it has a lawful basis for processing and that it complies with all applicable Data Protection Laws.
- Processor Responsibilities: The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions as set out in this DPA and the Service Agreement.
2.2 Scope of Processing
This DPA applies to the processing of Personal Data by the Processor in connection with the provision of the Service, including but not limited to:
- User account information (names, email addresses)
- Project and team member data
- Audit reports and security findings
- Usage analytics and logs
- Communications and support interactions
2.3 Controller Instructions
The Processor will process Personal Data only in accordance with the Controller's documented instructions, which include:
- This DPA and the Service Agreement
- Use of the Service features and functionality as intended
- Written instructions provided by the Controller via email or support channels
- Configuration settings and permissions set by the Controller
The Processor will immediately inform the Controller if, in the Processor's opinion, an instruction violates Data Protection Laws.
3. Processing Details
3.1 Nature and Purpose of Processing
Nature of Processing:
- Collection, storage, retrieval, analysis, and deletion of Personal Data
- Automated security audit processing
- AI-powered analysis and recommendation generation
- Team collaboration and access management
Purpose of Processing:
- To provide the GuardLane Service as described in the Service Agreement
- To enable security auditing, reporting, and remediation guidance
- To facilitate team collaboration on projects
- To provide customer support and service improvements
3.2 Duration of Processing
Processing will continue for the duration of the Service Agreement and for the retention period specified in the Privacy Policy (typically 90 days after account closure, unless legal obligations require longer retention).
3.3 Types of Personal Data
Personal Data processed may include:
- Identity Data: Names, usernames, email addresses
- Contact Data: Email addresses, notification preferences
- Account Data: Passwords (stored only as bcrypt hashes, never in plaintext or in a reversibly encrypted form), authentication tokens, subscription details
- Technical Data: IP addresses, browser types, device information, usage logs
- Project Data: Project names, repository metadata, team member roles
- Audit Data: Security findings, code snippets (for context), vulnerability reports
- Communication Data: Support tickets, feedback, survey responses
3.4 Categories of Data Subjects
Data Subjects may include:
- Controller's employees, contractors, and authorized users
- Controller's customers or end-users (if audit data includes their information)
- Project collaborators and team members
3.5 Special Categories of Data
The Processor does not intentionally process special categories of Personal Data (e.g., health data, biometric data, racial or ethnic origin). If the Controller's code repositories or audit data inadvertently contain such data, the Controller must notify the Processor immediately and ensure appropriate safeguards are in place.
4. Security Obligations
4.1 Security Measures
The Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Secure password hashing (bcrypt)
- Multi-factor authentication (2FA/TOTP)
- Role-based access control (RBAC)
- Automated vulnerability scanning and patching
- Firewalls, intrusion detection, and DDoS protection
- Isolated environments (development, staging, production)
- Regular security testing and penetration testing
Organizational Measures:
- Employee background checks and confidentiality agreements
- Security awareness training for all staff
- Incident response and business continuity plans
- Data minimization and pseudonymization where feasible
- Logging and monitoring of access to Personal Data
- Regular audits and compliance reviews
4.2 Security Certifications and Audits
The Processor does not currently hold any third-party security certification (for example, SOC 2 or ISO 27001). The Processor does maintain the following independent assurance activities:
- Annual penetration testing by third-party security firms
- Alignment with industry best practices (OWASP, NIST)
The Controller may request evidence of compliance (e.g., audit reports, certifications) once per year, subject to reasonable confidentiality agreements.
4.3 Confidentiality
The Processor ensures that all personnel authorized to process Personal Data:
- Are subject to confidentiality obligations (contractual or statutory)
- Receive appropriate training on data protection
- Have access only to Personal Data necessary for their role (principle of least privilege)
4.4 Testing and Updating
The Processor will:
- Regularly test, assess, and evaluate the effectiveness of security measures
- Update security measures to address new threats and vulnerabilities
- Notify the Controller of any material changes to security practices
5. Sub-processors
5.1 General Authorization
The Controller provides general authorization for the Processor to engage Sub-processors to assist in providing the Service, subject to the conditions set out in this Section 5.
5.2 List of Sub-processors
The Processor currently engages the following Sub-processors:
| Sub-processor | Service Provided | Location | Data Transferred |
|---|---|---|---|
| Firebase (Google) | Authentication, email verification, 2FA | Global (EU data residency available) | Email, name, authentication tokens |
| Paddle | Payment processing, subscription management | UK, EU | Email, name, billing information |
| Anthropic | AI model inference for security audit analysis (Claude Opus 4.6, Claude Sonnet 4.6) | San Francisco, United States | Source code submitted for audit, repository metadata |
| OpenAI | AI model inference for security audit analysis (GPT via GitHub Copilot/Codex) | San Francisco, United States | Source code submitted for audit, repository metadata |
| Google (Gemini) | AI model inference for security audit analysis (Gemini 3.1 Pro via Copilot) | Mountain View, United States | Source code submitted for audit, repository metadata |
| Zhipu AI / z.ai | AI model inference for security audit analysis (GLM-5) | Beijing, China | Source code submitted for audit, repository metadata |
| Railway (Brex Inc.) | Cloud hosting (backend, frontend, PostgreSQL, Redis) | San Francisco, United States | All Service data (user accounts, source code during processing, audit results, database contents) |
| Resend (Resend Inc.) | Transactional email delivery | San Francisco, United States | Recipient email addresses, email content |
Note on AI Sub-processors: All AI Sub-processors receive source code and repository metadata solely for the purpose of security analysis. Under the Processor's agreements with those providers, submitted data is not used to train their models.
Important Notice Regarding Zhipu AI: Zhipu AI is based in the People's Republic of China. China does not have an EU adequacy decision. Data transfers occur under Standard Contractual Clauses. EU customers should be aware their code may be processed in China.
Updated List: An up-to-date list of Sub-processors is available at https://guardlane.io/legal/sub-processors or upon request to support@guardlane.io.
5.3 Sub-processor Requirements
The Processor ensures that all Sub-processors:
- Are bound by written agreements that impose data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only for the purposes specified by the Processor
- Allow the Processor and Controller to audit their compliance
- Notify the Processor of any data breaches or security incidents
5.4 Changes to Sub-processors
- Notice: The Processor will notify the Controller of any intended changes (addition or replacement) of Sub-processors at least 30 days in advance.
- Notification Method: Via email to the Controller's registered email address and/or through the Service dashboard.
- Objection: The Controller may object to a new Sub-processor on reasonable grounds relating to data protection within 14 days of notification.
- Resolution: If the Controller objects, the parties will work in good faith to resolve concerns. If resolution is not possible, the Controller may terminate the Service Agreement without penalty.
5.5 Liability
The Processor remains fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.
6. Data Subject Rights
6.1 Assistance with Requests
The Processor will assist the Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure ("right to be forgotten") (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
6.2 Self-Service Tools
The Processor provides self-service tools within the Service to enable the Controller to:
- Access and export Personal Data
- Correct or update Personal Data
- Delete Personal Data and close accounts
- Manage user permissions and access
6.3 Requests Received by Processor
If the Processor receives a request from a Data Subject directly (e.g., via email or support channel):
- The Processor will promptly forward the request to the Controller (within 2 business days)
- The Processor will not respond to the Data Subject without the Controller's prior written authorization
- The Controller is responsible for verifying the identity of the Data Subject and responding to the request
6.4 Assistance Fees
Assistance with Data Subject requests is generally provided at no additional charge. If a request requires substantial effort beyond normal Service functionality (e.g., custom data extraction, manual processing), the Processor may charge reasonable fees at its standard rates. The Processor will notify the Controller of any fees before incurring them.
7. Personal Data Breach Notification
7.1 Notification to Controller
In the event of a Personal Data breach, the Processor will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to meet its obligations to notify Supervisory Authorities and Data Subjects under Data Protection Laws
7.2 Breach Information
The breach notification will include, to the extent known:
- Nature of the breach: Description of the incident, categories and approximate number of Data Subjects and Personal Data records affected
- Consequences: Likely consequences of the breach
- Mitigation: Measures taken or proposed to address the breach and mitigate its effects
- Contact: Contact point for further information (DPO or security team)
7.3 Investigation and Remediation
The Processor will:
- Investigate the breach and take appropriate measures to remediate and prevent recurrence
- Provide regular updates to the Controller on investigation progress
- Cooperate with the Controller and Supervisory Authorities in investigating and resolving the breach
- Preserve evidence and logs relevant to the breach
7.4 Controller's Obligations
The Controller is responsible for:
- Assessing whether the breach requires notification to Supervisory Authorities (within 72 hours under GDPR Article 33)
- Notifying affected Data Subjects if the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34)
- Determining the content and timing of notifications
7.5 No Admission of Liability
Notification of a breach does not constitute an admission of fault or liability by the Processor.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Assistance with DPIA
If required by Data Protection Laws, the Processor will provide reasonable assistance to the Controller in conducting a Data Protection Impact Assessment (DPIA), including:
- Providing information about the nature, scope, and purposes of processing
- Describing the technical and organizational security measures implemented
- Assessing risks to Data Subjects' rights and freedoms
8.2 Prior Consultation
The Processor will assist the Controller in consulting with Supervisory Authorities if a DPIA indicates high risk and the Controller is required to consult under GDPR Article 36.
8.3 Fees
Assistance beyond providing standard documentation may be charged at the Processor's standard rates. The Processor will notify the Controller of any fees in advance.
9. Deletion and Return of Personal Data
9.1 Post-Termination Obligations
Upon termination or expiration of the Service Agreement, or upon the Controller's written request, the Processor will:
Option 1 - Deletion (default):
- Delete all Personal Data processed on behalf of the Controller within 90 days of termination
- Purge Personal Data from backup media as those backups rotate out, within a maximum of 90 days (see Section 9.2)
- Provide written certification of deletion upon request
Option 2 - Return:
- Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON, CSV)
- Delete all remaining copies after return
- The Controller must request return within 30 days of termination
9.2 Exceptions
The Processor may retain Personal Data to the extent:
- Required by applicable law (e.g., financial records, audit logs)
- Necessary to defend against legal claims
- Stored in backup systems that are immutable for a defined retention period (maximum 90 days)
Retained data will continue to be subject to this DPA and will be deleted at the earliest opportunity.
9.3 Export Before Termination
The Controller is responsible for exporting any required data before termination using the Service's data export functionality. The Processor is not liable for data loss after the retention period expires.
10. Audits and Inspections
10.1 Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:
Audit Frequency:
- Once per year under normal circumstances
- More frequently if required by a Supervisory Authority or in response to a suspected breach
Audit Scope:
- Review of security measures and data protection practices
- Inspection of relevant documentation, policies, and procedures
- Interviews with authorized personnel
Audit Methodology:
- On-site inspections (with reasonable advance notice, typically 30 days)
- Document reviews and questionnaires
- Third-party audit reports, where held (currently penetration test reports only; see Section 4.2. SOC 2 or ISO 27001 reports will be made available if and when obtained)
10.2 Third-Party Audits
The Controller may engage a third-party auditor, subject to:
- Prior written approval by the Processor (not to be unreasonably withheld)
- Execution of a confidentiality agreement acceptable to the Processor
- Reasonable scheduling and scope limitations to avoid disrupting the Processor's operations
- The Controller bearing all costs of the third-party audit
10.3 Alternative to On-Site Audits
As an alternative to on-site audits, the Processor may provide:
- Current third-party audit reports (e.g., SOC 2 Type II), where held; see Section 4.2
- Security certifications (e.g., ISO 27001), where held; see Section 4.2
- Completed security questionnaires
- Written attestations of compliance
10.4 Costs
The Processor will bear the cost of providing documentation and reasonable assistance. If audits require substantial Processor resources (e.g., on-site inspections exceeding 2 days), the Processor may charge reasonable fees at its standard rates.
10.5 Remediation
If an audit reveals non-compliance with this DPA, the Processor will:
- Promptly remediate identified issues
- Provide a remediation plan with timelines
- Verify remediation through follow-up audits (at no additional charge)
11. International Data Transfers
11.1 Data Transfer Locations
Personal Data may be transferred to and processed in the following locations:
- European Union, Armenia, United States, and China
- Data center locations: United States and China (for Zhipu AI processing only)
Source code and repository metadata are processed by AI sub-processors in the United States (Anthropic, OpenAI, Google) and China (Zhipu AI). See Section 5.2 for the complete sub-processor list.
11.2 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), UK, or Switzerland to countries without an adequacy decision, the Processor relies on the following safeguards:
Standard Contractual Clauses (SCCs):
- The Processor implements EU Standard Contractual Clauses (2021/914) as approved by the European Commission
- The SCCs are incorporated by reference into this DPA and apply to all transfers of Personal Data to third countries, using the module appropriate to the parties' roles (Module Two, controller to processor, for transfers from the Controller to the Processor; Module Three, processor to processor, for onward transfers from the Processor to Sub-processors)
Adequacy Decisions:
- Where the EU Commission has issued an adequacy decision for the recipient country, transfers are permitted without additional safeguards
Additional Safeguards:
- Encryption in transit and at rest
- Access controls limiting access to authorized personnel
- Contractual restrictions on Sub-processors
- Regular security audits and compliance reviews
11.3 UK and Swiss Transfers
For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner's Office, applies. For transfers from Switzerland, the EU SCCs apply with the amendments recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including references to the Swiss Federal Act on Data Protection and to the FDPIC as the competent Supervisory Authority.
11.4 Data Subject Rights
Data Subjects have enforceable rights as third-party beneficiaries under the Standard Contractual Clauses, including the right to:
- Obtain a copy of the SCCs
- Bring a claim against the Processor or Sub-processors
- Seek remedies for violations of the SCCs
11.5 Changes in Law
If laws in the Processor's or Sub-processor's jurisdiction materially affect the ability to comply with this DPA or SCCs:
- The Processor will promptly notify the Controller
- The parties will work in good faith to implement additional safeguards
- If compliance is not possible, the Controller may suspend data transfers or terminate the Service Agreement
12. Liability and Indemnification
12.1 Allocation of Liability
Each party is liable for damages caused by its failure to comply with obligations under this DPA and applicable Data Protection Laws, subject to the limitations of liability set out in the Service Agreement.
12.2 Chain Liability (GDPR Article 82)
Under GDPR Article 82:
- Both Controller and Processor may be held liable for damages caused by processing that violates Data Protection Laws
- A party that has paid full compensation may recover from other responsible parties the portion attributable to their liability
12.3 Indemnification
The Processor will indemnify the Controller against:
- Fines and penalties imposed by Supervisory Authorities resulting solely from the Processor's violation of this DPA
- Third-party claims resulting from the Processor's breach of this DPA
This indemnification is subject to:
- Prompt written notice of the claim
- The Processor's right to control the defense and settlement
- The Controller's reasonable cooperation in the defense
12.4 Limitations
Indemnification does not apply to:
- Claims arising from the Controller's instructions or misuse of the Service
- Claims arising from the Controller's failure to comply with Data Protection Laws
- Claims to the extent caused by the Controller's negligence or willful misconduct
12.5 Caps and Exclusions
Liability under this DPA is subject to the limitations and exclusions set out in the Service Agreement, except where prohibited by law.
13. Term and Termination
13.1 Term
This DPA takes effect on the Effective Date and continues for the duration of the Service Agreement.
13.2 Survival
The following provisions survive termination of this DPA:
- Data deletion and return obligations (Section 9)
- Confidentiality obligations (Section 4.3)
- Liability and indemnification (Section 12)
- Any provisions necessary to give effect to the rights and obligations of the parties
13.3 Effect of Termination
Upon termination:
- The Processor will cease processing Personal Data (except as required for deletion/return)
- The Processor will delete or return Personal Data as specified in Section 9
- The Controller's payment obligations for services rendered before termination remain in effect
14. Miscellaneous
14.1 Precedence
In the event of a conflict between this DPA and the Service Agreement, this DPA prevails with respect to data protection matters.
14.2 Amendments
This DPA may be amended:
- By mutual written agreement of the parties
- By the Processor to comply with changes in Data Protection Laws (with 30 days' notice)
14.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect. The parties will negotiate in good faith to replace the invalid provision with a valid provision that achieves the same purpose.
14.4 Governing Law
This DPA is governed by the same law as the Service Agreement, except where Data Protection Laws require otherwise.
14.5 Notices
All notices under this DPA must be in writing and sent to:
To the Processor: SMK SOFTWARE LLC 38 Shengavit Street, Apartment 8, Shengavit District, 0050 Yerevan, Armenia Email: support@guardlane.io
To the Controller: The email address registered with the Service
15. Contact Information
For questions about this DPA or data protection matters:
Data Protection Officer (Mikhail Kuznetsov): Email: support@guardlane.io Response Time: Within 7 business days
Legal Department: Email: support@guardlane.io
Supervisory Authority Contact (if applicable): Not applicable
AGREED AND ACCEPTED:
By using the GuardLane Service, the Controller agrees to the terms of this Data Processing Agreement.
For the Processor: SMK SOFTWARE LLC
For the Controller: As identified in the Service Agreement
Effective Date: March 7, 2026
Annexes:
- Annex A: Details of Processing (see Section 3)
- Annex B: List of Sub-processors (see Section 5.2 and https://guardlane.io/legal/sub-processors)
- Annex C: Technical and Organizational Security Measures (see Section 4.1)
- Annex D: Standard Contractual Clauses (EU SCCs 2021/914) - incorporated by reference
Last Updated: March 7, 2026