Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service between you (“Controller” or “Customer”) and Cyze AS, Norway, Org. No. 932 904 500 (“Processor” or “Vioro”). It takes effect automatically when you accept the Terms of Service and applies to all processing of personal data by Cyze AS on your behalf.
This DPA governs the relationship where Cyze AS acts as Data Processor on behalf of the Customer. Cyze AS’s processing of personal data in its own right as a Data Controller (account data, billing, communications) is addressed in the Privacy Policy.
This DPA implements the requirements of GDPR Article 28 and applies when you use Vioro to monitor websites on which personal data of your end users or clients may be incidentally processed (e.g. domain names identifiable to natural persons, IP addresses visible to monitoring probes).
1. Definitions
Terms used in this DPA have the same meaning as in the GDPR (EU) 2016/679, including: Personal Data, Processing, Data Controller, Data Processor, Data Subject, Personal Data Breach, and Supervisory Authority.
- “Agreement” — these Terms of Service and this DPA
- “Customer Data” — personal data submitted by you to the Service or incidentally processed by Vioro probes on your behalf
- “Sub-processor” — any third party engaged by Cyze AS to process Customer Data
- “Security Measures” — the technical and organisational measures described in Section 7
2. Roles & Scope
Cyze AS acts as Data Processor when it processes personal data on your behalf in the course of providing the monitoring services. You act as Data Controller for such data.
The scope of processing is limited to what is strictly necessary to provide the Service as described in Appendix A below.
3. Processor Obligations
Cyze AS undertakes to:
- Process Customer Data only on your documented instructions and in accordance with this DPA and applicable law. If Cyze AS believes an instruction infringes applicable data protection law, it will promptly notify you.
- Ensure that all persons authorised to process Customer Data are bound by confidentiality obligations.
- Implement and maintain the Security Measures described in Section 7.
- Assist you, to the extent possible, in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection).
- Assist you in fulfilling your obligations under GDPR Art. 32–36, including security obligations, breach notification, and Data Protection Impact Assessments where applicable.
- Not transfer Customer Data outside the EEA without your prior consent, except as covered by Section 6 (Sub-processors).
- Make available to you all information reasonably necessary to demonstrate compliance with this DPA and permit audits as described in Section 9.
- Notify you without undue delay upon becoming aware of a personal data breach affecting Customer Data (see Section 8).
4. Controller Obligations
You warrant that:
- You have a valid legal basis for any personal data you submit to or configure within the Service.
- You will not submit special category data (GDPR Art. 9) or data of children under 16 to the Service.
- You have provided any required notices to, and obtained any required consents from, the individuals whose data is involved.
- You are responsible for your own compliance with applicable data protection law regarding the data you collect and control.
5. Sub-processors
You provide a general authorisation for Cyze AS to engage the sub-processors listed at vioro.io/legal/subprocessors/.
Cyze AS will notify you of any new or replacement sub-processor at least 10 days in advance, by updating the sub-processors page and sending a notification to the email address on your account. If you have a reasonable, documented objection to a new sub-processor, notify us at within the 10-day window. We will work with you in good faith to address the objection. If the objection cannot be resolved and the sub-processor is necessary to provide the Service, you retain the right to terminate your subscription.
Cyze AS remains fully responsible for the acts and omissions of its sub-processors as if they were its own.
6. International Transfers
Customer Data is processed within the EU/EEA. Where a sub-processor is subject to non-EEA jurisdiction (e.g. Google’s US parent entity), transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented by technical measures (encryption in transit and at rest).
Cyze AS will not transfer Customer Data to a country without an EU adequacy decision except under SCCs or another approved transfer mechanism.
7. Security Measures
Cyze AS implements the following technical and organisational measures, in accordance with GDPR Art. 32:
- Encryption in transit: TLS 1.3 for all data in transit
- Field-level encryption: Sensitive data fields are encrypted at the field level
- Access control: Principle of least privilege; MFA required for all administrative access; access is restricted to authorised personnel of Cyze AS who require it to perform their duties
- Infrastructure resilience: Data is replicated across distributed storage nodes to ensure resilience and availability; 99.9% backup durability
- Vulnerability management: Routine penetration testing and dependency CVE scanning
- Availability: 99.5% monthly uptime SLO; Netcup infrastructure in Germany, EU
These measures will be reviewed and updated in line with technological developments and the risk profile of the Service.
8. Personal Data Breaches
Cyze AS will notify you without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data. Notification will be sent to the email address on your account and will include:
- A description of the nature of the breach (categories and approximate number of data subjects and records affected)
- The likely consequences of the breach
- Measures taken or proposed to address the breach
You are responsible for notifying your own supervisory authority and affected data subjects where required by law.
9. Audit Rights
Upon your written request (with at least 10 days’ notice), Cyze AS will make available the information necessary to demonstrate compliance with this DPA. You may also request, no more than once per year, an audit or inspection of Cyze AS’s processing facilities and records. Such audits will be conducted at your cost, during normal business hours, and in a manner that minimises disruption.
10. Deletion & Return of Data
Upon termination of the Agreement, Cyze AS will delete all Customer Data within 30 days, except where retention is required by law. A secure deletion confirmation will be provided upon request.
Anonymised and aggregated derivatives (non-attributable statistical data) may be retained indefinitely for internal service improvement.
11. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service (Section 6). To the extent required by GDPR, both parties may be held liable for damages caused by processing that infringes this DPA or the GDPR, according to their respective responsibilities.
12. Governing Law
This DPA is governed by Norwegian law, consistent with the Terms of Service.
13. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to the processing of personal data.
Appendix A: Details of Processing
| Item | Description |
|---|---|
| Subject matter | Website monitoring services (uptime, TLS, broken links, security scanning) |
| Duration | For the term of the Agreement |
| Nature of processing | Storage, retrieval, automated scanning, alerting, aggregation, analysis |
| Purpose | To provide the monitoring services contracted by the Customer |
| Categories of personal data | Domain names (if identifiable to a natural person), URLs, IP addresses of monitored servers, account identifiers |
| Categories of data subjects | Customer’s account users; end users of Customer’s monitored websites (incidentally, via probe data) |
| Retention | Per the Privacy Policy: probe data 30 days rolling; account data active term + 6 years (bookkeeping) |
This DPA is incorporated by reference into the Terms of Service and takes effect upon account creation.
Last updated: 2026-04-06
Previous versions: vioro.io/legal/archive/