Data Processing Agreement

Last updated: April 8, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Controller”) and WADA BV (“Processor”) for the use of SweepHound. This DPA applies to the extent that WADA BV processes personal data on your behalf in connection with the service.

Definitions

• Controller — You, the customer, who determines the purposes and means of processing personal data through the use of SweepHound.
• Processor — WADA BV, which processes personal data on behalf of the Controller in connection with the SweepHound service.
• Personal Data — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
• Sub-Processor — A third party engaged by the Processor to process personal data on behalf of the Controller.

Scope of Processing

The personal data processed under this DPA falls into two categories:

• Personal data contained in scanned pages — When SweepHound scans your website, the HTML content of those pages may contain personal data belonging to your website visitors (names in testimonials, email addresses in contact information, images of identifiable individuals, etc.).
• Account holder data — Name, email address, and account information provided by you when registering for SweepHound.

Processing Details

• Nature of processing — Automated scanning and analysis of web page content for accessibility compliance.
• Purpose — Accessibility auditing, monitoring, and remediation guidance as described in the SweepHound service agreement.
• Types of personal data — URLs, HTML page content, user account information (name, email), and any personal data incidentally present in scanned pages.
• Categories of data subjects — Account holders (you and your authorized users) and website visitors whose personal data appears in scanned pages.
• Duration — For the term of the service agreement, plus any retention period specified in our Privacy Policy.

Controller Obligations

As the Controller, you are responsible for:

• Ensuring you have a lawful basis for processing the personal data contained in the websites you submit for scanning.
• Providing any required notices to data subjects whose personal data may be processed through SweepHound scans.
• Ensuring that your instructions to the Processor comply with applicable data protection law.

Processor Obligations

As the Processor, WADA BV commits to:

• Process personal data only on documented instructions from the Controller, unless required by law.
• Ensure that persons authorized to process personal data have committed themselves to confidentiality.
• Implement appropriate technical and organizational security measures as described in the Security Measures section below.
• Assist the Controller in responding to data subject access requests (DSARs) and other rights requests under the GDPR.
• Assist the Controller in ensuring compliance with obligations related to data protection impact assessments and prior consultation with supervisory authorities.
• At the Controller's choice, delete or return all personal data upon termination of the service, and delete existing copies unless retention is required by law.

Sub-Processors

The Controller provides general authorization for the Processor to engage the following sub-processors:

The Processor will notify the Controller before adding or replacing a sub-processor. The Controller has 30 days from the date of notification to object. If the Controller objects on reasonable grounds and the parties cannot resolve the objection, the Controller may terminate the affected service.

Security Measures

The Processor implements and maintains the following technical and organizational measures:

• Encryption in transit — All data transmitted between clients and the service is encrypted using TLS 1.2 or higher.
• Encryption at rest — Database storage and file storage are encrypted at rest using AES-256.
• Access controls — Access to production systems is restricted to authorized personnel using multi-factor authentication and role-based access controls.
• Regular security updates — Dependencies and infrastructure components are kept up to date with security patches.
• Error monitoring — Application errors are tracked through Sentry with PII scrubbing enabled.
• Secrets management — Sensitive credentials are stored in Infisical, not in application code or environment files.

Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address and mitigate the breach.

Audits

The Processor will make available to the Controller, on reasonable request, all information necessary to demonstrate compliance with this DPA. For Enterprise plan customers, the Processor will allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.

International Transfers

Where personal data is transferred to sub-processors located outside the European Economic Area in countries without an adequacy decision, the transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where necessary.

Term

This DPA is co-terminous with the service agreement between the Controller and the Processor. It takes effect when you begin using SweepHound and remains in effect until the service agreement is terminated and all personal data has been deleted or returned in accordance with this DPA.

Contact

For questions about this DPA or to exercise data protection rights, contact us at contact@sweephound.com.

WADA BV
Belgium