A11yWard

Data Processing Addendum

Effective June 1, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and A11yward ("Processor"). It is required reading for EU/EEA/UK/Swiss customers and is also signed on request by US customers needing CCPA / state-privacy commitments.

1. Definitions

Terms used in this DPA have the meaning set out in the GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, the Swiss FADP, or analogous local law as applicable. Capitalized terms not defined here carry the meaning set out in the Terms of Service.

2. Roles and scope

  • You are the Controller of Customer Data processed via the Service.
  • A11yward is the Processor and acts only on your documented instructions.
  • Your instructions are embodied in the configuration of your Service tenancy and these documents.

3. Subject matter, duration, nature, purpose

  • Subject matter: Personal data contained in your account, monitoring configuration, and any personal data incidentally present in scanned page markup.
  • Duration: For the term of the Terms of Service plus the retention periods set out below.
  • Nature and purpose: Crawling the web pages you designate, evaluating them against WCAG criteria, storing and reporting accessibility findings, and providing dashboard access and evidence export.
  • Categories of data subjects: Customer's authorized users (account holders / team members); incidentally, any individuals whose personal data appears in the markup of pages the Customer chooses to scan.
  • Categories of personal data: Account identifiers (name, email, scrypt-hashed password), authentication and session metadata, monitored-site URLs and labels, and any personal data incidentally captured in page-markup snippets within scan results.
  • Out of scope: A11yward does not, in its normal scan path, collect personal data about the Customer's end users. The Service is not designed to process special-category data.

4. Processor obligations

  1. Lawfulness: Process Customer Data only on the Controller's documented instructions and in accordance with applicable law.
  2. Confidentiality: Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.
  3. Security: Implement and maintain the technical and organizational measures listed in Annex A (Security Measures).
  4. Sub-processors: Engage Sub-processors only with general written authorization (Annex B). We will notify Customer of additions at least 30 days in advance and provide a right to object.
  5. Data subject requests: Assist Customer in responding to data subject rights requests within 5 business days.
  6. Assistance: Provide reasonable assistance with DPIAs, prior consultations, and audits under GDPR Art. 28(3)(f).
  7. Breach notification: Notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach.
  8. Deletion: At Customer's option on termination, delete or return all Customer Data, except where retention is required by law.
  9. Audit rights: Make available all information necessary to demonstrate compliance and allow audits, including inspections, on reasonable notice (no more than once per 12 months absent suspected breach).

5. International transfers

Where transfer of Personal Data outside the EEA, UK, or Switzerland is necessary, the parties enter into the appropriate version of the EU Commission's Standard Contractual Clauses (SCCs) (Module 2 — Controller to Processor), incorporated by reference. The UK Addendum and Swiss adaptations apply where relevant. Supplementary technical and organizational measures are described in Annex A.

6. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except for liability under Article 82 GDPR which is determined in accordance with that Article.

Annex A — Security Measures

A11yward implements and maintains the following technical and organizational measures. Measures are stated as they exist today; items we intend to add but have not yet completed are identified as planned, so this Annex never overstates our posture. The live status of our compliance program is published at /security.

  • TLS encryption in transit for all access to the Service
  • Passwords hashed with scrypt; plaintext never persisted
  • Session management via secure cookies; sign-in metadata retained for a limited window
  • SSRF guards on scan targets to prevent the crawler from reaching internal or unauthorized hosts
  • Tenant isolation by organization_id on every record and read path
  • Tamper-resistant handling of scan evidence and account records
  • Principle of least privilege on production infrastructure access
  • EU/EEA data residency for account data, monitoring configuration, and scan results
  • Dependency vulnerability monitoring and timely patching
  • Documented incident-response procedure with a 72-hour breach-notification commitment
  • Planned: independent penetration test and SOC 2 Type II examination (not yet commenced — see /security for current status)

Annex B — Authorized Sub-processors

The current list of Sub-processors authorized to process Customer Data (also published, with the live posture, at /security):

Sub-processor | Purpose | Location | Transfer mechanism
Fly.io (Hash, Inc.) | Cloud hosting, application infrastructure, and primary data storage | EU (Frankfurt) primary | SCCs + DPA
Resend (Hopjump, Inc.) | Transactional email delivery (sign-in, alerts, scan digests) | US | SCCs + DPA
Stripe (Stripe Payments Europe Ltd.) | Payment processing and billing (paying customers only) | Ireland (EU) | DPA

Annex C — Contact for Privacy Matters

Privacy & data protection: deniz@promptward.ai
Security incidents: deniz@promptward.ai

Template notice: This document is provided as a starting point for A11yward customers and prospects. Before relying on it in a paid engagement, have it reviewed by counsel familiar with your jurisdiction (e.g. GDPR, UK DPA 2018, CCPA). Bracketed placeholders [ ] must be filled in.