Data Processing Agreement

Last updated: June 25, 2026

Important: this draft reflects how the product works but has not yet been reviewed by a licensed attorney. Have your own lawyer review it before relying on it in production.

This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies where, in using the Service, you act as a data controller and we act as your processor under Article 28 of the GDPR — for example, where the pages you scan contain personal data of your end users. Where you provide us your own account data, we act as a controller as described in the Privacy Policy.

Roles and scope

You are the controller and we are the processor for personal data contained in the pages, screenshots, and scan results you submit. We process this data only to provide the scanning, reporting, and monitoring features, and only on your documented instructions, which include your configuration and use of the Service.

Subject matter and duration

Subject matter: automated accessibility scanning and report generation. Duration: for as long as your account is active, plus the retention period in the Privacy Policy. Nature and purpose: crawling, rendering, and analyzing the URLs you submit. Data subjects: visitors and users whose personal data may appear on scanned pages. Data types: whatever appears on the pages you choose to scan.

Our obligations

We will: process personal data only on your instructions; ensure persons authorized to process it are bound by confidentiality; implement appropriate technical and organizational security measures; assist you, taking into account the nature of processing, with data-subject requests and with your security, breach-notification, and impact-assessment obligations; and make available information needed to demonstrate compliance.

Sub-processors

You authorize us to engage the sub-processors listed on our Sub-processors page. We impose data-protection terms on each sub-processor no less protective than this DPA and remain responsible for their performance. We will give prior notice of any intended change so you can object.

International transfers

Where personal data is transferred outside the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses or another valid transfer mechanism, as described in the Privacy Policy.

Security and breach notification

We maintain encryption in transit and at rest, access controls, and logging. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own notification obligations.

Return and deletion

On termination, or on your request, we will delete or return personal data processed on your behalf, subject to any legal retention obligation. Deletion follows the lifecycle in the Privacy Policy.

Requesting a signed DPA

To execute a countersigned copy of this DPA, email legal@eaacompliant.com with your organization and signatory details.

This page is informational only and does not constitute legal advice, nor a guarantee of WCAG or EU Accessibility Act conformance. Automated testing finds a subset of accessibility issues; please consult a qualified accessibility or legal professional before relying on it.

Questions? Email legal@eaacompliant.com.