Processing terms

Data Processing Addendum

Data processing terms for customers that need processor, service-provider, security, and subprocessor commitments for ShakerScan use.

Last updated: 2026-04-27

Processing role

ShakerScan acts as a processor or service provider when it processes customer personal data through scans, evidence, support, and billing workflows on behalf of the customer.

Customers must not submit regulated production data until the DPA and related privacy terms are accepted for that use.

Customer instructions

Customer instructions are limited to using the service as configured in the product, order form, rules of engagement, support requests, and applicable DPA. ShakerScan may reject instructions that require unauthorized testing, unsafe scanning, unsupported retention, or unlawful processing.

Customers remain responsible for deciding which targets, prompts, credentials, test accounts, documents, and environments are appropriate for the service.

Security measures

The DPA references technical and organizational measures such as access control, encryption, logging, incident response, vendor management, retention controls, and raw/redacted evidence separation.

Security measures must match deployed production controls and remain current with the trust and security pages.

Appendix A: processing details

Subject matter: hosted security scanning, AI Gate evaluation, deploy-gate evidence, policy decisions, approval workflows, billing, support, and related product operations.

Duration: the subscription or trial term plus the applicable retention period and any backup, legal, security, or incident-preservation period.

Nature and purpose: scan orchestration, target verification, finding generation, policy evaluation, evidence hashing, redacted evidence display, raw artifact handling, attestation verification, billing, support, abuse prevention, security monitoring, and service improvement for the customer workspace.

Data subjects and categories: customer users, workspace members, customer employees or test users, and end users included in target data; account data, target metadata, scan artifacts, transcripts, screenshots, headers, URLs, credential metadata, billing metadata, support communications, and operational logs. Special categories, PHI, cardholder data, government-classified data, and other regulated production data are not permitted unless a signed agreement authorizes that use.

Appendix B: technical and organizational measures

Measures include tenant-scoped access controls, TLS in transit, secret-handling paths for credentials, raw/redacted evidence separation where supported, audit logging, role-based administrative access, incident response, vendor review, deletion controls where implemented, and scan budget/rate controls.

Customer responsibilities include using least-privilege test accounts, non-production secrets where possible, staging or preview environments for first runs, appropriate request and token budgets, and authorization controls for connected tools, documents, accounts, and downstream systems.

Subprocessors

The DPA incorporates the subprocessor list and customer notice process for vendor changes.

The subprocessor list is maintained to reflect production vendors, processing purpose, data categories, and region information where available.

Appendix C: subprocessors and notice

Customer gives general authorization for subprocessors listed on the Subprocessors page or in a signed agreement. ShakerScan will maintain a vendor-level subprocessor registry before paid launch, including vendor name, service, purpose, data categories, region where available, default or optional use, transfer mechanism where applicable, and date added.

Material subprocessor changes that affect customer data processing should be logged before the vendor processes production customer data. Enterprise customers may receive notice and objection rights through the applicable DPA or signed agreement.

Appendix D: international transfers

ShakerScan currently plans to host the self-serve service in United States regions for an initial customer base in the United States and possibly Canada. International transfers may still occur when customers, users, support contacts, targets, providers, or integrations are outside the United States, or where provider operations require transfer mechanisms.

International transfers may require standard contractual clauses, UK transfer terms, regional hosting commitments, provider-specific transfer mechanisms, or a signed enterprise agreement. Self-serve use does not create custom regional, residency, or international-transfer commitments unless expressly stated.

Customers with EU/UK personal data, strict regional requirements, or regulated production data should use a signed agreement before sending that data through ShakerScan.

Appendix E: assistance, incidents, audit, and deletion

ShakerScan will provide reasonable assistance for data subject requests, security inquiries, export requests, deletion requests, and customer audit questionnaires through available product controls, support channels, and published documentation.

ShakerScan will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data and will provide information reasonably available to ShakerScan to assist Customer with its legal obligations. Return and deletion after termination follow the applicable retention matrix, implemented deletion controls, backup lifecycle, legal obligations, and incident-preservation requirements.

International and regulated use

International transfers, EU/UK personal data, health data, payment data, government workloads, financial-services data, and other regulated use cases require review before use and may require standard contractual clauses, a regulated-customer addendum, or a signed enterprise agreement.

Self-serve ShakerScan is not intended for PHI, cardholder data, government-classified data, or other regulated production data unless a separate written agreement authorizes that use. ShakerScan does not sign BAAs, PCI commitments, FedRAMP commitments, SOC 2 commitments, ISO 27001 commitments, or similar regulated-use obligations through click-through terms.

Questions

For legal, privacy, security, or authorization questions, contact security@shakerscan.com.