Data Processing Agreement

Last updated: June 13, 2026

Introduction

This Data Processing Agreement (“DPA”) is entered into between Admiresty (“Processor”, “we”, “us”, or “our”) and the customer entity that has accepted the TLINK PRO Terms of Service (“Controller”, “you”, or “your”). This DPA forms part of, and is incorporated into, the Terms of Service between Admiresty and the Controller.

This DPA applies where and to the extent that Admiresty processes Personal Data on behalf of the Controller in the course of providing the TLINK PRO attack surface monitoring service (“Service”). It is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 (“GDPR”) and equivalent data protection legislation in other jurisdictions where applicable.

In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA shall take precedence. In all other respects, the Terms of Service shall govern.

By continuing to use the Service after accepting the Terms of Service, the Controller acknowledges that it has read, understood, and agrees to be bound by this DPA. If you are accepting this DPA on behalf of a legal entity, you represent that you have authority to bind that entity.

1. Definitions

Unless otherwise defined in this DPA, capitalized terms have the meanings given to them in the GDPR. The following definitions apply throughout this DPA:

  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (GDPR Art. 4(7)). In the context of this DPA, the Controller is the TLINK PRO customer entity that has accepted the Terms of Service.
  • “Processor” means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller (GDPR Art. 4(8)). In the context of this DPA, the Processor is Admiresty.
  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (GDPR Art. 4(1)).
  • “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (GDPR Art. 4(2)).
  • “Sub-processor” means any Processor engaged by Admiresty to carry out specific processing activities on behalf of the Controller.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as may be amended or replaced from time to time.
  • “Supervisory Authority” means an independent public authority established pursuant to GDPR Article 51 and, as applicable, the equivalent regulatory body in other jurisdictions.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed pursuant to this DPA.

2. Scope and Details of Processing

In accordance with Article 28(3) of the GDPR, the following sets out the subject matter and details of the Processing carried out by Admiresty on behalf of the Controller.

2.1 Subject Matter

The subject matter of the Processing is the provision of the TLINK PRO attack surface monitoring service, which involves the automated discovery, scanning, analysis, and monitoring of internet-facing assets associated with the domains and IP ranges specified by the Controller. In the course of providing these services, Admiresty may incidentally collect, store, and process Personal Data that is publicly associated with those assets.

2.2 Duration of Processing

Admiresty will process Personal Data for the duration of the Controller's active subscription to the TLINK PRO service, beginning on the date the Controller's account is activated and ending on the date the subscription is terminated or expires. Upon termination, Admiresty will delete or return Personal Data in accordance with Section 9 of this DPA.

2.3 Nature and Purposes of Processing

The Processing activities carried out by Admiresty on behalf of the Controller include:

  • Automated scanning: Periodic and continuous active probing of internet-facing assets to identify open ports, exposed services, TLS/SSL configurations, DNS records, and related technical attributes.
  • Data collection and storage: Collection and persistent storage of scan results, historical snapshots, asset metadata, and associated threat intelligence signals.
  • Analysis and enrichment: Automated analysis of collected data to identify security exposures, misconfigurations, and changes; enrichment of findings with threat intelligence data from external sources.
  • Alerting and notification: Generation and delivery of security alerts, notifications, and digest reports to the Controller based on monitored asset changes and detected exposures.
  • API access: Making collected data available to the Controller via the TLINK PRO API for integration into the Controller's own systems and workflows.
  • Reporting: Generation of reports summarizing the Controller's attack surface posture, historical trends, and detected findings.

The purposes for which Admiresty processes Personal Data are strictly limited to the provision of the Service as described above. Admiresty does not process Personal Data for its own independent purposes, for advertising, or for sale to third parties.

2.4 Types of Personal Data Processed

The categories of Personal Data that Admiresty may process in the course of providing the Service include the following, to the extent such data is publicly associated with assets monitored at the Controller's instruction:

  • Contact information in WHOIS records: Names, email addresses, postal addresses, and telephone numbers of domain registrants, administrative contacts, and technical contacts as published in public WHOIS databases.
  • Email addresses of monitored targets: Email addresses discovered through scanning, certificate transparency logs, DNS records, or other public sources that are associated with the monitored domains or infrastructure.
  • IP addresses: IP addresses associated with monitored domains and infrastructure, including assignee information from public WHOIS and ARIN/RIPE/APNIC records.
  • Domain ownership and registration data: Registrant names, organizations, and contact details as published in public registry records.
  • SSL/TLS certificate data: Subject alternative names, organizational details, and contact information included in publicly issued certificates associated with monitored domains.
  • Account data for platform users: Names and email addresses of individuals who are registered as users of the Controller's TLINK PRO account, used for authentication, notification delivery, and audit logging.

Admiresty does not intentionally collect special categories of Personal Data as defined in GDPR Article 9 (such as health data, biometric data, or data revealing racial or ethnic origin). If special category data is incidentally encountered through the scanning of public sources, it will not be specifically extracted, stored separately, or used for any purpose.

2.5 Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • Employees, contractors, and agents of the Controller whose contact information is associated with the Controller's monitored domains and infrastructure.
  • Employees and contacts of organizations associated with monitored assets, whose details appear in public WHOIS records, certificate data, or DNS records.
  • Registered users of the Controller's TLINK PRO account, including administrators, team members, and API users.
  • Technical contacts and domain administrators whose information is publicly registered in DNS or WHOIS records for monitored assets.

3. Processor Obligations

In its capacity as a Processor, Admiresty shall comply with the following obligations in accordance with GDPR Article 28 and applicable data protection law.

3.1 Processing on Documented Instructions Only

Admiresty shall process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do so by Union or Member State law to which Admiresty is subject. In such a case, Admiresty shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on grounds of public interest.

The Controller's instructions are embodied in: (a) the configuration of assets for monitoring in the TLINK PRO platform; (b) the alert rules and notification settings configured by the Controller; and (c) any written instructions provided by the Controller to Admiresty's support or operations team. Admiresty shall promptly inform the Controller if it believes any instruction infringes applicable data protection law.

3.2 Confidentiality

Admiresty shall ensure that persons authorised to process Personal Data on behalf of the Controller are subject to a duty of confidentiality, whether contractual or statutory. Access to Personal Data is restricted on a need-to-know basis. Admiresty shall not disclose Personal Data to any third party except as expressly permitted under this DPA, the Terms of Service, or applicable law.

All Admiresty employees and contractors with access to Personal Data are required to sign confidentiality obligations as a condition of employment or engagement, and receive data protection training appropriate to their role.

3.3 Technical and Organisational Security Measures

Admiresty shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in accordance with GDPR Article 32. Such measures include, as appropriate:

  • Encryption in transit: All data transmitted between the Controller and the TLINK PRO platform is encrypted using TLS 1.2 or higher. API communications are encrypted end-to-end.
  • Encryption at rest: Personal Data stored in Admiresty's databases and object storage is encrypted at rest using AES-256 or equivalent.
  • Access control: Role-based access control is applied to all systems containing Personal Data. Access is granted on the principle of least privilege and reviewed periodically.
  • Authentication: Multi-factor authentication (MFA) is required for administrative access to production systems. The platform supports and encourages MFA for all customer accounts.
  • Audit logging: Comprehensive audit logs are maintained for all access to and operations performed on Personal Data, including who accessed the data, when, and from where.
  • Vulnerability management: Admiresty conducts regular vulnerability assessments, dependency scanning, and penetration testing of its platform and infrastructure.
  • Incident response: Admiresty maintains a documented incident response plan that includes procedures for detecting, containing, and recovering from Personal Data breaches.
  • Business continuity: Admiresty maintains backup and recovery procedures to ensure the availability and resilience of processing systems.
  • Vendor due diligence: Sub-processors are subject to security due diligence and contractual data protection requirements before being authorised to process Personal Data.

Further details of Admiresty's security practices are available on the Security page at admiresty.co/security.

3.4 Assistance with Data Subject Rights

Admiresty shall assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR. These rights include:

  • Right of access (Art. 15): Admiresty will provide the Controller with access to Personal Data held on the Controller's account upon request, to enable the Controller to respond to Data Subject access requests.
  • Right to rectification (Art. 16): Admiresty will correct inaccurate Personal Data upon instruction from the Controller.
  • Right to erasure (Art. 17): Admiresty will delete Personal Data upon instruction from the Controller, subject to retention obligations imposed by applicable law.
  • Right to restriction of processing (Art. 18): Admiresty will restrict the processing of Personal Data upon instruction from the Controller where required by the GDPR.
  • Right to data portability (Art. 20): Admiresty will provide Personal Data in a structured, commonly used, machine-readable format upon request from the Controller to enable portability.
  • Right to object (Art. 21): Admiresty will assist the Controller in addressing Data Subject objections to processing where applicable.

Requests related to data subject rights should be directed to dpa@admiresty.co. Admiresty will use reasonable efforts to respond to such requests within 5 business days to give the Controller sufficient time to respond to the Data Subject within the GDPR-mandated timeframe (generally 30 days, extendable to 90 days for complex requests).

3.5 Assistance with Compliance Obligations

Admiresty shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to Admiresty. This includes:

  • Data Protection Impact Assessments (Art. 35): Where the Controller determines that a DPIA is required, Admiresty will provide relevant information about its processing activities and security measures to assist the Controller in completing the assessment.
  • Prior consultation (Art. 36): Where required, Admiresty will cooperate with the Controller in consulting the relevant Supervisory Authority.
  • Security compliance (Art. 32): Admiresty will provide information about its technical and organisational measures upon reasonable request to assist the Controller in assessing the security of Processing.

3.6 Deletion or Return of Data

Upon termination or expiry of the subscription agreement, or upon written request from the Controller at any time, Admiresty shall, at the choice of the Controller:

  • Delete all Personal Data and copies thereof within 30 days of the termination date or receipt of the request, and provide the Controller with written confirmation of deletion; or
  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format within 30 days of the termination date or receipt of the request, and thereafter delete all copies.

Admiresty may retain Personal Data beyond the 30-day period only to the extent and for as long as required by applicable Union or Member State law, and shall inform the Controller of any such retention obligation. Retained data will continue to be subject to the confidentiality and security obligations of this DPA.

3.7 Demonstrating Compliance and Audit Rights

Admiresty shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

In practice, Admiresty will:

  • Respond to reasonable written requests for information about its data processing practices and security measures within 10 business days.
  • Provide access to relevant audit reports, certifications, and compliance documentation upon request, subject to reasonable confidentiality obligations.
  • Allow the Controller (or a mandated auditor) to conduct on-site audits of relevant systems and processes, subject to reasonable advance notice (at least 30 days), agreement on audit scope and logistics, and execution of an appropriate non-disclosure agreement. On-site audits shall be conducted during Admiresty's normal business hours and in a manner that minimises disruption to Admiresty's operations and the security of other customers' data.

The Controller shall bear the costs of any audit it conducts unless the audit reveals material non-compliance with this DPA, in which case the cost allocation may be adjusted as mutually agreed.

4. Sub-processors

The Controller provides Admiresty with general written authorisation to engage Sub-processors to assist in the provision of the Service, subject to the conditions set out in this Section 4.

4.1 Current Sub-processors

As of the last updated date of this DPA, Admiresty uses the following Sub-processors in connection with the Service:

  • Amazon Web Services, Inc. (AWS) — Primary cloud infrastructure and storage provider. AWS hosts the compute, database, and object storage infrastructure on which the TLINK PRO platform runs. As a result, AWS processes Personal Data as part of the underlying infrastructure. Location: United States. Transfer mechanism: Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller to Processor). AWS is certified under ISO 27001 and SOC 2 Type II.
  • Stripe, Inc. — Billing and payment processing. Stripe processes billing information including payment card data and associated contact details for the purpose of subscription management. Stripe does not have access to monitoring data, scan results, or any other operational Personal Data collected by the Service. Location: United States. Transfer mechanism: Standard Contractual Clauses.
  • Resend / SMTP Email Provider — Transactional email delivery. Used to deliver security alerts, digest reports, account notifications, and other transactional emails to users of the Controller's account. The email provider receives recipient email addresses and email content for the purpose of delivery. Location: United States. Transfer mechanism: Standard Contractual Clauses.

4.2 Sub-processor Requirements

Before engaging any Sub-processor, Admiresty shall:

  • Carry out appropriate due diligence to assess the Sub-processor's ability to provide the required level of data protection.
  • Impose on the Sub-processor data protection obligations equivalent to those set out in this DPA, including obligations relating to confidentiality, security, and the use of further sub-processors.
  • Remain fully liable to the Controller for the performance of the Sub-processor's data protection obligations to the extent that the Sub-processor fails to fulfil them.

4.3 Changes to Sub-processors

Admiresty shall inform the Controller of any intended additions to or replacements of Sub-processors by providing at least 14 days' prior written notice of the change, giving the Controller sufficient time to object to the change before the new Sub-processor begins Processing.

The Controller may object to a new Sub-processor on reasonable grounds related to data protection by notifying Admiresty in writing within 14 days of receipt of the notice. If the Controller objects and Admiresty is unable to resolve the objection, the Controller may terminate its subscription with a pro-rata refund of prepaid fees for the remaining subscription period. Admiresty will use reasonable efforts to make Sub-processor changes in a manner that minimises disruption to the Service.

Notice of Sub-processor changes will be communicated via email to the primary account email address and posted to the TLINK PRO status and legal pages. Controllers may also subscribe to Sub-processor change notifications by contacting dpa@admiresty.co.

5. International Data Transfers

The TLINK PRO platform is operated from infrastructure located primarily in the United States. As a result, Personal Data processed by Admiresty and its Sub-processors may be transferred to and processed in the United States, which is a country outside the European Economic Area (EEA) and may not provide the same level of data protection as countries within the EEA.

For transfers of Personal Data from the EEA (or the United Kingdom, Switzerland, or other jurisdictions with equivalent transfer restrictions) to the United States, Admiresty relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): Admiresty incorporates the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914 into its agreements with Sub-processors located in the United States. The relevant module (Module 2: Controller to Processor, or Module 3: Processor to Processor as applicable) is used depending on the role of the parties.
  • SCCs between Controller and Processor: To the extent required by applicable law, Admiresty agrees to execute the Standard Contractual Clauses in the applicable module with the Controller upon request. Controllers may request SCC execution by contacting dpa@admiresty.co.

Admiresty conducts Transfer Impact Assessments (TIAs) in relation to transfers to third countries as required by applicable guidance, and implements supplementary measures where appropriate (such as encryption and pseudonymisation) to ensure that transferred data is protected to an equivalent standard.

For UK-based Controllers, transfers are covered by the UK Addendum to the EU SCCs (as issued by the Information Commissioner's Office) or the International Data Transfer Agreement (IDTA), as applicable. For Swiss-based Controllers, Admiresty applies the Swiss Federal Act on Data Protection (revFADP) requirements, including executing the SCCs as adapted for Swiss law.

6. Data Subject Rights Requests

The Controller is responsible for responding to Data Subject rights requests under the GDPR. The Controller acknowledges that, as the Processor, Admiresty is not directly obligated to respond to Data Subject requests but will assist the Controller as described in Section 3.4.

Where Admiresty receives a Data Subject request directly (e.g., a Data Subject contacts Admiresty's support team regarding their Personal Data), Admiresty will:

  • Acknowledge receipt of the request within 2 business days.
  • Forward the request to the relevant Controller within 3 business days, unless Admiresty is the Controller for that specific data (e.g., account-level data for Admiresty's own customer relationship).
  • Cooperate with the Controller in preparing the response, providing such information as is reasonably necessary and available to Admiresty.
  • Not respond directly to Data Subjects on behalf of the Controller without the Controller's written authorisation, except to acknowledge receipt and redirect the Data Subject to the Controller.

7. Personal Data Breach Notification

In the event of a Personal Data breach (as defined in GDPR Art. 4(12)), Admiresty shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

The breach notification will include, to the extent available at the time of notification:

  • A description of the nature of the Personal Data breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the Data Protection Officer or other contact point where more information can be obtained.
  • A description of the likely consequences of the Personal Data breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all of the above information at the same time, the information may be provided in phases without undue further delay. Admiresty will cooperate with the Controller in any investigation of the breach and in any notifications the Controller is required to make to Supervisory Authorities or affected Data Subjects.

Breach notifications should be directed to the primary account email address on file. Controllers are encouraged to maintain an up-to-date security contact email in their account settings to ensure breach notifications are received promptly. Breach notifications can also be sent to security@admiresty.co.

Notification of a breach by Admiresty does not constitute an admission of fault or liability. The Controller is solely responsible for determining whether the breach triggers any notification obligations to Supervisory Authorities or Data Subjects under applicable law.

8. Controller Responsibilities

The Controller acknowledges and agrees that it is responsible for:

  • Establishing the lawful basis for any Processing of Personal Data that it instructs Admiresty to carry out on its behalf, including ensuring that any necessary consents have been obtained or that another applicable legal basis exists under GDPR Article 6.
  • Ensuring that its instructions to Admiresty comply with applicable data protection law.
  • Ensuring that it has the appropriate authorisation (legal or contractual) to add assets to the TLINK PRO platform for monitoring, in accordance with the Acceptable Use Policy.
  • Responding to Data Subject rights requests within the timeframes required by applicable law.
  • Providing appropriate privacy notices to Data Subjects whose Personal Data may be incidentally collected through the monitoring of the Controller's assets.
  • Determining whether a Data Protection Impact Assessment is required before commencing certain types of monitoring activity.
  • Complying with any obligations it may have as a Controller under applicable data protection law, including obligations to Supervisory Authorities.

9. Duration and Termination

This DPA shall come into force on the date the Controller accepts the Terms of Service and shall remain in force for as long as the Controller has an active subscription to the TLINK PRO service, or until terminated by either party in accordance with the Terms of Service.

This DPA shall automatically terminate upon termination or expiry of the Terms of Service. Termination of this DPA shall not affect any rights or obligations that have accrued prior to the date of termination.

Upon termination of this DPA, Admiresty shall delete or return all Personal Data as described in Section 3.6 within 30 days, subject to any retention obligations imposed by applicable law. The confidentiality and security obligations in this DPA shall survive termination for as long as Admiresty retains any Personal Data.

10. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service between the parties, unless required otherwise by applicable data protection law. In particular, where the GDPR applies, the parties agree that the courts of competent jurisdiction for disputes arising under this DPA shall include the courts of the EU Member State in which the Controller is established.

Where the SCCs are incorporated as part of this DPA, the governing law and jurisdiction provisions of the applicable SCCs shall take precedence over this Section 10 with respect to the transfer of Personal Data covered by those clauses.

11. Miscellaneous

Entire agreement. This DPA, together with the Terms of Service and any applicable SCCs, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements, representations, and understandings on the same subject matter.

Amendments. Admiresty may amend this DPA to reflect changes in applicable data protection law, guidance from Supervisory Authorities, or changes to the Service. Material amendments will be communicated to the Controller with at least 30 days' notice. Continued use of the Service after the effective date of an amendment constitutes acceptance. Where an amendment is required by applicable law, it may take effect immediately.

Severability. If any provision of this DPA is found to be unenforceable or invalid under applicable law, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

No waiver. Failure by either party to enforce any provision of this DPA shall not constitute a waiver of that party's right to enforce it in the future.

12. Contact

Questions about this DPA, requests to execute Standard Contractual Clauses, Sub-processor change notifications, data subject rights requests, or any other data protection inquiries should be directed to:

Admiresty
admiresty.co

We aim to respond to all data protection inquiries within 5 business days.