Data Processing Agreement
Last updated: January 9, 2025
Enterprise DPA
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between M87 LLC and enterprise customers processing personal data through the Alprina platform.
1. Definitions
For purposes of this DPA:
- "Controller" means the entity that determines the purposes and means of processing Personal Data
- "Processor" means the entity that processes Personal Data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, or deletion
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and similar regulations
- "GDPR" means Regulation (EU) 2016/679
- "Sub-processor" means any Processor engaged by M87 LLC to process Personal Data
2. Scope and Roles
2.1 Data Processing Relationship: Customer acts as the Controller and M87 LLC acts as the Processor for any Personal Data processed through the Service.
2.2 Scope of Processing: M87 LLC will process Personal Data only as necessary to provide the Service and only in accordance with Customer's documented instructions, except where required by applicable law.
2.3 Nature and Purpose: Processing includes scanning, analyzing, and reporting on code and application security vulnerabilities as directed by Customer through the Service.
2.4 Categories of Data: Personal Data processed through the Service may include developer information, account data, usage logs, and metadata related to security scans.
3. Data Protection Obligations
M87 LLC's Obligations
M87 LLC shall:
- Process Personal Data only on documented instructions from Customer, unless required by law
- Ensure that personnel authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures (see Section 4)
- Respect Sub-processor requirements (see Section 5)
- Assist Customer in responding to data subject requests (see Section 6)
- Assist Customer in ensuring compliance with security obligations
- Delete or return Personal Data upon termination (see Section 8)
- Make available information necessary to demonstrate compliance
4. Security Measures
M87 LLC implements appropriate technical and organizational measures to protect Personal Data, including:
Technical Measures
- TLS 1.3 encryption for data in transit
- AES-256 encryption for data at rest
- End-to-end encryption for remote scans
- Multi-factor authentication (MFA) support
- Regular security testing and vulnerability assessments
- Secure software development lifecycle
- Network segmentation and access controls
Organizational Measures
- Information security policies and procedures
- Employee security training and awareness programs
- Background checks for personnel with access to Personal Data
- Confidentiality agreements with all personnel
- Incident response and breach notification procedures
- Regular security audits and compliance reviews
- SOC 2 Type II attestation (in progress)
5. Sub-processors
5.1 Authorization: Customer provides general authorization for M87 LLC to engage Sub-processors.
5.2 Current Sub-processors:
- Amazon Web Services (AWS): Infrastructure hosting (SOC 2, ISO 27001)
- Stripe: Payment processing (PCI-DSS)
- SendGrid: Transactional email delivery
5.3 Notification: M87 LLC will provide at least 30 days' notice before adding or replacing Sub-processors by updating the list at https://alprina.com/sub-processors.
5.4 Objection Rights: Customer may object to a new Sub-processor on reasonable grounds related to data protection. If Customer objects, the parties will work in good faith to resolve concerns or Customer may terminate the affected portion of the Service.
5.5 Sub-processor Obligations: M87 LLC ensures all Sub-processors are bound by written agreements imposing substantially the same obligations as this DPA.
6. Data Subject Rights
M87 LLC shall, to the extent legally permitted, promptly notify Customer if M87 LLC receives a request from a data subject to exercise their rights under Data Protection Laws.
M87 LLC shall provide reasonable assistance to Customer to enable Customer to respond to data subject requests, including:
- Right of access: Providing copies of Personal Data
- Right to rectification: Correcting inaccurate Personal Data
- Right to erasure: Deleting Personal Data
- Right to restriction: Limiting processing of Personal Data
- Right to data portability: Exporting Personal Data in portable format
- Right to object: Ceasing certain processing activities
Customer shall reimburse M87 LLC for reasonable costs associated with providing such assistance if requests are excessive or unreasonable.
7. Data Breach Notification
7.1 Notification Duty: M87 LLC shall notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of any Personal Data breach.
7.2 Breach Information: The notification shall include, to the extent available:
- Nature of the breach, including categories and approximate numbers of data subjects and records affected
- Name and contact details of M87 LLC's data protection officer or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
7.3 Cooperation: M87 LLC shall cooperate with Customer and provide reasonable assistance to enable Customer to comply with its breach notification obligations under Data Protection Laws.
8. Data Retention and Deletion
8.1 Upon Termination: Upon termination of the Service, M87 LLC shall, at Customer's choice:
- Delete all Personal Data and existing copies (subject to Section 8.3), or
- Return all Personal Data to Customer in a commonly used, machine-readable format
8.2 Deletion Timeframe: Deletion or return shall be completed within 30 days of termination, unless a longer period is required by applicable law.
8.3 Legal Retention: M87 LLC may retain Personal Data to the extent required by applicable law, and only for the purposes and duration required by such law.
8.4 Certification: Upon Customer's request, M87 LLC shall provide written certification of deletion or return.
9. International Transfers
9.1 Transfer Mechanisms: Where Personal Data is transferred outside the European Economic Area (EEA), M87 LLC shall ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions under GDPR Article 45
- Other legally recognized transfer mechanisms
9.2 Standard Contractual Clauses: The EU Standard Contractual Clauses for processors are incorporated by reference and form part of this DPA.
10. Audits and Compliance
10.1 Information and Audit Rights: M87 LLC shall make available to Customer information necessary to demonstrate compliance with this DPA.
10.2 Audits: M87 LLC shall allow for and contribute to audits, including inspections, by Customer or an independent auditor mandated by Customer, subject to:
- Reasonable advance notice (at least 30 days)
- Audits conducted no more than once annually, unless required by data protection authorities
- Execution of confidentiality agreements
- Minimizing disruption to M87 LLC's operations
- Customer reimbursing M87 LLC's reasonable costs for audits beyond annual compliance reviews
10.3 Certifications: M87 LLC may provide audit reports (e.g., SOC 2 Type II) to satisfy audit requirements.
11. Liability and Indemnification
11.1 Liability: Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
11.2 Indemnification: M87 LLC shall indemnify Customer against claims, fines, or penalties imposed by data protection authorities resulting from M87 LLC's failure to comply with this DPA or Data Protection Laws, except to the extent such failure results from Customer's instructions.
12. Term and Termination
This DPA shall remain in effect for as long as M87 LLC processes Personal Data on behalf of Customer. Termination of this DPA does not relieve the parties of obligations accrued prior to termination.
13. Contact Information
For questions regarding this Data Processing Agreement:
- Legal Entity: M87 LLC
- Doing Business As: Alprina
- Data Protection Officer: dpo@alprina.com
- Legal Email: legal@alprina.com
- Privacy Email: privacy@alprina.com
- Website: https://alprina.com/contact
This Data Processing Agreement is incorporated into the Terms of Service between M87 LLC and Customer. For the executed version of this DPA or to request modifications for enterprise arrangements, please contact legal@alprina.com.