Data Processing Agreement
Last updated: June 2026
Important notice
This Data Processing Agreement (“DPA”) is a template that forms part of the agreement between you (the “Customer” / controller) and OverlayRiskWitness (the “Processor”) when you use the service to process personal data. It is not legal advice. Have qualified counsel review and adapt it, including the jurisdiction and signatory blanks, before relying on it.
1. Roles of the parties
For personal data processed through the service, the Customer is the controller (or a processor acting on behalf of its own controller) and OverlayRiskWitness is the processor. OverlayRiskWitness processes personal data only to provide the service and only on the Customer’s documented instructions, which consist of the Terms of Service, this DPA, and the Customer’s use of the service’s features.
2. Scope and nature of processing
The processing covered by this DPA includes:
- Scan-submitted URLs and the page content fetched from them, loaded through a hosted headless browser once with the overlay active and once with it blocked
- Account data such as email address, authentication identifiers, and billing references
- Run and evidence records including timestamped DOM snapshots, screenshots, and axe-core results retained as part of a Risk Packet
The duration of processing is the term of the Customer’s use of the service, plus any retention period described in Section 7.
3. Processor obligations
As processor, OverlayRiskWitness will:
- process personal data only on the Customer’s documented instructions
- ensure persons authorized to process the data are bound by confidentiality
- implement the technical and organizational measures described in Section 5
- assist the Customer, taking into account the nature of processing, in responding to data-subject requests and meeting its security and breach obligations
- make available information reasonably necessary to demonstrate compliance with this DPA
4. Subprocessors
The Customer authorizes OverlayRiskWitness to engage the subprocessors listed at overlayrisk.com/subprocessors. We impose data-protection obligations on each subprocessor that are no less protective than this DPA, and we remain responsible for their performance. We will update the subprocessor list before adding or replacing a subprocessor used to process Customer personal data.
5. Security measures
We maintain technical and organizational measures appropriate to the risk, including:
- encryption of data in transit (TLS)
- row-level security (RLS) on the database to isolate each account’s data
- least-privilege access controls for staff and service credentials
- secret management and environment isolation between development and production
- logging and monitoring of access to production systems
6. Data-subject rights
Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights (such as access, rectification, erasure, restriction, portability, and objection). If we receive a request directly from a data subject relating to Customer personal data, we will refer them to the Customer.
7. Retention and deletion
On termination of the service, and at the Customer’s choice, we will delete or return Customer personal data and delete existing copies, unless retention is required by applicable law. Risk Packets and run records associated with the account are removed as part of account deletion; copies held in backups are removed when the applicable backup-rotation window expires.
8. Breach notification
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably available to help the Customer meet its own notification obligations.
9. International transfers
Our subprocessors are primarily located in the United States. Where personal data is transferred across borders, the parties will rely on an appropriate transfer mechanism as required by applicable law.
TODO: Confirm with counsel which transfer mechanism (for example, Standard Contractual Clauses) applies for your target markets and attach it as an annex.
10. Governing law, term, and signatures
This DPA is governed by the laws of [Jurisdiction] and continues for as long as we process Customer personal data. It is entered into by:
Customer (Controller)
Name: [Customer name]
Signatory: [Name / title]
Date: [Date]
OverlayRiskWitness (Processor)
Name: [Legal entity name]
Signatory: [Name / title]
Date: [Date]
TODO: Replace [Jurisdiction] and the signatory blanks with confirmed values, and have counsel confirm the controlling legal entity before execution.
11. Contact
To request a countersigned DPA or to raise a data-protection question, contact privacy@overlayrisk.com.