Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Controller”, “Customer”) and Pyrite Advisory Ltd, a company registered in England and Wales, trading as sniffed (“Processor”, “we”, “us”), for the provision of the sniffed platform (“the Service”).
This DPA applies where and to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Service, as governed by UK data protection legislation including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined by the UK GDPR.
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- Controller — the Customer, who determines the purposes and means of processing Personal Data.
- Processor — Pyrite Advisory Ltd (trading as sniffed), who processes Personal Data on behalf of the Controller.
- Sub-processor — a third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- Data Subject — an identified or identifiable natural person whose Personal Data is processed.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service. This includes:
- Storing account information (name, email, organisation) to operate user accounts.
- Storing target configurations and scan results to deliver the security testing service.
- Processing credentials provided for authenticated testing, encrypted at rest and decrypted only within isolated, ephemeral sandbox environments.
- Sending transactional emails (scan alerts, security digests) via third-party email providers.
- Processing billing events via Stripe.
3. Categories of Data and Data Subjects
Personal Data processed
- Account holder names and email addresses
- Organisation names
- Target domain names and IP addresses
- Authentication credentials for testing (encrypted)
- Scan results and findings, which may incidentally contain personal data discovered during testing
Data Subjects
- Customer employees and authorised users of the Service
- Individuals whose personal data may be incidentally discovered during security testing of the Customer's systems
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law.
- Ensure that persons authorised to process Personal Data are bound by appropriate obligations of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described on our Security page.
- Assist the Controller in fulfilling its obligations regarding Data Subject rights, including requests for access, rectification, erasure, and data portability.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data to the Controller upon termination of the Service, unless retention is required by law. Data is deleted within 30 days of account termination.
- Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for reasonable audits.
5. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf.
- Ensure it has provided appropriate notice and, where required, obtained consent from Data Subjects whose data may be processed through the Service.
- Only submit targets for testing that it owns or has explicit authorisation to test.
- Promptly inform the Processor of any data protection impact assessments or consultations with supervisory authorities that relate to the Service.
6. Sub-processing
The Controller provides general written authorisation for the Processor to engage sub-processors for the purpose of delivering the Service. The current list of sub-processors is maintained at sniffed.io/subprocessors.
The Processor shall notify the Controller of any intended changes to its sub-processors, giving the Controller the opportunity to object. If the Controller raises a reasonable objection, the Processor shall work with the Controller to find an alternative solution. If no resolution can be reached, the Controller may terminate the affected Service.
The Processor shall impose the same data protection obligations on each sub-processor as are set out in this DPA by way of a contract or other legal act.
7. International Transfers
Some sub-processors are located outside the United Kingdom, primarily in the United States. Where Personal Data is transferred internationally, the Processor ensures appropriate safeguards are in place in accordance with UK GDPR requirements. Details of sub-processor locations are available on the sub-processors page.
8. Data Security
The Processor implements technical and organisational measures appropriate to the nature and sensitivity of the Personal Data processed. These measures include but are not limited to:
- Encryption of data in transit (TLS) and at rest (AES-256-GCM for credentials)
- Isolated, ephemeral Docker sandbox containers for scan execution
- Hashed passwords (never stored in plain text)
- Domain ownership verification before scanning is permitted
- Access controls and role-based permissions
- Regular review and update of security practices
Full details of our security practices are available on our Security page.
9. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
10. Audit Rights
The Controller may request, at reasonable intervals and with reasonable notice, that the Processor provides information necessary to demonstrate compliance with this DPA. The Processor shall cooperate with such requests. Audits shall be conducted in a manner that minimises disruption to the Processor's operations. The Controller shall bear its own costs for any audit.
11. Duration and Termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Service, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a copy of its data before deletion.
12. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Contact
For questions about this DPA or to exercise any rights under it, contact us at hello@sniffed.ai.