GDPR Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Argus Technologies ("Processor") and you ("Controller") for the use of the Argus platform ("Service").

This DPA reflects the parties' agreement with respect to the processing of Personal Data by the Processor on behalf of the Controller in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission for international data transfers.

3. Scope of Processing

3.1 Subject Matter

The Processor will process Personal Data as necessary to provide the Service, which includes AI-powered end-to-end testing, browser automation, and related functionality.

3.2 Duration

Processing will continue for the duration of the Agreement, unless otherwise agreed in writing.

3.3 Nature and Purpose

The purpose of processing is to:

• Execute browser-based tests on Controller's applications
• Capture screenshots and recordings of test executions
• Analyze page content for test automation purposes
• Generate test reports and analytics
• Provide support and maintain the Service

3.4 Categories of Data Subjects

Data Subjects may include:

• End users of Controller's applications being tested
• Controller's employees who use the Service
• Individuals whose data appears on pages being tested

3.5 Types of Personal Data

Personal Data processed may include:

• Names, email addresses, and other identifiers visible on tested pages
• User-generated content captured in screenshots
• IP addresses and device information from test executions
• Login credentials used for test authentication (encrypted)

4. Controller Obligations

The Controller shall:

• Ensure lawful basis for processing Personal Data through the Service
• Provide clear instructions regarding the processing of Personal Data
• Obtain necessary consents from Data Subjects where required
• Avoid testing pages containing sensitive personal data unless necessary
• Configure appropriate data retention settings
• Notify Processor promptly of any data subject requests

5. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Not engage Sub-processors without prior written authorization
• Assist the Controller in responding to Data Subject requests
• Delete or return all Personal Data at the end of the Agreement
• Make available all information necessary to demonstrate compliance
• Allow and contribute to audits conducted by the Controller

6. Security Measures

The Processor implements the following security measures:

• Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security testing and vulnerability assessments
• Incident detection and response procedures
• Employee security training and awareness programs
• Physical security controls at data center facilities
• Business continuity and disaster recovery plans

See our Security page for detailed information about our security practices.

7. Sub-processors

7.1 Authorized Sub-processors

The Controller hereby authorizes the engagement of the following Sub-processors:

7.2 Changes to Sub-processors

The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller an opportunity to object. Updates will be posted to this page.

8. International Transfers

For transfers of Personal Data outside the EEA, the Processor relies on:

• European Commission Standard Contractual Clauses (Module 2: Controller to Processor)
• Additional safeguards including encryption and access controls
• Data processing agreements with all Sub-processors

The SCCs are incorporated into this DPA by reference. A copy of the signed SCCs can be requested from legal@heyargus.ai.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

The Processor will notify the Controller within 48 hours of receiving any Data Subject request related to Personal Data processed under this DPA.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

• Notify the Controller without undue delay (within 48 hours) of becoming aware of a breach
• Provide sufficient information for the Controller to meet its notification obligations
• Cooperate with the Controller in investigating and mitigating the breach
• Take reasonable steps to contain and remediate the breach

11. Data Retention and Deletion

Upon termination of the Agreement or upon Controller's request:

• The Processor will delete all Personal Data within 30 days
• Controller may request export of data before deletion
• Deletion will be certified upon request
• Backups will be deleted according to the backup retention schedule (max 90 days)

12. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections, subject to:

• Reasonable advance notice (minimum 30 days)
• Reasonable scope and duration
• Confidentiality obligations
• Non-interference with operations

Alternatively, the Processor may provide third-party audit reports (e.g., SOC 2) to satisfy audit requirements.

13. Contact

For questions about this DPA or to request a signed copy: