Data Processing Agreement
Effective: April 1, 2026
This page summarizes Pentevo's Data Processing Agreement (DPA). The full DPA is incorporated by reference into our Terms of Service and governs the processing of personal data under GDPR Article 28. Enterprise customers requiring a signed DPA should contact legal@pentevo.com.
GDPR Article 28 Compliance
Where Pentevo processes personal data on behalf of a customer who is established in the European Economic Area (EEA) or processes data of EEA residents, Pentevo acts as a Data Processor and the customer acts as the Data Controller.
Pentevo commits to the following obligations under GDPR Article 28:
- Process personal data only on documented instructions from the Controller.
- Ensure personnel authorized to process data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see below).
- Engage subprocessors only with prior written consent and under equivalent obligations.
- Assist the Controller with data subject rights requests within 30 days.
- Delete or return all personal data upon termination of the service.
- Provide all information necessary to demonstrate compliance with Article 28.
- Notify the Controller of any personal data breach without undue delay (within 72 hours of discovery).
Data Categories Processed
| Category | Examples | Retention |
|---|---|---|
| Account Data | Name, email address, company, job title | Account lifetime + 30 days |
| Scan Target Data | Target URLs, IP ranges, scope definitions | 12 months (configurable) |
| Scan Findings | Vulnerability descriptions, request/response pairs, severity classifications | 12 months (configurable) |
| Usage Data | Feature usage, scan frequency, session metadata | 90 days |
| Billing Data | Payment method metadata (tokenized), transaction history | 7 years (regulatory requirement) |
International Data Transfers
Pentevo's primary infrastructure is located in the United States (AWS us-east-1). Transfers of personal data from the EEA to the United States are governed by:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs are included in our DPA and apply to all EEA-to-US transfers.
- EU-US Data Privacy Framework — Pentevo is working toward certification. EEA customers operating under stricter requirements should execute the full DPA.
EU-resident data storage is available to enterprise customers on request at no additional cost. Contact legal@pentevo.com to request EU data residency.
Technical & Organizational Security Measures
The following measures are implemented to protect personal data as required by GDPR Article 32:
Subprocessors
Pentevo uses approved subprocessors to deliver the service. All subprocessors are bound by data processing agreements with equivalent obligations to this DPA. The full subprocessor list is published on our Trust Center.
Customers subscribed to our enterprise plan will receive 30 days advance written notice before any new subprocessor is engaged. You may object to a new subprocessor by contacting legal@pentevo.com.
Execute a Signed DPA
Enterprise customers requiring a countersigned DPA for procurement, legal, or compliance purposes can request one by contacting legal@pentevo.com. We will return a signed agreement within 3 business days.