Data Processing Agreement

A Data Processing Agreement (DPA) is a contract that governs how Averrow processes personal data on a customer’s behalf. This page explains what ours covers and how to get one — it is not the agreement itself.

Available on request Our DPA is issued directly to customers who need one, not published as a self-serve document — the terms are tied to the customer’s specific plan and processing relationship. Request our DPA through the contact form and our team will send it over.

What a DPA typically includes

  • The roles of each party — who is the data controller and who is the data processor
  • The subject matter, duration, nature, and purpose of processing
  • The categories of personal data and data subjects involved
  • Our sub-processors and the obligations we flow down to them
  • Security measures applied to the data we process
  • How we assist with data subject rights requests
  • Breach notification commitments and timelines
  • Deletion or return of data at the end of the engagement

Business and Enterprise customers, generally

If your organization is processing personal data through Averrow — and you fall under a framework like GDPR or PIPEDA — a DPA formalizes that relationship. This typically applies to Business and Enterprise plan customers. Professional and Free Scan users are welcome to request one too; we just haven’t needed to standardize it for that tier yet.

Consistent with our Security & Trust page

The summary below reflects how the platform actually operates today — see Security & Trust for the full detail.

Sub-processors

Cloudflare (edge compute, database, cache, and storage) and our AI model provider (inference, routed through an AI gateway). No customer data goes further than that.

No PII beyond account info

Averrow scans public signals — domains, public DNS records, public social profiles, and threat feed matches. We don’t collect email content, credentials, or internal network data.

Encrypted at rest and in transit

Data is encrypted at rest (D1) and in transit (TLS 1.3). API keys are stored as hashed secrets.

Retention

Active account data is retained during the subscription. Scan results are cached 24 hours. Deletion completes within 30 days of a request.

GDPR-aligned processing PIPEDA WCAG 2.1 AA SOC 2 Type I — Q3 2026

Need a signed DPA?

Tell us about your organization and plan, and we’ll get one over to you.