Data Processing Agreement
Last updated: April 2, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service between WCAGAlert ("Processor") and the customer ("Controller") and governs the processing of personal data in accordance with GDPR (Regulation 2016/679).
1. Scope and Roles
The Controller determines the purposes and means of processing personal data by using the WCAGAlert service. The Processor processes personal data solely on behalf of the Controller and in accordance with the Controller's documented instructions (i.e., the service configuration).
2. Data Processed
In the course of providing the service, WCAGAlert processes:
- Account data: Email address, full name, organization name
- Site data: URLs submitted for scanning, scan configurations
- Scan results: HTML snippets, CSS selectors, WCAG violation data, accessibility scores
- Usage data: Login timestamps, scan history, audit logs
- Technical data: IP address hashes (SHA-256, for rate limiting only)
WCAGAlert does not intentionally collect sensitive personal data. If scanned web pages contain personal data (e.g., names in alt text), such data is incidentally processed as part of scan results.
3. Processing Instructions
The Processor shall process personal data only in accordance with the Controller's documented instructions, which are defined by the service functionality: scanning specified URLs, generating reports, sending notifications, and providing dashboard access.
4. Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt) |
| Stripe Inc. | Payment processing | USA (EU SCCs) |
| Vercel Inc. | Application hosting, CDN | USA (EU SCCs) |
| Railway Corp. | Scan worker infrastructure | USA (EU SCCs) |
| Brevo (Sendinblue) | Transactional email delivery | EU (France) |
The Processor will notify the Controller before adding any new sub-processor, allowing the Controller 14 days to object.
5. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) ensuring data isolation between organizations
- Multi-factor authentication (TOTP) available for all accounts
- API key authentication with scoped permissions
- Regular security audits and dependency updates
- Minimal data collection principle — we only store what is necessary
- IP addresses are hashed (SHA-256) before storage — raw IPs are never persisted
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing the necessary technical capabilities through the service dashboard and API.
7. Data Retention and Deletion
- Account data: Retained while the account is active. Deleted within 30 days of account deletion.
- Scan results: Retained while the account is active. Deleted together with the account.
- Free audit results: Automatically deleted after 30 days.
- Audit logs: Retained for 12 months for compliance purposes.
- Payment data: Managed by Stripe under their data retention policies. WCAGAlert does not store credit card numbers.
8. International Transfers
Where personal data is transferred outside the EEA (to Stripe, Vercel, or Railway in the USA), such transfers are protected by EU Standard Contractual Clauses (SCCs) as maintained by those sub-processors.
9. Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, likely consequences, and measures taken to address it.
10. Termination
Upon termination of the service agreement, the Processor shall delete or return all personal data to the Controller within 30 days, unless retention is required by applicable law.
11. Contact
For DPA-related inquiries: info@wcagalert.com