Data Processing Agreement

Last updated: March 1, 2026

1. Definitions

  • Data Controller ("Customer"): The entity that determines the purposes and means of processing personal data by using PreShip services.
  • Data Processor ("PreShip"): PreShip, which processes personal data on behalf of the Customer in connection with the provision of the services.
  • Personal Data: Any information relating to an identified or identifiable natural person that is processed by PreShip on behalf of the Customer.
  • Sub-processor: Any third party engaged by PreShip to process personal data on behalf of the Customer.

2. Scope and Purpose of Processing

PreShip processes personal data solely to provide the services described in the applicable service agreement. The types of data processed and purposes include:

  • Account information (name, email) for authentication and account management
  • URLs submitted for scanning to perform accessibility, security, and performance analysis
  • Scan results and reports for display in the dashboard and API responses
  • Usage data for billing, support, and service improvement

3. Obligations of the Processor

PreShip shall:

  • Process personal data only on documented instructions from the Customer
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject access requests
  • Delete or return all personal data upon termination of the service agreement, at the Customer's election
  • Make available all information necessary to demonstrate compliance with these obligations

4. Security Measures

PreShip implements the following technical and organizational measures to protect personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Network-level isolation and firewall protection via Cloudflare
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability scanning
  • Automated backup systems with encrypted storage
  • Incident response procedures with 72-hour breach notification

5. Sub-processors

PreShip engages the following sub-processors to deliver its services. The Customer will be notified at least 30 days before any new sub-processor is engaged.

Sub-processor | Purpose                      | Location
Railway       | Infrastructure hosting       | United States
Cloudflare    | CDN, DDoS protection, DNS    | Global
Neon          | PostgreSQL database hosting  | United States
Stripe        | Payment processing           | United States
Resend        | Transactional email delivery | United States

6. Data Subject Rights

PreShip will assist the Customer in fulfilling its obligations to respond to data subject requests, including rights of access, rectification, erasure, restriction, portability, and objection. PreShip will promptly notify the Customer if it receives a data subject request directly, unless prohibited by law.

7. Data Breach Notification

In the event of a personal data breach, PreShip will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of data subjects affected, and measures taken to address the breach.

8. International Transfers

Personal data is primarily processed in the United States. Where personal data is transferred outside the European Economic Area, PreShip ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

9. Data Retention

Scan data is retained according to the Customer's subscription plan:

  • Free: 7 days
  • Pro: 90 days
  • Team: 1 year
  • Enterprise: Unlimited retention

Account and billing data is retained for the duration of the service agreement and for any additional period required by applicable law (e.g., tax and accounting obligations).

10. Term and Termination

This DPA is effective for the duration of the service agreement between the Customer and PreShip. Upon termination, PreShip will delete all personal data within 30 days, unless retention is required by applicable law. The Customer may request a copy of their data before deletion.

11. Contact

For questions about this Data Processing Agreement or to request a signed copy, please contact us at legal@preship.dev.