Data Processing Agreement (DPA)
Last updated: May 23, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Processor: TitanShield SAS (registered in France, SIREN 994833143), trading as TitanShield, operating titanshield.tech ("we", "us", "TitanShield")
- Controller: the customer subscribed to a TitanShield paid plan ("you", "Customer")
This DPA forms part of the Terms of Service and applies whenever you upload or process personal data through the Service.
2. Subject Matter and Duration
TitanShield processes Customer data solely for the purpose of providing the security testing services (SAST, DAST, SCA, source code analysis, autofix). The processing duration matches the active subscription term plus the retention period defined per plan.
3. Nature and Purpose of Processing
- SAST/SCA: static analysis of uploaded binaries (APK, AAB, IPA) and source code archives
- DAST: dynamic runtime analysis on isolated emulated devices
- Autofix: patch generation via local sovereign LLMs (Mac M4, Qwen/Gemma) on EU-hosted infrastructure
- Reports: generation of SARIF, PDF, and HTML deliverables
- CI/CD Integration: webhook delivery to GitHub, GitLab, Bitbucket, Jenkins
4. Categories of Personal Data
The Service may incidentally process the following personal data contained in customer uploads:
- Developer email addresses present in git history or app metadata
- API keys, OAuth tokens, secrets detected by the secrets scanner (redacted before display)
- User account data of the Customer (name, email, billing address)
- End-user data potentially present in third-party application binaries scanned by Customer
TitanShield does not request, require, or knowingly process special categories of personal data (GDPR Article 9).
5. Sub-Processors
TitanShield uses the following sub-processors:
- Hetzner Online GmbH (Germany) - hosting and compute infrastructure
- Stripe Payments Europe Ltd. (Ireland) - billing and payment processing
- Resend Inc. (USA, SCC-bound) - transactional email delivery
- Sentry Software Inc. (USA, SCC-bound) - error monitoring (PII-scrubbed)
Notice of sub-processor changes is provided at least 30 days in advance via email and posted on this page.
6. Data Location and International Transfers
All Customer data is stored and processed in the European Union (Hetzner Falkenstein and Nuremberg data centers). Transfers to non-EU sub-processors (Resend, Sentry) are covered by Standard Contractual Clauses (SCC) per Commission Implementing Decision (EU) 2021/914.
7. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- 2FA enforced on all admin and customer accounts
- Audit logging of all data access events
- Quarterly internal security reviews
- Annual third-party penetration test (planned Q4 2026)
- Backup retention: 3 daily / 7 weekly / 12 monthly snapshots
8. Data Subject Rights
You may request data export (GDPR Article 20) and deletion (Article 17) via /settings/data-export and /settings/delete-account or by emailing privacy@titanshield.tech. We respond within 30 days as required by GDPR.
9. Data Breach Notification
TitanShield will notify the Customer without undue delay and no later than 72 hours after becoming aware of a personal data breach. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and mitigation measures.
10. Retention and Deletion
Customer uploads and scan artifacts are retained per plan tier (Community: 30 days, Starter: 90 days, Titan: 365 days, Compliance: 7 years). Upon subscription termination or upon written request, TitanShield deletes all Customer personal data within 30 days, with backup purge cycles completing within 90 days.
11. Audit Rights
Customers on the Compliance Copilot tier may request a security audit pack (SOC 2 Type II planned 2027, ISO 27001 roadmap) once per calendar year. Self-assessed audit documentation is available on request to compliance@titanshield.tech.
12. Liability and Limitations
Liability and indemnification are governed by the Terms of Service, except where statutory liability under GDPR Articles 82-84 applies.
13. Contact
For DPA-specific questions, signature requests, or to receive a counter-signed copy:
- Email: privacy@titanshield.tech
- Mail: TitanShield SAS, France
- Data Protection contact: dpo@titanshield.tech
A counter-signed PDF version of this DPA is available on request for Enterprise and Compliance customers.
This DPA template is reviewed by EU counsel and aligned with GDPR Article 28. Customers on Enterprise or Compliance Copilot plans may negotiate amendments. Last legal review: May 2026.