This Data Processing Addendum forms part of the Terms of Service or other written agreement between Tesoniq and a business customer where Tesoniq processes Customer Personal Data as a processor on behalf of the Customer.
By using Tesoniq for private reports, monitored domains, scheduled scans, account-based reports, exports, or other customer-controlled processing, the Customer agrees to this Data Processing Addendum unless a written agreement states otherwise.
1. Parties
This Data Processing Addendum is between:
- Customer: the organisation, agency, consultant, freelancer, business, or other legal entity using Tesoniq under an applicable subscription, account, order, or agreement.
- Tesoniq: the website and online service operated under the Tesoniq name.
Together, the parties are referred to as the Parties.
2. Relationship to the main agreement
This Data Processing Addendum supplements the Terms of Service, subscription terms, checkout terms, or other written agreement between the Parties. If there is a conflict regarding the processing of Customer Personal Data, this Data Processing Addendum controls to the extent required by applicable data protection law.
3. Definitions
- Customer Personal Data means personal data processed by Tesoniq on behalf of Customer as a processor.
- Data Protection Laws means applicable data protection, privacy, and security laws, including the General Data Protection Regulation where applicable.
- Controller, processor, personal data, processing, personal data breach, and subprocessor have the meanings given under applicable Data Protection Laws.
4. Roles
For Customer-controlled private reports, monitored domains, scheduled scans, submitted content, exports, and account-based workflows:
- Customer is the controller or processor, as applicable.
- Tesoniq is the processor or subprocessor, as applicable.
For account administration, billing, security, abuse prevention, service analytics, product operation, fraud prevention, legal compliance, public or free scan operation, and business communications, Tesoniq may act as an independent controller as described in the Privacy Policy.
5. Customer responsibilities
Customer is responsible for:
- Having authority to submit domains, URLs, pages, screenshots, content, and personal data to Tesoniq.
- Providing required notices and obtaining required consents.
- Establishing and documenting a lawful basis for processing.
- Ensuring that instructions to Tesoniq comply with Data Protection Laws.
- Avoiding submission of unnecessary sensitive, special category, confidential, or high-risk personal data.
- Responding to data subject requests where Customer is the controller.
- Ensuring that Customer users, clients, contractors, and administrators comply with the agreement.
6. Processing instructions
Tesoniq will process Customer Personal Data only:
- To provide, secure, support, maintain, and improve the Service.
- As instructed by Customer through product settings, account workflows, order forms, support requests, and the agreement.
- To comply with applicable law.
- To protect the Service, users, Tesoniq, or third parties from abuse, security threats, fraud, or legal risk.
If Tesoniq believes an instruction violates Data Protection Laws, it will notify Customer where legally permitted. Tesoniq may suspend the affected processing until the concern is resolved.
7. Details of processing
The subject matter, duration, nature, purpose, data categories, and data subjects are described in Annex A.
8. Confidentiality
Tesoniq will ensure that personnel authorised to process Customer Personal Data are subject to confidentiality obligations, whether by employment contract, professional obligation, written agreement, or equivalent duty.
9. Security measures
Tesoniq will maintain appropriate technical and organisational measures designed to protect Customer Personal Data. These measures may include those described in Annex B.
Security measures may be updated over time, provided they do not materially reduce the overall level of protection.
10. Subprocessors
Customer authorises Tesoniq to use subprocessors to provide the Service. Tesoniq will maintain a list of subprocessors or provider categories available through the legal hub, account area, order form, or on request.
Tesoniq will impose data protection obligations on subprocessors that are substantially similar to those in this Data Processing Addendum where required by Data Protection Laws. Tesoniq remains responsible for the performance of subprocessors' obligations to the extent required by applicable law.
Tesoniq may add or replace subprocessors. Where required by law or enterprise agreement, Tesoniq will provide notice of material subprocessor changes and a reasonable opportunity to object on data protection grounds. If Customer objects and the parties cannot reasonably resolve the objection, Customer's remedy is to stop using the affected feature or terminate the affected order as permitted by the agreement.
11. International transfers
Where Customer Personal Data is transferred internationally, Tesoniq will use appropriate transfer safeguards where required by Data Protection Laws, such as adequacy decisions, Standard Contractual Clauses, transfer impact assessments, or equivalent lawful mechanisms.
Transfer terms are described in Annex C.
12. Assistance with data subject requests
Taking into account the nature of processing and information available to Tesoniq, Tesoniq will provide reasonable assistance to help Customer respond to data subject rights requests where required by Data Protection Laws.
Tesoniq may charge reasonable fees for assistance that is excessive, complex, manual, outside standard product functionality, or not caused by Tesoniq's breach of this Data Processing Addendum, unless prohibited by law.
13. Personal data breach
Tesoniq will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data where notification is required by Data Protection Laws.
Notification will include information reasonably available to Tesoniq, which may include the nature of the incident, affected data categories, likely consequences, and mitigation steps. Tesoniq may provide information in phases as it becomes available.
Tesoniq's notification or response to a personal data breach is not an admission of fault, liability, or violation.
14. Deletion or return
At the end of the Service relationship or on valid Customer request, Tesoniq will delete or return Customer Personal Data through available product functionality or reasonable assistance, subject to retention required or permitted for legal compliance, billing, tax, accounting, security, abuse prevention, backup, dispute resolution, or legitimate business records.
Backup copies may be overwritten according to normal backup cycles.
15. Audits and information
Tesoniq will make available information reasonably necessary to demonstrate compliance with this Data Processing Addendum, subject to confidentiality, security, and reasonable operational limits.
Unless a signed enterprise agreement states otherwise:
- Audits are limited to once per calendar year.
- Customer must provide at least 30 days' written notice.
- Audits must occur during normal business hours.
- Audits are remote-first unless on-site access is legally required.
- Customer is responsible for its own audit costs and reasonable costs incurred by Tesoniq for extensive assistance.
- Audits must not compromise Tesoniq security, source code, trade secrets, other customers' data, provider systems, or confidential business information.
- Tesoniq may satisfy audit requests through policies, summaries, certifications, third-party reports, questionnaires, or equivalent documentation where available.
16. Liability
Liability arising from this Data Processing Addendum is subject to the limitations, exclusions, and caps in the Terms of Service or applicable written agreement, unless prohibited by law.
17. Annex A: Processing details
| Item | Description |
| --- | --- |
| Subject matter | Processing personal data through the Tesoniq website trust intelligence platform |
| Duration | The term of Customer's use of the Service plus retention required for backups, legal, billing, security, abuse prevention, and dispute purposes |
| Nature of processing | Collection, transmission, storage, hosting, retrieval, analysis, extraction, screenshot processing, report generation, scoring, export, deletion, support access, logging, and security monitoring |
| Purpose | Providing scans, reports, monitored domains, scheduled scans, usage tracking, support, security, abuse prevention, reliability, and service administration |
| Data subjects | Customer users, administrators, client contacts, website authors, website visitors whose personal data appears on submitted pages, and individuals referenced in submitted content |
| Personal data categories | Names, email addresses, business contact details, account identifiers, IP addresses, device data, log data, submitted website text, screenshots, metadata, report evidence, and scan results |
| Sensitive data | Not required for normal use. Customer must not submit sensitive or special category data unless it has a lawful basis, authority, and safeguards |
| Frequency | Continuous or as initiated by Customer, scheduled scans, support workflows, and automated service operations |
18. Annex B: Technical and organisational measures
Tesoniq's measures may include:
- Role-based access controls.
- Least-privilege access.
- Authentication for internal systems.
- Encryption in transit using Transport Layer Security.
- Encryption at rest for sensitive stores where supported.
- Audit logging and monitoring.
- Backup and recovery procedures.
- Vulnerability management and patching procedures.
- Incident response procedures.
- Subprocessor due diligence and contractual obligations.
- Data minimisation and retention controls.
- Separation between public and private report workflows.
- Abuse-prevention controls, rate limits, and domain verification.
- Secrets management and restricted access to production configuration.
- Security review of material changes where appropriate.
19. Annex C: International transfer safeguards
Where required, transfers may rely on:
- Adequacy decisions.
- Standard Contractual Clauses approved by the European Commission.
- United Kingdom or Swiss transfer mechanisms where applicable.
- Transfer impact assessments.
- Supplementary technical, contractual, or organisational safeguards where appropriate.
If Standard Contractual Clauses are required, the Parties agree to execute or incorporate the applicable clauses and modules for the relevant transfer scenario.
20. Annex D: Subprocessor and provider categories
Tesoniq may use providers in the following categories:
- Hosting and infrastructure.
- Content delivery network and edge security.
- Database, storage, and backup.
- Authentication and identity.
- Email delivery.
- Payment processing and billing.
- Analytics and product measurement.
- Error monitoring and logging.
- Customer support and communications.
- Artificial intelligence, page analysis, screenshot, or content-analysis providers.
- Security, fraud prevention, abuse prevention, and rate limiting.
- Professional advisers and compliance providers.
A provider list with specific names may be maintained separately and updated as the Service evolves.
Contact
For privacy or DPA questions, contact [email protected] or use the Privacy Request category on the Contact page. We aim to respond to most inquiries within 3 business days.