CVD Portal

Data Processing Agreement

Version 1.0, July 2026. This DPA is incorporated into the CVD Portal Terms of Service for every tenant. For a countersigned copy, email [email protected].

1. Parties and Roles

This Data Processing Agreement ("DPA") applies between the customer operating a CVD Portal tenant (the "Controller") and CVD Portal (the "Processor") whenever the Processor processes personal data on the Controller's behalf under Article 28 GDPR. For vulnerability submissions received through the Controller's portal, the Controller determines the purposes and means of processing. The Processor acts only on the Controller's documented instructions as expressed through the platform's configuration and this DPA.

2. Subject Matter and Duration

The Processor operates a coordinated vulnerability disclosure platform, including a public submission portal, report management, notification workflows, and EU Cyber Resilience Act compliance tooling. Processing lasts for the duration of the Controller's account plus the deletion window in Section 8.

3. Nature and Purpose of Processing

Collection, storage, structuring, and disclosure-to-the-Controller of vulnerability reports and associated researcher contact data. Delivery of transactional notifications. Generation of compliance records required by the Cyber Resilience Act, including Article 14 reporting evidence.

4. Categories of Data and Data Subjects

  • Data subjects: security researchers submitting reports, the Controller's staff accounts, and individuals mentioned in report content.
  • Personal data: names and email addresses of staff and (where volunteered) researchers, authentication data, IP addresses and country codes in security logs, and any personal data a researcher includes in free-text report content.
  • No special categories of data are solicited by the platform.

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures in Annex II.
  • Assist the Controller with data subject requests, breach notification, and records of processing, in each case insofar as the data is held on the platform.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's tenant.
  • Make available the information necessary to demonstrate compliance, and allow audits as described in Section 9.

6. Subprocessors

The Controller grants general authorisation for the subprocessors listed at cvdportal.com/trust#subprocessors(Annex III of this DPA). The Processor will give 30 days' notice before adding a subprocessor with material access to submission data. The Controller may object on reasonable data-protection grounds, in which case the parties will seek a solution and the Controller may terminate and export its data if none is found.

7. International Transfers

The platform, its database, and its backups are hosted with Hetzner in Germany. Submission data is not transferred outside the EU/EEA by default. Where a listed subprocessor processes data outside the EEA (for example optional AI features or edge network traffic), transfers rely on Standard Contractual Clauses as identified in Annex III.

8. Deletion and Return

The Controller can export all tenant data (CSV and JSON) at any time. On account deletion, all personal data is erased within 30 days. One exception applies, disclosed here and in the Privacy Policy. Audit entries forming the Controller's CRA Article 14 evidence chain are retained in pseudonymised form, with personal identifiers removed and email addresses replaced by one-way tokens, so that the regulatory compliance record survives the erasure. This retention implements a legal obligation under Regulation (EU) 2024/2847 and applies to no other data.

9. Audits

The Processor makes its security documentation available at cvdportal.com/trust, including subprocessors, security controls, and incident response. On written request, and at most once per year absent a supervisory authority requirement, the Processor will complete the Controller's security questionnaire or make audit evidence available under NDA.

Annex I — Processing Details

Subject matter, nature, purpose, duration, data categories, and data subjects are as set out in Sections 2 to 4 of this DPA.

Annex II — Technical and Organisational Measures

  • Hosting in Hetzner data centres in Nuremberg, Germany (ISO 27001 certified provider).
  • TLS 1.2+ on all endpoints, HSTS with preload, strict security headers.
  • Application-level AES-256-GCM encryption for stored integration credentials. Passwords hashed with bcrypt, API keys stored as SHA-256 hashes.
  • Tamper-evident audit logging: per-tenant SHA-256 hash chains, database-level rejection of updates and deletions, daily automated chain verification.
  • Tenant isolation enforced on every query by the verified session's tenant id.
  • Role-based access control, email verification, optional SSO and EUDI wallet verification.
  • Daily encrypted backups shipped off the primary host, decryption key held offline, with periodic restore drills.
  • Administrative access only over a private VPN overlay. No public SSH.
  • Rate limiting and abuse alerting on unauthenticated endpoints.
  • Quarterly independent penetration testing.

Annex III — Authorised Subprocessors

The current list, including purpose, data categories, region, and transfer mechanism per subprocessor, is maintained at cvdportal.com/trust#subprocessors and forms part of this DPA.