1. Parties and scope

Data Processor: Simoné Deyzel, independent cybersecurity consultant, Porto, Portugal ("I", "me").

Data Controller: the client entity that has engaged my services ("Client" or "you").

This Data Processing Agreement ("DPA") governs all personal data I process on behalf of the Client in connection with the delivery of security services. It applies from the start of the engagement and for any retention period thereafter.

2. Subject matter and nature of processing

Personal data is processed solely to the extent necessary to deliver the agreed services, which may include:

  • Penetration testing, attack surface mapping and vulnerability assessment of assets the Client controls and has authorised me to test.
  • Delivery of written reports, findings and remediation guidance via secure delivery channels agreed with the Client.
  • Virtual CISO (vCISO) advisory — reviewing policies, programmes and governance documentation that may reference named individuals.
  • Incident response — analysis of logs, artefacts and communications containing personal data, to the extent provided by the Client for this purpose.

3. Categories of data subjects and personal data

Depending on the engagement scope and materials provided, processing may involve:

  • Client personnel: names, email addresses, roles, and system access credentials (in-scope targets only, as authorised).
  • End users of the Client's systems: authentication artefacts, session tokens, or data incidentally observed during testing — limited to what is technically necessary and removed from deliverables unless explicitly required to evidence a finding.
  • Third-party individuals: personal data will not be retained beyond what is required to substantiate a finding; PII is redacted from reports wherever its inclusion is not necessary.

4. Processor obligations

I shall:

  • Process personal data only on the documented instructions of the Client, including with regard to transfers to third countries.
  • Ensure that any personnel or sub-contractors authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement the technical and organisational security measures set out in Section 7.
  • Assist the Client, at the Client's cost, in responding to data subject rights requests, data protection impact assessments, and supervisory authority consultations, to the extent I hold relevant data.
  • Delete or return all personal data upon completion or termination of the engagement, at the Client's choice, within 30 days — unless a longer period is required by EU or Portuguese law.
  • Provide information reasonably necessary to demonstrate compliance with this DPA, and support audits or inspections by the Client or an appointed third-party auditor, with reasonable notice.
  • Inform the Client without undue delay if I believe any instruction infringes the GDPR or applicable data protection law.

5. Sub-processors

I use the following sub-processors for infrastructure and tooling. The Client provides general authorisation for their use. I will notify the Client of any intended additions or replacements with reasonable advance notice.

All sub-processors are bound by data processing agreements at least as protective as this DPA.

6. International transfers

Processing takes place primarily within the EU/EEA. Switzerland (Infomaniak) is covered by a European Commission adequacy decision. Where Cloudflare processes data outside the EEA, this is done under Standard Contractual Clauses (GDPR Article 46(2)(c)). A copy of the applicable SCCs is available on request.

7. Security measures

  • Encryption in transit: all traffic to simone-deyzel.com is TLS 1.2+ enforced at the CDN edge; no plain-HTTP communication for any data.
  • Encryption at rest: work product and any client-provided materials shared electronically are stored on access-controlled EU-resident infrastructure; backups are AES-256 encrypted before upload to object storage.
  • Authentication: SSH key-only access to all server infrastructure; all service credentials stored in OpenStack Barbican and never written to disk in plaintext.
  • Least privilege: each service runs under a dedicated OS user with minimal permissions; the contact handler holds a Barbican-read-only credential scoped only to the secrets it needs.
  • Network isolation: all server processes bind to loopback or a private network and are proxied via nginx; UFW firewall restricts inbound traffic to Gcore CDN CIDR ranges only — direct-to-origin access is blocked.
  • Edge security: Gcore WAAP enforces OWASP Top Threats, L7 DDoS, and protocol-validation rulesets in front of all public-facing services.
  • Intrusion prevention: CrowdSec monitors nginx and SSH logs; confirmed attack signatures trigger automatic IP blocking at the host (iptables) and CDN edge (Gcore) layers simultaneously.
  • Security monitoring: a dedicated SIEM (Wazuh) aggregates logs from all infrastructure in real time; detection rules cover authentication anomalies, file-integrity changes, and MITRE ATT&CK-aligned patterns.
  • Log retention and purge: traffic and security logs are retained for 90 days and then automatically purged.

8. Personal data breach notification

I shall notify the Client without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Client data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. I will cooperate fully in any required supervisory authority notification.

9. Duration and termination

This DPA applies for the duration of the engagement and any retention period thereafter. On expiry or termination, I will securely delete or return all personal data within 30 days unless a longer retention period is required by EU or Portuguese law, in which case I will protect the data and limit processing to what is legally required.

10. Governing law

This DPA is governed by the laws of Portugal and the European Union. Disputes arising in connection with this DPA are subject to the competent courts of Portugal, without prejudice to the Client's right to lodge a complaint with its local data protection supervisory authority.

11. Contact

Questions about this DPA or data protection matters: contact form.