1. Definitions
"Customer": the entity executing this Agreement and using NOWL services to scan and analyze code.
"NOWL": the data processor providing security scanning, fix generation, and deployment services described at nowl.build.
"Personal Data": any information relating to an identified or identifiable natural person, including Customer's end users' code metadata, email addresses, and authentication tokens.
"Processing": any operation performed on Personal Data (collection, storage, scanning, fixing, deletion).
2. Scope and Roles
Customer is the data controller; NOWL is the data processor acting on Customer's documented instructions (the NOWL Terms of Service + this DPA).
3. Security Measures
NOWL maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit and of sensitive data at rest
- Secure, industry-standard session and authentication handling
- Rate limiting and a managed web application firewall
- Regular rotation of cryptographic keys and credentials
Further detail on NOWL's security controls is available to customers under NDA upon request.
4. Data Subject Rights
NOWL assists Customer in responding to data subject requests within 30 days:
- Access: users can export their account data from account settings
- Deletion: account deletion with cascade removal; permanent deletion within 30 days
- Rectification: users can update their profile from account settings
- Portability: data export includes scan history and findings
5. Data Retention
- User account data: deleted within 30 days of account closure
- Audit logs: 90 days (default) or 1 year (Max plan)
- Scan results: soft-delete + hard-delete after 90 days
- Stripe billing data: 7 years (legal retention)
6. Breach Notification
NOWL notifies Customer of any Personal Data breach within 72 hours of becoming aware (GDPR Art 33). Notification includes nature, categories, approximate records affected, contact point, likely consequences, and mitigation.
7. Audit Rights
Customer may audit NOWL's compliance with this DPA once per year with 30 days' notice. NOWL provides relevant security documentation in lieu of on-site audit.
8. Termination
Upon contract termination, NOWL:
- Stops Processing within 7 days
- Deletes Personal Data within 30 days (extractable export upon request)
- Retains audit logs per Section 5 (legal retention)
9. Governing Law
For EU customers: governed by Irish law (EU establishment). For US customers: governed by Delaware law.