Legal

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements and forms part of the Bug Circuit Terms of Service between Bug Circuit and its business customers. It governs how Bug Circuit processes personal data on the customer's behalf when providing the Bug Circuit security-testing services, and it reflects the parties' respective roles and obligations under the EU General Data Protection Regulation and equivalent UK data protection law.

Last updated: 6 July 2026

1.Introduction and Scope

This Data Processing Addendum ("DPA") is entered into between WEB CODE STORE (PVT) LTD ("Bug Circuit", "we", "us") and the business customer that has agreed to the Bug Circuit Terms of Service (the "Customer", "you"). It applies where, and to the extent that, Bug Circuit processes Customer Personal Data on your behalf in the course of providing the Bug Circuit services described in the Terms (the "Services").

This DPA forms part of, and is incorporated into, the Terms of Service. Where there is a conflict between this DPA and the Terms on the subject of the processing of Customer Personal Data, this DPA prevails. All capitalised terms not defined here have the meaning given in the Terms.

In this DPA, "GDPR" means Regulation (EU) 2016/679; "UK GDPR" means the GDPR as incorporated into the law of the United Kingdom; and "Data Protection Law" means the GDPR, the UK GDPR, and any other applicable data protection or privacy laws, in each case as amended or replaced from time to time. "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in Data Protection Law.

2.Roles of the Parties

As between the parties, the Customer is the Controller and Bug Circuit is the Processor with respect to Customer Personal Data. The Customer determines the purposes and means of the Processing; Bug Circuit processes Customer Personal Data only on the Customer's behalf and in accordance with this DPA.

The Customer is responsible for ensuring that it has a valid lawful basis for the Processing, that it has provided any notices and obtained any consents required under Data Protection Law, and that its instructions to Bug Circuit comply with Data Protection Law. The Customer warrants that it is entitled to submit the domains and other information it provides to the Services and that it has all necessary authority to authorise the security testing it requests.

Bug Circuit acts as an independent Controller for a limited set of data it processes for its own purposes — for example, account and billing records, security and audit logging, and product analytics. That Processing is governed by the Bug Circuit Privacy Policy, not by this DPA.

3.Subject Matter, Duration, Nature and Purpose of Processing

Subject matter. The provision of the Services under the Terms, namely a manual security audit of a domain the Customer owns and has authorised for testing, together with the account, verification, checkout, support, and reporting functions that surround it.

Nature and purpose. Processing is carried out to authenticate and administer the Customer's account; to verify domain ownership and record the Customer's Authorization to Test; to receive and manage scan requests; to conduct the manual audit and passive reconnaissance and to deliver the resulting verdict or written report; to process orders and payments; to provide premium support and live chat; and to maintain security and an append-only audit log. Processing operations include collection, recording, storage, organisation, retrieval, consultation, use, transmission to Sub-processors, restriction, erasure, and destruction.

Duration. Processing continues for the term of the Terms and for as long as Bug Circuit retains Customer Personal Data to provide the Services, subject to the deletion and return obligations in Section 10.

4.Categories of Personal Data and Data Subjects

Categories of Data Subjects. The Customer's authorised users and personnel who create or operate an account; individuals who contact Bug Circuit through support or live chat; the Customer's billing and administrative contacts; and any individuals whose personal data may incidentally appear within security findings relating to the tested domain.

Categories of Personal Data

  • Account and identity data: business email address (used for passwordless one-time-code login), organisation name, and the named contact for paid plans.
  • Domain and verification data: verified domains and the ownership-verification records associated with them, and the recorded Authorization to Test.
  • Scan and findings data: scan requests, the manual verdict or written report, and any personal data incidentally contained in vulnerability findings for the tested domain.
  • Support and communications data: live-chat transcripts including the name and email captured at the start of a chat, and other support correspondence.
  • Transaction data: order and voucher records and payment confirmation status. Full card or account credentials are handled by the third-party payment processor and are not stored by Bug Circuit.
  • Log data: the append-only audit log of account and Service activity.
The Services are not designed to process special categories of personal data. The Customer must not deliberately submit special-category data (Article 9 GDPR) or data relating to criminal convictions to the Services.

5.Bug Circuit's Processing Obligations

Bug Circuit will process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law; in that case Bug Circuit will, where legally permitted, inform the Customer of that legal requirement before Processing. The Terms, this DPA, and the Customer's use of the Services (including submitting scan requests and configuration choices) constitute the Customer's documented instructions.

If Bug Circuit believes an instruction infringes Data Protection Law, it will inform the Customer without undue delay. Bug Circuit is not obliged to carry out an instruction it reasonably considers unlawful.

Bug Circuit will ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations and are trained on their data protection responsibilities, and will limit access to those personnel who need it to provide the Services. Administrative access is restricted and staff authenticate using passkeys (WebAuthn).

6.Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risks to Data Subjects, Bug Circuit will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR.

  • Tenant isolation of Customer data with database row-level security.
  • Passwordless one-time-code login for customers and phishing-resistant passkey (WebAuthn) authentication for administrative staff.
  • Encryption of data in transit, and access controls that enforce least-privilege access to production systems and data.
  • An append-only audit log of account and Service activity to support accountability and incident investigation.
  • Use of reputable cloud infrastructure and vetted third-party Sub-processors for hosting, payment processing, transactional email, and the AI chat assistant.
  • The server-side AI chat assistant answers product questions only and has no access to Customer Personal Data.

Bug Circuit may update its security measures from time to time provided that the updates do not materially reduce the overall level of protection of Customer Personal Data.

7.Sub-processors

The Customer provides a general authorisation for Bug Circuit to engage Sub-processors to process Customer Personal Data in connection with the Services. The categories of Sub-processors currently authorised are set out in the Annex to this DPA.

Before a Sub-processor processes Customer Personal Data, Bug Circuit will impose on it, by written contract, data protection obligations no less protective than those in this DPA, in particular appropriate security measures under Article 28(4) GDPR. Bug Circuit remains fully liable to the Customer for the performance of each Sub-processor's obligations.

Bug Circuit will give the Customer notice of any intended addition or replacement of a Sub-processor, giving the Customer a reasonable opportunity to object on reasonable data protection grounds. If the Customer raises a legitimate objection that the parties cannot resolve, the Customer may, as its sole remedy, terminate the affected Services in accordance with the Terms.

8.Assistance to the Customer

Taking into account the nature of the Processing and the information available to it, Bug Circuit will provide reasonable assistance to the Customer, by appropriate technical and organisational measures and insofar as possible, so that the Customer can respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including access, rectification, erasure, restriction, portability, and objection).

If Bug Circuit receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond to the substance of the request except on the Customer's documented instructions, and will without undue delay forward the request to the Customer, unless prohibited by law.

Bug Circuit will also provide reasonable assistance to the Customer with data protection impact assessments and any prior consultation with a Supervisory Authority, in each case where required under Articles 35 and 36 GDPR and relating to the Processing under this DPA.

9.Personal Data Breach Notification

Bug Circuit will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate its effects.

Bug Circuit will cooperate with the Customer and take reasonable steps that the Customer directs to assist in the investigation, mitigation, and remediation of the breach. Bug Circuit's notification is not an acknowledgement of fault or liability.

The Customer, as Controller, is responsible for determining whether a Personal Data Breach must be notified to a Supervisory Authority or to affected Data Subjects, and for making any such notification.

10.Return and Deletion of Data

On termination or expiry of the Services, and at the Customer's choice, Bug Circuit will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires storage of the Personal Data. Where the Customer does not make a choice, Bug Circuit will delete Customer Personal Data after a reasonable wind-down period.

Bug Circuit may retain Customer Personal Data to the extent and for the period required by applicable law, and may retain the append-only audit log and limited records needed for security, legal, accounting, or dispute-resolution purposes. Any such retained data remains subject to the confidentiality and security terms of this DPA, and Bug Circuit will no longer actively process it other than as required for those purposes. Data held in routine backups is deleted in accordance with Bug Circuit's backup rotation cycle.

11.Audits and Demonstrating Compliance

Bug Circuit will make available to the Customer information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

To respect the security of other customers and Bug Circuit's infrastructure, audits are subject to reasonable conditions: they take place during normal business hours, on reasonable prior written notice, no more than once in any twelve-month period (unless required by a Supervisory Authority or following a Personal Data Breach), under confidentiality, and without unreasonable disruption to Bug Circuit's operations. The Customer bears its own costs and any reasonable costs Bug Circuit incurs in supporting the audit. Bug Circuit may satisfy audit requests by providing relevant policies, summaries of security measures, and any third-party certifications or reports it holds.

12.International Transfers

Bug Circuit and its Sub-processors may process Customer Personal Data in locations outside the European Economic Area or the United Kingdom. Where such Processing involves a transfer of Customer Personal Data to a country that is not the subject of an adequacy decision, Bug Circuit will ensure an appropriate transfer mechanism is in place as required by Data Protection Law.

In particular, the parties agree that the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, and Module Three: Processor to Sub-processor as applicable) are incorporated into this DPA by reference and apply to any such transfer, together with the UK International Data Transfer Addendum where the transfer is subject to the UK GDPR. Where required, the parties will complete the relevant clauses consistently with this DPA, and this DPA and the Terms populate the descriptive appendices to those clauses.

13.Liability, Term and General

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA takes effect on the effective date of the Terms and remains in force for as long as Bug Circuit processes Customer Personal Data on the Customer's behalf.

This DPA is governed by, and construed in accordance with, the laws of Sri Lanka, except to the extent that Data Protection Law or the Standard Contractual Clauses require otherwise. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force.

Data protection queries and requests under this DPA should be sent to [email protected]. Legal notices should be sent to [email protected], and security matters to [email protected]. General enquiries: [email protected]. WEB CODE STORE (PVT) LTD, a company registered in Sri Lanka, PV 00318975.

14.Annex — Sub-processor Categories

Bug Circuit engages the following categories of Sub-processors to process Customer Personal Data in connection with the Services. Specific providers within each category may change on notice in accordance with Section 7.

  • Cloud hosting and infrastructure — hosting of the application and databases (PostgreSQL and Redis), used to store and process account, scan, support, and log data.
  • Payment processor (e.g. PayPal) — processing of checkout and payment transactions; handles card and account details, which Bug Circuit does not store.
  • Transactional email provider — delivery of one-time login codes, account, order, and support notifications; processes recipient email addresses and message content.
  • AI assistant provider (Google, Gemini) — the server-side AI chat assistant that answers product questions; it has no access to Customer Personal Data and receives only the product-related query content sent to it.
Questions about this policy? Email [email protected] or see our other legal documents.