Data Processing Agreement
Last updated: April 20, 2026
This DPA forms part of the SquareBreach Terms of Service and applies whenever SquareBreach processes personal data on your behalf as a Processor under the GDPR.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service.
- Customer — the legal entity or individual holding the SquareBreach account (acts as Controller).
- SquareBreach — the operator of squarebreach.com (acts as Processor).
- Personal Data — data relating to identified or identifiable natural persons that the Customer submits to the service or causes the service to process.
2. Subject matter & duration
SquareBreach processes Personal Data on the Customer’s documented instructions (which include using the service as intended). Processing lasts for the duration of the Customer’s active account plus the retention periods documented in the Privacy Policy.
3. Nature & purpose of processing
Hosting of authentication credentials, search history, usage analytics, payment metadata and credit ledger entries that are necessary for delivering the SquareBreach SaaS.
4. Categories of data subjects & data
- Data subjects: the Customer’s end users (typically the Customer themselves; for team accounts, their employees).
- Data categories: email address, OAuth provider id, IP address, user-agent, search query strings, payment metadata, credit balance, and any data the Customer voluntarily submits.
5. Obligations of SquareBreach
SquareBreach will:
- process Personal Data only on the Customer’s documented instructions;
- ensure that personnel authorised to process Personal Data are bound by confidentiality;
- implement the technical and organisational measures listed on /security;
- assist the Customer in responding to data-subject requests (access, rectification, erasure, portability) within reasonable timeframes;
- notify the Customer of a Personal Data breach without undue delay and within 72 hours of becoming aware;
- on termination, delete or return all Personal Data within 30 days (subject to legal retention obligations).
6. Subprocessors
The Customer authorises SquareBreach to use the subprocessors listed on /legal/subprocessors. SquareBreach will give 30 days’ advance notice of new subprocessors. The Customer may object in writing within that period; if the parties cannot reach a resolution, the Customer may terminate the affected service.
7. International transfers
Where personal data is transferred outside the EEA, SquareBreach relies on (a) adequacy decisions, or (b) Standard Contractual Clauses 2021/914 with the receiving party, supplemented by the technical measures described in our Privacy Policy.
8. Audits
On reasonable written request (and no more than once per year unless a breach has occurred), the Customer may audit SquareBreach’s compliance with this DPA. SquareBreach may satisfy the audit right by providing the most recent third-party audit reports of its subprocessors (e.g. Supabase SOC 2 report).
9. Liability
Liability for processing under this DPA is governed by the limitation clauses in the Terms of Service. Each party remains liable for its own GDPR fines.
10. Acceptance
By using the service the Customer accepts this DPA. Enterprise customers may request a counter-signed PDF version at legal@squarebreach.com.