For Business and MSP customers: This DPA is incorporated by reference into your DNSAFE Terms of Service and is effective automatically for all Business and MSP plan customers. If you require a countersigned copy for your compliance records, email legal@dnsafe.net with the subject line "DPA Request" and we will return an executed copy within 5 business days.
1. Definitions
In this Data Processing Agreement ("DPA"):
- "Controller" means the Customer (you), who determines the purposes and means of processing Personal Data.
- "Processor" means Admiresty Corporation, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, including IP addresses and DNS query logs where these relate to an identified individual.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an individual whose Personal Data is processed.
- "Sub-processor" means any third party engaged by Admiresty to process Personal Data in the course of providing the Service.
- "GDPR" means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR as incorporated into UK law by the Data Protection Act 2018.
- "Applicable Data Protection Law" means GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection legislation.
- "Service" means the DNSAFE DNS security platform as described in the Terms of Service.
2. Nature and Purpose of Processing
Subject matter: Processing of Personal Data associated with DNS queries resolved by the DNSAFE Service on behalf of the Customer.
Duration: For the term of the Customer's subscription, plus any applicable retention periods described in this DPA.
Nature: Collection, storage, analysis, and deletion of DNS query logs including source IP addresses, domain names queried, timestamps, and filtering actions taken.
Purpose: To provide the DNS security filtering service, including threat detection, query logging for the Customer's dashboard, and generation of security reports.
Types of Personal Data: IP addresses of registered devices; domain names resolved (which may indirectly reveal browsing patterns); account email addresses; billing contact information.
Categories of Data Subjects: The Customer's employees, contractors, household members, or end users whose devices are configured to use DNSAFE resolvers.
3. Processor Obligations
Admiresty Corporation (as Processor) shall:
- Process Personal Data only on documented instructions from the Controller (i.e., as described in this DPA and the Terms of Service), unless required to do so by applicable law. In such cases, we will inform the Controller before processing, unless prohibited by law.
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational security measures described in Section 5 of this DPA.
- Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests, to the extent possible given the nature of the processing.
- Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires retention.
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits requested by the Controller, with reasonable notice and at the Controller's cost.
- Promptly inform the Controller if, in our opinion, an instruction infringes Applicable Data Protection Law.
4. Controller Obligations
The Controller (Customer) shall:
- Ensure a lawful basis exists for all Personal Data provided to or generated by the Service.
- Provide any required notices to Data Subjects about the use of DNSAFE to process their Personal Data.
- Comply with Applicable Data Protection Law with respect to its instructions to Admiresty Corporation.
- Not instruct Admiresty to process Personal Data in a manner that would violate Applicable Data Protection Law.
5. Technical and Organisational Security Measures
Admiresty Corporation implements the following measures to protect Personal Data:
- Encryption in transit: All data transmitted between users and DNSAFE systems is encrypted using TLS 1.2 or higher. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are supported.
- Encryption at rest: Sensitive data fields stored in the database are encrypted. Backups are encrypted before transfer to off-site storage.
- Access controls: Logical access to production systems is restricted to authorised personnel. Multi-factor authentication is required for administrative access.
- Network security: Infrastructure is protected by firewalls, rate limiting, intrusion detection monitoring, and regular vulnerability assessments.
- Data minimisation: We collect only the DNS query data necessary to provide the Service (domain name, timestamp, action). We do not log full URLs, query content, or payload data.
- Backup and recovery: Automated daily backups with tested recovery procedures. Backups are stored in geographically separate locations.
- Incident response: A documented incident response procedure including breach notification timelines as described in Section 7.
- Sub-processor security: All sub-processors are required to maintain security standards at least equivalent to those described in this section.
6. Sub-processors
The Controller provides general authorisation for Admiresty to engage the following sub-processors. We will notify the Controller at least 30 days in advance of adding or replacing any sub-processor by updating this page and/or sending email notice to the Controller's account email address.
| Sub-processor |
Purpose |
Location |
| Amazon Web Services |
Cloud infrastructure, database, DNS resolver hosting, encrypted backups |
US, Singapore, Ireland |
| Stripe, Inc. |
Payment processing and subscription management |
US |
| Google LLC (reCAPTCHA) |
Bot and fraud detection on authentication pages |
US |
The Controller may object to a new sub-processor within 30 days of notice. If the objection cannot be resolved, the Controller may terminate the Service without penalty, subject to the Refund Policy.
7. Data Breach Notification
In the event of a Personal Data breach affecting the Controller's data, Admiresty Corporation will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide, to the extent known at the time, a description of the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller and take reasonable steps to mitigate and remediate the breach.
We will not make any public statement about a breach affecting the Controller's data without the Controller's prior consent, unless required to do so by law.
8. Data Subject Rights
If Admiresty receives a request directly from a Data Subject exercising rights under Applicable Data Protection Law (access, erasure, restriction, portability, objection), we will promptly forward it to the Controller and will not respond on the Controller's behalf without the Controller's instruction, except where required by law.
We will assist the Controller, using appropriate technical and organisational measures, to fulfil its obligations to respond to Data Subject rights requests within the legally required timeframes.
9. International Transfers
Personal Data processed under this DPA may be transferred to and processed in the United States and other countries where Admiresty's infrastructure or sub-processors are located. For transfers from the EEA or UK to the US, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Customers may request a copy of applicable SCCs by emailing legal@dnsafe.net.
10. Return and Deletion of Data
Upon termination of the Service, Admiresty will, at the Controller's choice:
- Delete all Personal Data within 90 days of account closure, unless applicable law requires longer retention; or
- Export the Controller's query logs in CSV format upon written request submitted within 30 days of account closure.
Requests for data export must be submitted to privacy@dnsafe.net before account deletion.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. To the extent required by Applicable Data Protection Law, the parties may each be held liable for their own non-compliance with obligations under this DPA and Applicable Data Protection Law.
12. Term and Termination
This DPA is effective for the duration of the Customer's subscription and terminates automatically upon the Customer's account closure. Obligations relating to confidentiality, data deletion, breach notification, and international transfer safeguards survive termination.
13. Governing Law
This DPA is governed by the laws of the State of Delaware, USA, without regard to its conflict of law principles, except to the extent that Applicable Data Protection Law (such as GDPR) requires otherwise.
14. Requesting a Countersigned DPA
This DPA is automatically incorporated into your Terms of Service. If you require a signed copy for your compliance records or vendor management process, email legal@dnsafe.net with the subject line "DPA Request" and include your company name and account email address. We will return an executed copy within 5 business days.
15. Contact
Admiresty Corporation
Data Privacy โ DNSAFE
legal@dnsafe.net