Data Processing Agreement

Last updated: March 29, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AllyShield (Devitus Digital Ltd, "Processor") and the Customer ("Controller"). This DPA sets out the terms that apply when personal data is processed by AllyShield on behalf of the Customer.

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", "Processor" and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679.

3. Scope of Processing

AllyShield processes personal data solely for the purpose of providing the accessibility scanning and compliance monitoring service. Data processed includes website URLs, scan results, user account information, and billing details as described in our Privacy Policy.

4. Data Controller and Processor

The Customer acts as the Data Controller. AllyShield acts as the Data Processor, processing personal data on the Controller's instructions as set out in this DPA and the Terms of Service.

5. Sub-Processors

AllyShield uses the following sub-processors to deliver our service:

We will notify the Controller before adding or replacing sub-processors, giving the Controller an opportunity to object.

6. Data Subject Rights

AllyShield will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by GDPR. Data subjects can exercise their rights through the AllyShield dashboard Privacy settings or by contacting our DPO.

7. Data Breach Notification

AllyShield will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. Notification will include the nature of the breach, categories of data affected, approximate number of data subjects affected, and measures taken to address the breach.

8. Data Retention

Personal data is retained for the duration of the service agreement plus applicable retention periods. Upon account deletion, personal data is erased within 30 days, except where retention is required by law (e.g., invoice records for 7 years). Consent records are anonymized after 3 years.

9. International Transfers

Where personal data is transferred outside the European Economic Area, AllyShield ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions such as the EU-US Data Privacy Framework.

10. Security Measures

AllyShield implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit (TLS 1.3), access controls, regular security audits, and employee training.

11. Contact

Data Protection Officer: dpo@allyshield.net

For questions about this DPA, contact us at legal@allyshield.net.
