DeepWeb Platform, LLC
Last Updated: 2026-01-01
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Customer (“Controller”) and DeepWeb Platform, LLC (“Processor”). This DPA governs Deep’s processing of personal data on behalf of the Customer under GDPR, UK GDPR, and equivalent international laws.
1. Definitions
• “Personal Data”: Any information relating to an identified or identifiable natural person.
• “Processing”: Any operation performed on Personal Data.
• “Controller”: Entity determining purposes and means of processing.
• “Processor”: Entity processing Personal Data on behalf of Controller.
• “Subprocessor”: Third party engaged by Processor to process Personal Data.
• “SCCs”: Standard Contractual Clauses issued by the European Commission.
2. Subject Matter and Purpose
Deep processes Personal Data solely to provide the Deep platform, including account management, authentication, support, and security operations.
Deep does not:
• sell Personal Data
• use Personal Data for advertising
• use Personal Data for profiling outside the services provided
3. Duration
Processing continues for the duration of the customer’s use of the Service and until all data is deleted according to this DPA.
4. Obligations of the Processor (Deep)
Deep shall:
1. Process Personal Data only on documented instructions from Customer.
2. Implement appropriate technical and organizational security measures.
3. Ensure personnel with access to data are bound by confidentiality obligations.
4. Assist Customer in fulfilling GDPR obligations regarding data subject rights.
5. Notify Customer without undue delay of any personal data breach.
6. Make available relevant information necessary to demonstrate compliance.
7. Delete or return Personal Data at termination of the Service.
5. Subprocessors
Customer generally authorizes Deep’s use of Subprocessors. Current Subprocessor list is published here: /legal/subprocessors.
Deep shall:
• use only Subprocessors with adequate security measures
• impose equivalent contractual data protection obligations
• notify Customer of additions or replacements (via update to the Subprocessor List)
6. International Transfers
Where Personal Data is transferred outside the EEA, UK, or other regulated regions, Deep uses Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent safeguards where required.
7. Security Measures
Deep implements:
• encryption at rest and in transit
• access controls and authentication
• logging and monitoring
• vulnerability management
• incident response protocols
• physical and network security controls through audited hosting providers
8. Data Subject Requests
Deep assists Customer in responding to access, rectification, erasure, restriction, objection, and portability requests. Deep will not act independently on such requests.
9. Data Deletion
Upon termination of services:
• All Personal Data is deleted from active systems within 90 days
• Backups are overwritten as part of standard rotation
• Customer may request earlier deletion
10. Liability
Liability limits follow those defined in the Terms of Service.
11. Governing Law
This DPA is governed by the same jurisdiction as the Terms of Service.