Data Processing Agreement

This DPA applies where we process personal data on behalf of a business customer (for example through the API or Bulk Check) and forms part of the Terms of Service between us and that customer.

Last updated: 6 July 2026

1. Definitions

1.1. "Processor", "we", "us" — a registered company with number 12101959, registered office at 2 Thomas More St, London, United Kingdom, E1W 1WY.

1.2. "Controller", "Customer", "you" — the business customer that determines the purposes and means of processing the personal data submitted to the Service.

1.3. "Data Protection Law" — the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR, together with any other applicable data protection laws.

1.4. "Customer Personal Data" — personal data that we process on your behalf under the Terms of Service. Terms such as "personal data", "processing", "data subject", "controller" and "processor" have the meanings given in Data Protection Law.

2. Roles & scope

2.1. In respect of Customer Personal Data, you are the controller and we are the processor. Each party will comply with its obligations under Data Protection Law.

2.2. This DPA applies only where we process Customer Personal Data on your behalf. Where we act as controller of personal data (for example, account, billing and breach data), our Privacy Policy applies instead.

2.3. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in the Annex.

3. Our obligations

3.1. We will process Customer Personal Data only on your documented instructions, including as set out in the Terms of Service and this DPA, unless required to do otherwise by law (in which case we will inform you, unless the law prohibits it).

3.2. We will ensure that persons authorised to process Customer Personal Data are bound by confidentiality and process it only as instructed.

3.3. Taking into account the nature of the processing and the information available to us, we will assist you in complying with your obligations regarding security, breach notification, data protection impact assessments and prior consultation.

4. Confidentiality

4.1. We will keep Customer Personal Data confidential and will not disclose it except as permitted by this DPA or required by law.

5. Security

5.1. We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. A summary of these measures is set out in the Annex.

6. Sub-processors

6.1. You give general authorisation for us to engage sub-processors (such as hosting and payment providers) to process Customer Personal Data, provided we impose data protection obligations on them that are no less protective than those in this DPA and remain responsible for their performance.

6.2. We will inform you of any intended addition or replacement of a sub-processor and give you a reasonable opportunity to object on reasonable data protection grounds.

6.3. The current list of sub-processors is available on request at the@leakcheck.net.

7. Data subject requests

7.1. Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Data Protection Law.

7.2. If we receive such a request directly, we will, unless legally required to act, advise the data subject to submit it to you and will not otherwise respond except on your instructions.

8. Personal data breaches

8.1. We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your notification obligations.

9. Deletion & return

9.1. On termination of the Service, we will, at your choice, delete or return Customer Personal Data and delete existing copies, unless retention is required by law.

10. Audits

10.1. We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality and frequency limits.

11. International transfers

11.1. Where processing involves transferring Customer Personal Data outside the United Kingdom or the EEA, we will ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.

12. Liability & term

12.1. This DPA takes effect when you begin using the Service to process Customer Personal Data and continues for as long as we carry out that processing.

12.2. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of a conflict on data protection matters, this DPA prevails.

Annex — Processing details

Subject matter: provision of breach-lookup and monitoring services via the API, Bulk Check and web interface.

Duration: the term of the Service plus any legally required retention period.

Nature & purpose: querying our database for exposure of identifiers you submit and returning matching records to you.

Types of personal data: the identifiers you submit (such as email addresses, usernames, phone numbers, domains or hashes) and the fields returned in results (such as names, contact details and credentials).

Categories of data subjects: the individuals whose identifiers you choose to check (for example your employees, users or customers).

Security measures: encryption in transit, access controls and least-privilege access, network protection, logging and monitoring, and staff confidentiality obligations.