DomainCare.
Start free trial
What breaksCoverageDocsBlogPricing
ToolsDomain health checkDNS propagation checkerSitemap validatorBlacklistsOpen ports
Sign in
Legal

Data Processing Agreement

Last updated: 2026-05-18

This Data Processing Agreement ("DPA") forms part of the agreement between Artificial Systems SRL ("DomainCare") and the customer ("Customer") for the use of the DomainCare service.

This DPA applies where the Customer processes personal data through DomainCare for which the Customer is the data controller. Where the Customer uses DomainCare solely to monitor their own domains and does not process personal data of their employees, contractors, or other individuals through the platform, the privacy policy is sufficient and this DPA may not apply.

If you require a counter-signed copy of this DPA on company letterhead, contact legal@domaincare.io.

1. Definitions

  • "Personal data," "controller," "processor," "data subject," "processing," and "supervisory authority" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
  • "Customer" means the entity entering into the agreement with DomainCare.
  • "DomainCare" means Artificial Systems SRL.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

2. Roles and scope

For personal data processed through DomainCare on behalf of the Customer, the Customer is the controller and DomainCare is the processor. The processing is carried out for the purpose of providing the DomainCare service to the Customer.

3. Customer instructions

DomainCare will process personal data only on documented instructions from the Customer. The Customer's instructions are set out in:

  • The DomainCare Terms of Service
  • The configuration options the Customer chooses within the dashboard
  • Any additional written instructions the Customer provides to DomainCare

DomainCare will inform the Customer if any instruction would infringe GDPR or other applicable data protection law.

4. Categories of personal data and data subjects

Personal data processed through DomainCare may include:

  • Email addresses, names, and contact details of the Customer's authorised users
  • Domain configuration and monitoring data
  • Notification routing data

Data subjects may include the Customer's employees, contractors, or any individuals identified through the Customer's use of the service.

5. Duration

This DPA is effective for the duration of the agreement between the Customer and DomainCare. Sections relating to confidentiality, security obligations, return or deletion of data, and audit rights survive termination.

6. Security measures

DomainCare implements appropriate technical and organisational measures to protect personal data, including:

  • TLS 1.2+ encryption for all traffic in transit
  • Encryption at rest for backups and authentication credentials
  • Hardened application containers
  • Principle of least privilege between services and personnel
  • Rate limits on authentication and API endpoints
  • Regular review of subprocessors and dependencies
  • Logging of access to production systems

A current description of our security measures is available in our privacy policy.

7. Subprocessors

The Customer authorises DomainCare to engage subprocessors as listed in our privacy policy. DomainCare ensures that subprocessors are bound by contractual terms equivalent to those in this DPA.

DomainCare will provide at least 14 days' advance notice of any material change to the subprocessor list. The Customer may object to a new subprocessor within that period. If the parties cannot agree on an alternative, the Customer may terminate the agreement.

8. Confidentiality

DomainCare ensures that personnel authorised to process personal data are subject to confidentiality obligations.

9. Data subject rights

DomainCare will provide reasonable assistance, taking into account the nature of the processing, to enable the Customer to respond to data subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).

The Customer is responsible for verifying data subject identity and determining whether requests are valid. DomainCare will not respond directly to data subjects of the Customer unless instructed by the Customer or required by law.

10. Personal data breach notification

DomainCare will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Customer's personal data. The notification will include the information required under Article 33(3) GDPR, to the extent available.

11. Data protection impact assessments and prior consultations

DomainCare will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where applicable.

12. International data transfers

Where personal data is transferred outside the European Economic Area:

  • For transfers from the EEA, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference. The Customer is the data exporter; DomainCare is the data importer.
  • For transfers from the United Kingdom, the UK Addendum to the EU SCCs is incorporated into this DPA by reference.
  • For transfers from Switzerland, the EU SCCs apply with references to Swiss law where appropriate.

The technical and organisational measures required under Clause 14 of the SCCs are those described in section 6 above.

13. Audit rights

DomainCare will make available to the Customer information necessary to demonstrate compliance with this DPA. This obligation is normally satisfied by:

  • A written attestation of compliance, and
  • A summary of relevant security certifications and audits, where available

If the Customer reasonably requires additional information, the parties will discuss in good faith. Any on-site audit must be scheduled at least 30 days in advance, conducted during business hours, by a mutually acceptable independent auditor, and at the Customer's cost.

14. Return or deletion of data

On termination of the agreement, DomainCare will, at the Customer's choice, delete or return all personal data processed on the Customer's behalf, within 30 days, except where retention is required by applicable law.

15. Liability

The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits a data subject's rights under GDPR.

16. Conflict

In case of conflict between the Terms of Service and this DPA, this DPA prevails with respect to personal data processing matters.

17. Governing law and jurisdiction

This DPA is governed by the laws of Romania. Disputes are subject to the jurisdiction provisions of the Terms of Service.

18. How to execute this DPA

This DPA is published at /legal/dpa and is automatically incorporated into the Customer's agreement with DomainCare where personal data is processed on the Customer's behalf.

If a counter-signed version is required, contact legal@domaincare.io.