Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the EntryGuard Terms of Service ("Terms") between Entropy Lab SRL ("Entropy Lab", "we", "Processor") and the customer organization identified in the applicable Order Form or invoice ("Customer", "you", "Controller").
This DPA sets out the obligations of the parties when Entropy Lab processes personal data on behalf of the Customer in connection with the EntryGuard service ("the Service"). It is intended to comply with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and Moldovan Law No. 133/2011 on Personal Data Protection.
In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
Terms used but not defined in this DPA shall have the meaning given in the GDPR. For convenience:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Controller" means the entity that determines the purposes and means of processing Personal Data — in this DPA, the Customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — in this DPA, Entropy Lab.
- "Sub-processor" means any third party that processes Personal Data on behalf of the Processor.
- "Data Subject" means an individual whose Personal Data is processed.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Personal Data Breach" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles and Responsibilities
2.1 Controller and Processor
The Customer acts as Controller of Personal Data processed in the Service. Entropy Lab acts as Processor and processes Personal Data only on behalf of the Customer and according to the Customer's documented instructions.
2.2 Customer's instructions
The Customer's instructions to Entropy Lab to process Personal Data are set out in:
- The Terms of Service
- This DPA
- The Customer's use of the Service through its dashboard, API, and configuration
The Customer may issue additional instructions in writing to [email protected]. Entropy Lab will inform the Customer if it believes an instruction violates GDPR or other data protection law.
2.3 Customer obligations
The Customer represents and warrants that:
- It has obtained all necessary rights, consents, and legal bases to process the Personal Data and to instruct Entropy Lab to process it
- It has informed Data Subjects about the processing as required by law
- The Customer's use of the Service complies with applicable data protection law
3. Subject Matter and Details of Processing
3.1 Subject matter
The processing of Personal Data by Entropy Lab is performed solely for the purpose of providing the EntryGuard service to the Customer.
3.2 Duration
Processing continues for the duration of the Customer's subscription to the Service, plus any additional retention period set out in the Privacy Policy.
3.3 Nature and purpose of processing
Entropy Lab processes Personal Data for the following purposes:
- Creating and managing user accounts
- Authenticating users
- Managing IP whitelisting sessions, tunnels, and access rules
- Recording audit logs of access events
- Providing customer support
- Billing and invoicing
- Securing the Service against abuse and unauthorized access
3.4 Categories of Data Subjects
- Employees, contractors, and authorized agents of the Customer who use the Service
- Administrators of the Customer's account
- Billing contacts of the Customer
3.5 Categories of Personal Data
- Identification data: full name, email address
- Authentication data: hashed passwords, MFA secrets, session tokens
- Contact data: phone number (optional), preferred language
- Technical data: IP addresses (login and whitelisted), browser, OS, country code derived from IP
- Usage data: timestamps of logins and actions, sessions started and stopped, resources accessed
- Audit data: records of administrative actions, configuration changes, security events
Entropy Lab does not intentionally process special categories of personal data (Article 9 GDPR) such as health data, racial or ethnic origin, religious beliefs, or data concerning sexual orientation.
4. Sub-processors
4.1 General authorization
The Customer authorizes Entropy Lab to engage Sub-processors to process Personal Data, subject to the conditions in this section.
4.2 Current Sub-processors
The list of current Sub-processors is available at entryguard.io/subprocessors and is incorporated into this DPA by reference. As of the effective date, the list includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Oracle Cloud Infrastructure | Hosting, storage, and email delivery | EU (Germany — eu-frankfurt-1) |
| MAIB | Payment processing | Republic of Moldova |
| Cloudflare | CDN, DNS, and DDoS protection | Global (primarily EU) |
4.3 Notification of new Sub-processors
Entropy Lab will give the Customer at least 30 days' prior notice before adding or replacing a Sub-processor. Notice will be given by email to the Customer's billing contact and by updating entryguard.io/subprocessors.
4.4 Right to object
The Customer may object to the addition or replacement of a Sub-processor on reasonable grounds related to data protection. If the parties cannot resolve the objection within 30 days of the notice, the Customer may terminate the affected portion of the Service without penalty by giving written notice to Entropy Lab.
4.5 Sub-processor contracts
Entropy Lab will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Entropy Lab remains fully liable to the Customer for the acts and omissions of its Sub-processors with respect to Personal Data.
5. International Transfers
All Personal Data is currently processed within the European Union. Entropy Lab will not transfer Personal Data outside the EU/EEA unless the Customer has given prior consent or an appropriate transfer mechanism is in place (such as Standard Contractual Clauses adopted by the European Commission).
If a transfer becomes necessary in the future, Entropy Lab will give the Customer reasonable notice and implement appropriate safeguards as required by GDPR Chapter V.
6. Security of Processing
6.1 Technical and organizational measures
Entropy Lab will implement and maintain appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Current measures include:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256-GCM for cloud credentials, MFA secrets, and other sensitive data
- Hashed passwords using bcrypt with strong work factors
- Access control: role-based access for staff, multi-factor authentication required for administrative access
- Audit logging of all access to Personal Data by staff
- Regular backups with 14-day retention, encrypted at rest
- Network segmentation between customer environments
- Vulnerability management: regular dependency updates and security patches
- Incident response procedures with defined escalation paths
- Principle of least privilege for staff access to systems and data
- Secure software development practices including code review and testing
- Physical security of infrastructure provided by Sub-processors meeting industry standards
6.2 Updates to security measures
Entropy Lab may update its security measures from time to time, provided that such updates do not materially decrease the level of protection.
6.3 Confidentiality of personnel
Entropy Lab ensures that any personnel authorized to process Personal Data are bound by confidentiality obligations.
7. Data Subject Rights
7.1 Assistance
Entropy Lab will, to the extent reasonably possible, assist the Customer with appropriate technical and organizational measures to fulfill the Customer's obligations to respond to Data Subject requests under Articles 12-23 GDPR, including requests for access, rectification, erasure, restriction, portability, and objection.
7.2 Forwarding requests
If a Data Subject contacts Entropy Lab directly with a request related to their data processed on behalf of the Customer, Entropy Lab will:
- Not respond to the request directly (except to acknowledge receipt and direct the Data Subject to the Customer)
- Notify the Customer without undue delay
- Forward the request to the Customer's designated contact
7.3 Self-service
Where reasonable, Entropy Lab provides functionality in the Service that allows the Customer to fulfill Data Subject requests directly (such as deleting users, exporting audit logs, or updating user information).
8. Personal Data Breaches
8.1 Notification
Entropy Lab will notify the Customer without undue delay and within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's data. The notification will include, to the extent known:
- The nature of the breach
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact details for further information
8.2 Cooperation
Entropy Lab will cooperate with the Customer in investigating and remediating Personal Data Breaches, including providing information needed for the Customer to notify supervisory authorities and Data Subjects as required by law.
8.3 Records
Entropy Lab will maintain records of all Personal Data Breaches and corrective actions taken.
9. Audits and Inspections
9.1 Audit rights
The Customer has the right to audit Entropy Lab's compliance with this DPA. Audits will be conducted at the Customer's expense and at reasonable intervals (no more than once per calendar year unless required by a supervisory authority or following a Personal Data Breach).
9.2 Audit process
Audits may be conducted by the Customer or by an independent auditor appointed by the Customer. The Customer will give Entropy Lab at least 30 days' prior written notice of any audit, except in case of a Personal Data Breach or supervisory authority requirement.
Entropy Lab will provide reasonable cooperation, including making relevant documentation, information, and personnel available to the auditor. The audit must not unreasonably interfere with Entropy Lab's business operations.
9.3 Documentation in lieu of audit
To minimize disruption, Entropy Lab may satisfy audit requests by providing copies of relevant security documentation, such as security policies, incident reports, sub-processor agreements, and (where available) third-party certifications or audit reports (such as ISO 27001, SOC 2).
9.4 Confidentiality
All information obtained during an audit is confidential and may only be used for the purpose of verifying compliance with this DPA.
10. Return and Deletion of Personal Data
10.1 During the term
The Customer may export Personal Data at any time through the Service's dashboard, API, or by request to [email protected].
10.2 On termination
Within 30 days of termination of the Service, Entropy Lab will, at the Customer's choice:
- Return all Personal Data to the Customer in a structured, commonly used format, or
- Permanently delete all Personal Data from its systems and instruct Sub-processors to do the same
If the Customer does not make a choice within 30 days, Entropy Lab will permanently delete the data.
10.3 Backups
Personal Data may persist in encrypted backups for up to 14 days after deletion. Backups are not actively used and are deleted on the standard rotation schedule.
10.4 Legal retention
Entropy Lab may retain Personal Data after termination only to the extent required by applicable law (for example, accounting and tax records). In such cases, the data will be subject to the same protections as during the term of the agreement.
11. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.
12. Term and Termination
This DPA takes effect on the date the Customer accepts the Terms of Service or signs an Order Form, whichever is earlier. It remains in effect for the duration of the Customer's subscription to the Service, plus any post-termination obligations described in Section 10.
13. Governing Law
This DPA is governed by the same law as the Terms of Service. Where required by GDPR, EU law and the data protection laws of the relevant Member State will apply to the processing of Personal Data of EU Data Subjects.
14. Changes to This DPA
Entropy Lab may update this DPA from time to time. If we make material changes, we will notify the Customer at least 30 days in advance via email or in-app notification. The Customer may terminate the Service without penalty if it does not accept the changes.
15. Contact
For questions about this DPA or to issue documented instructions:
Email: [email protected]
Postal address: Entropy Lab SRL, Alba Iulia 21, ap. 33, Chișinău, MD-2051, Republic of Moldova