Version: 1.0 · Last updated: 2026-06-12
1. Authoritativeness and precedence
This Data Processing Agreement (“DPA”) implements the data-processing terms required under Article 28(3) of the GDPR for the processing described below. The End-User License Agreement (EULA) remains authoritative: this DPA gives effect to EULA Chapter 15 (Data Protection and GDPR Allocation) and does not modify the EULA’s Limited Warranty, AS-IS Disclaimer, or Limitation of Liability (EULA ch.15.3.11 / 29.6). Until a separate, more detailed processing agreement is executed in writing, EULA §15.3 governs; once executed, this DPA is the detachable artifact that implements it (EULA ch.15.3.1). Nothing here expands the Licensor’s aggregate liability beyond the cap in EULA Chapter 12 (EULA ch.15.3.11).
2. Scope — three data categories, and what this DPA covers
EULA §15.1 distinguishes three categories of personal data. This DPA’s processor terms apply to Support Data and Feedback Data only; Operational Data is expressly out of scope (see §3).
- Operational Data — personal data the Customer inputs, captures, processes, or stores using the software in the ordinary course of its operation on its own infrastructure (MAC addresses, IP addresses, hostnames, vendor identifiers, DHCP option content, and derived analytics). Out of scope of these processor terms (EULA ch.15.1(a), 15.2).
- Support Data — personal data transmitted from the Customer’s instance to the Licensor through the support backchannel or any other support channel (chat messages, screen casts/captures, command output and shell session content, machine-adapter requests and responses, configuration excerpts, logs, diagnostic information). Covered by these processor terms (EULA ch.15.1(b), 15.3).
- Feedback Data — personal data contained in Feedback voluntarily submitted through the in-product feedback function. Covered on the same terms as Support Data, as adapted by §11 (EULA ch.15.1(c), 15.4).
3. Operational Data — Customer is sole controller; no DPA required
The software is delivered for installation and operation on infrastructure controlled by the Customer. The Customer installs, configures, deploys, and operates it on its own or its customers’ networks. With respect to Operational Data, the Licensor does not access, receive, or process such data in the ordinary course of operation. Accordingly, for Operational Data:
- the Customer is the sole controller within the meaning of Article 4(7) GDPR;
- the Licensor is neither a controller, joint controller, nor a processor (Articles 4(7), 26, and 28 GDPR); and
- no Article 28 DPA is required between the parties for the ordinary operation of the software.
This is why the DPA below covers only the support and feedback channel — it is the one context in which personal data leaves the Customer’s deployment and reaches the Licensor (EULA ch.15.2.1–15.2.2).
4. Roles, instructions, and purpose (Support Data)
For Support Data, the Customer is the controller and the Licensor acts as an Article 28 processor, strictly on the Customer’s documented instructions and solely for the purposes set out below (EULA ch.15.3.1).
Documented instructions consist of, and are limited to: (i) the per-session opt-in flags and per-channel approvals the Customer grants through the software’s support-session controls (chat, screen sharing, machine-adapter access, shell access); (ii) requests the Customer expressly submits through the support function; and (iii) any further written instructions the Customer issues. The Licensor processes Support Data for no other purpose (EULA ch.15.3.2).
Purpose limitation. The Licensor processes Support Data solely to:
- respond to and resolve the Customer’s support request;
- diagnose, reproduce, and fix defects in the software;
- maintain records of support activity for security, accountability, and quality assurance; and
- comply with the Licensor’s own legal obligations (EULA ch.15.3.3).
5. Categories of data subjects and personal data
The categories of data subjects are determined by the Customer and typically include the Customer’s network users, administrators, and operators. The categories of personal data may include identifiers (MAC addresses, IP addresses, hostnames), device and vendor information, account identifiers visible in the user interface, free text entered by the Customer, and any other personal data the Customer chooses to disclose through the support channel (EULA ch.15.3.4).
6. Duration and retention
The Licensor retains Support Data for a maximum of 90 days (ninety days) following the end of the support session in which it was received, after which the Licensor deletes or irreversibly anonymises it — save where a longer retention period is required by applicable law or is necessary for the establishment, exercise, or defence of legal claims (EULA ch.15.3.5).
7. Sub-processors
The Licensor processes Support Data on infrastructure it controls and does not engage any sub-processor for the processing of Support Data as at the Effective Date. The Licensor will notify the Customer in advance of any intended addition of a Support-Data sub-processor and give the Customer a reasonable opportunity to object on reasonable data-protection grounds; the Licensor is not required to seek prior consent (EULA ch.15.3.6).
Marketing-site processing is out of scope of this Article 28 DPA. Processing that happens on the public website — the contact/demo/sales forms and any cookies or analytics — is a separate context in which the Licensor acts as controller of visitor data; it and any providers involved in it are disclosed in the privacy policy, not here.
8. Confidentiality and security (Article 32)
Personnel authorised to process Support Data are bound by an appropriate obligation of confidentiality (EULA ch.15.3.7). The Licensor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate, the measures referred to in Article 32(1) GDPR; in particular, support sessions are transport-encrypted and gated by per-channel Customer approvals (EULA ch.15.3.8). A formal security-measures annex (in the style of Annex II to the EU Standard Contractual Clauses) is provided with the countersigned DPA on request.
9. Assistance to the Customer
Taking into account the nature of the processing and the information available to it, the Licensor provides reasonable assistance to the Customer with: (i) responding to data-subject requests under Chapter III GDPR; (ii) the obligations under Articles 32–36 GDPR; and (iii) audits and inspections to the extent required under Article 28(3)(h) GDPR. The Licensor may charge its reasonable costs for assistance that exceeds routine support, save where applicable law prohibits such charging (EULA ch.15.3.9).
10. Return or deletion of data
On termination of the agreement or earlier on the Customer’s written request, the Licensor will, at the Customer’s choice, delete or return all Support Data then in its possession, save where applicable law requires continued storage (EULA ch.15.3.10). Data residing on the Customer’s appliance is under the Customer’s operational control and is not affected by this provision.
11. Feedback Data
Feedback Data is processed by the Licensor as a processor on behalf of the Customer as controller, on the same terms as Support Data, save that: (i) the Customer is solely responsible for ensuring the Feedback it transmits does not contain personal data it is not authorised to disclose, and for redacting, masking, or removing such data before submission — the Licensor does not redact on the Customer’s behalf; and (ii) the substantive, non-personal-data content of Feedback may be used by the Licensor under the Feedback licence in EULA Chapter 8, while any personal data incidentally contained in it is processed only under these terms (EULA ch.15.4.1–15.4.3).
12. Customer responsibilities as controller
Across all three data categories, the Customer is solely responsible for: (i) determining the lawful basis for any processing carried out using the software or through the support and feedback functions; (ii) providing required notices to data subjects, including notice that the Customer may transmit personal data to the Licensor through support sessions or Feedback; (iii) handling data-subject requests and complaints, with the Licensor’s assistance under §9 as applicable; (iv) implementing appropriate Article 32 measures within its own deployment; (v) maintaining the Article 30 records of processing activities; and (vi) complying with all other applicable data-protection laws (EULA ch.15.5).
13. Breach notification
The Licensor will notify the Customer without undue delay of any personal-data breach affecting Support Data or Feedback Data processed by the Licensor, to enable the Customer (as controller) to meet its own Article 33/34 GDPR obligations. The notification will describe, to the extent then known, the nature of the breach, the categories of data concerned, and the measures taken or proposed to address it.
14. Data flow diagram
The canonical data-flow diagram for the marketing site and the shield-api backend lives at /trust/data-flow (TRUST-03). Procurement reviewers should consult that page alongside this DPA.
15. Contact
DPA questions and signed-DPA requests: sales@dhcpshield.com. The legal entity and authorised representative are disclosed at /company/contact.