GDPR Art. 28 Framework

Data Processing Agreement (DPA)

Last updated: March 2026

1. Purpose of Processing

This Data Processing Agreement (DPA) is concluded in accordance with Article 28 of the GDPR between the Client (data controller) and OmniRealm SAS (data processor), operating the WarDek service.

WarDek processes personal data on behalf of the Client exclusively for providing security audit and compliance services.

Processing purposes: Security scan execution, audit report generation, user account management, and billing.

2. Types of Data Processed

Categories of personal data processed:

  • Scanned domains - URLs and domain names submitted for audit
  • Scan results - Detected vulnerabilities, scores, reports
  • User emails - Email addresses for authentication
  • Billing data - Managed by Stripe (PCI-DSS)

Data subjects: WarDek service users and owners of scanned domains.

3. Data Retention

Data is retained according to the following periods:

  • 12 months - Scan results and audit reports
  • Account lifetime - User profile data
  • 30 days post-deletion - Post-termination data (export available)
  • 6 years - Invoices and accounting data (legal obligation)

Upon expiration, data is deleted or irreversibly anonymized.

4. Security Measures

OmniRealm implements the following technical and organizational measures in accordance with Article 32 of the GDPR:

AES-256 encryption at rest
TLS 1.3 in transit
Multi-factor authentication
Daily encrypted backups
Access logging
Regular penetration testing

5. Sub-processors

Authorized sub-processors for data processing:

  • VPS Hosting (France / EU) - Infrastructure hosting and PostgreSQL database
  • Stripe (EU, Ireland) - Payment processing (PCI-DSS Level 1 certified)
  • Resend (EU) - Transactional email delivery

Any sub-processor change is notified to the Client with 30 days' notice. The Client may object within this period.

6. Controller Rights

The Client, as data controller, has the following rights:

  • Audit - Right to audit processor compliance (by appointment)
  • Instructions - Provide documented processing instructions
  • Deletion - Request deletion or return of data
  • Notification - Be notified within 48h of any data breach
  • Portability - Data export in structured format (JSON/CSV)

7. International Transfers

Data is hosted and processed exclusively within the European Union.

No data transfers outside the EU are performed. If needed in the future, Standard Contractual Clauses (SCCs) from the European Commission would be implemented.

Legal basis: GDPR Article 28 (processing) and Article 46 (transfer safeguards, if applicable).

8. DPO Contact

For any questions about this agreement or the processing of your data:

Data Protection Officer

[email protected]

OmniRealm SAS - France
