Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Ambit Labs Ltd (company number 16980164), trading as usability.cat ("Processor"), and governs how we process data on your behalf.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation performed on Personal Data, including collection, storage, analysis, and deletion.
- Sub-processor: A third party engaged by the Processor to assist with data processing.
2. Scope of Processing
usability.cat processes data as follows:
- Data subjects: Website visitors whose pages are audited; account holders.
- Data types: URLs, page content (HTML, DOM structure), screenshots, JavaScript bundle content, HTTP headers, SSL/TLS configuration, performance metrics, accessibility data, and resulting audit scores and findings.
- Purpose: Generating usability and security audit reports.
- Duration: For the term of your account plus 30 days, unless otherwise required by law.
3. Processor Obligations
We commit to:
- Process Personal Data only on your documented instructions.
- Ensure personnel authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Assist you in responding to data subject rights requests.
- Delete or return all Personal Data upon termination of the agreement, unless retention is required by law.
- Make available information necessary to demonstrate compliance.
4. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Convex, Inc. | Backend infrastructure, database, real-time data processing | United States |
| Vercel, Inc. | Frontend hosting, edge functions, CDN | Global |
| Stripe, Inc. | Payment processing | United States / EU |
| Resend, Inc. | Transactional email delivery | United States |
| Anthropic, PBC | AI-powered analysis and report generation | United States |
| Firecrawl (Mendable, Inc.) | Web page crawling and content extraction | United States |
| Browserbase, Inc. | Headless browser for screenshots and JS extraction | United States |
| GitHub, Inc. (Microsoft) | OAuth authentication | United States |
| PostHog, Inc. | Product analytics | European Union |
We will notify you of any new sub-processors with reasonable advance notice (minimum 14 days). You may object to a new sub-processor by contacting us within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the agreement.
5. Security Measures
We maintain security measures including:
- Encryption of data in transit (TLS) and at rest.
- Access controls and authentication for all systems (OAuth-based authentication).
- Rate limiting on all user-facing endpoints to prevent abuse.
- Regular security assessments of our own infrastructure.
- Incident response procedures.
- Separation of production and development environments.
6. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware.
- Provide details of the breach, affected data, likely consequences, and remedial actions taken.
- Cooperate with your obligations to notify supervisory authorities (the ICO) or data subjects.
7. International Transfers
Data is transferred to sub-processors located outside the United Kingdom, primarily in the United States. We ensure appropriate safeguards are in place for all international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the ICO.
- UK International Data Transfer Agreement (IDTA) where applicable.
- Assessment of the legal framework in the recipient country.
8. Security Scanning Data
When security scans (Shield) are conducted, we additionally process:
- HTTP response headers and security configuration.
- Client-side JavaScript bundle content for secret detection and code pattern analysis.
- SSL/TLS certificate details and configuration.
- Authentication surface characteristics.
This data is processed solely for the purpose of generating security audit reports. JavaScript bundles are analysed for secrets and vulnerability patterns only — we do not retain or redistribute the source code of scanned applications beyond what is necessary for report generation.
9. Audits
You may request information about our data processing practices. We will cooperate with reasonable audit requests, provided they are conducted with reasonable notice (minimum 30 days) and do not disrupt operations. Audits shall be limited to once per year unless a data breach has occurred.
10. Term and Termination
This DPA remains in effect for the duration of your use of usability.cat. Upon termination, we will delete your data in accordance with our retention policy (account data within 30 days, payment records retained for 7 years per UK tax requirements) unless otherwise required by law.
11. Contact
For data processing enquiries, contact us at meow@usability.cat.
Processor: Ambit Labs Ltd
Company number: 16980164
Registered in England and Wales