Last Updated: April 19, 2026
Minimal Data Footprint
ScanAbility does not store the HTML, text, images, or personal data of scanned websites. Scan reports contain only technical accessibility findings. No AI sub-processors are used — all accessibility analysis runs on our proprietary engine.
This DPA is entered into between ScanAbility ("Processor") and you ("Controller"). It forms part of the ScanAbility Terms of Service.
ScanAbility processes Personal Data on your behalf to:
Categories of Personal Data
Account credentials (email, name, organization name) · Scan URLs (may incidentally contain personal identifiers) · Scan report metadata (timestamps, WCAG issues found, progress history)
Data Subjects
Your team members with ScanAbility accounts.
| Measure | Detail |
|---|---|
| Encryption at rest | AES-256 (Supabase) |
| Encryption in transit | TLS 1.3 |
| Access control | Role-based access; MFA for admin accounts |
| Row-Level Security | Zero cross-tenant data access |
| No AI sub-processors | Scanning runs on proprietary engine only |
| Sub-processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Supabase Inc. | USA (EU available) | Database and authentication | SCCs / DPA at supabase.com/dpa |
| Cloudflare Inc. | USA (global CDN) | Network and CDN | SCCs at cloudflare.com/gdpr |
| Lemon Squeezy LLC | USA | Payment processing (MoR) | PCI-DSS Level 1 |
| Resend Inc. | USA | Transactional email | SCCs / DPA |
We will notify you 14 days before adding or replacing any sub-processor.
ScanAbility is incorporated in Delaware, USA. Transfers of EU/EEA personal data to the US are covered by Standard Contractual Clauses (EU SCCs) with Supabase and other US-based sub-processors.
Upon account termination, Personal Data is deleted within 30 days (billing records retained 7 years per US tax law; aggregated anonymized statistics may be retained indefinitely).
State of Delaware, USA. Part of ScanAbility Terms of Service.
DPA Enquiries
[email protected]