Data Processing Agreement
Last updated: [EFFECTIVE-DATE]
This Data Processing Agreement ("DPA") is entered into between [CUSTOMER-NAME] ("Controller") and [YOUR-COMPANY-LEGAL-NAME], a company incorporated under the laws of [YOUR-JURISDICTION] ("Processor"), and forms part of the Master Service Agreement or Terms of Service between the parties.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK Data Protection Act 2018 (UK DPA 2018).
"Services" means the software-as-a-service platform and related services provided by the Processor to the Controller under the applicable service agreement.
"Sub-processor" means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" (SCCs) — the clauses adopted by the European Commission under Decision 2021/914 for international data transfers.
- "WORM" — write-once-read-many; refers to audit chain rows that are hash-linked and protected from deletion at the database level.
2. Roles and Responsibilities
The Controller determines the purposes and means of Processing of Personal Data. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law.
The Processor shall promptly inform the Controller if, in its opinion, an instruction from the Controller infringes GDPR or any other applicable data protection law.
- Controller responsibilities: defining lawful purpose, managing data-subject rights requests, providing instructions in writing.
- Processor responsibilities: acting only on documented instructions, maintaining records of processing activities (Art. 30 GDPR), notifying the Controller of breaches within 72 hours.
- Neither party may engage in Processing that exceeds the scope of this DPA without prior written agreement.
3. Subject Matter and Duration
The subject matter of the Processing is the provision of the Services as described in the applicable service agreement. The Processing will continue for the duration of the service agreement, unless otherwise agreed in writing or terminated earlier in accordance with Section 14.
- Processing begins on the date the Controller first submits Personal Data to the Services.
- Processing ends no later than 30 days after termination of the applicable service agreement, subject to Section 13.
4. Nature and Purpose of Processing
The Processor will process Personal Data to provide, maintain, and improve the Services, to comply with legal obligations, and as otherwise instructed by the Controller. The Processing includes: collection, storage, retrieval, use, disclosure, erasure, and destruction of Personal Data.
- Providing and maintaining the SaaS platform: authentication, dashboard, billing, storage, email, and API access.
- Security and abuse prevention: fraud detection, rate limiting, tamper-evident audit chain.
- Legal compliance: responding to lawful requests, maintaining required records.
5. Categories of Data Subjects and Personal Data
The categories of Data Subjects whose Personal Data may be processed include: end users of the Controller's products and services, employees and contractors of the Controller, and any other individuals whose data the Controller submits to the Services.
- Identification data: name, email address, user ID.
- Technical data: IP address, device identifiers, browser type, usage logs.
- Account data: organization membership, subscription tier, billing reference (non-card).
- Content data: any Personal Data contained in files or inputs submitted by the Controller to the Services.
6. Sub-processors
The Controller grants the Processor general authorization to engage the sub-processors listed below. The Processor shall inform the Controller of any intended addition or replacement of sub-processors, giving the Controller a reasonable opportunity to object. The Processor ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA.
- Stripe, Inc. — payment processing (United States). Data: billing contact, payment method token.
- Resend, Inc. — transactional email delivery (United States). Data: recipient email address, email content.
- Sentry (Functional Software, Inc.) — error monitoring (United States). Data: anonymised stack traces, user IDs.
- PostHog, Inc. — product analytics (United States / EU). Data: pseudonymised event data, session identifiers.
- Cloudflare, Inc. (R2) — object storage (United States / EU). Data: user-uploaded files, data export blobs.
7. International Transfers
Where the Processor transfers Personal Data to sub-processors located in countries outside the European Economic Area (EEA) or the United Kingdom, such transfers are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) or the UK International Data Transfer Agreement (IDTA), as applicable.
The Processor maintains an up-to-date record of the legal basis for each international transfer and makes it available to the Controller upon request.
- Stripe, Inc. (US) — SCCs Module 2 (Controller to Processor), supplemented by encryption in transit and at rest.
- Resend, Inc. (US) — SCCs; email content encrypted in transit.
- Sentry / Functional Software, Inc. (US) — SCCs; payloads scrubbed of PII before transmission.
- PostHog, Inc. (US / EU) — EU-hosted deployment available; SCCs where US infrastructure is used.
- Cloudflare, Inc. / R2 (US / EU) — SCCs; EU-region bucket available on request.
8. Confidentiality
The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who need it to perform the Services.
- All personnel with access to Personal Data are subject to binding confidentiality obligations.
- Access is granted on the principle of least privilege and reviewed at least annually.
- Contractors and sub-processors are bound by equivalent confidentiality terms.
9. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
- Tamper-evident, append-only audit chain (WORM): each compliance event row is hash-linked; RLS policies refuse UPDATE/DELETE at the database layer — the boilerplate stack supports SOC 2 controls through this mechanism, though formal certification is not claimed.
- Role-based access control (RBAC) with principle of least privilege.
- Pseudonymisation and anonymisation where technically feasible.
- Regular testing and evaluation of security measures.
- Incident response and breach notification procedures.
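As an added illustration of the audit-chain measure listed above (this is example code, not the Processor's own schema; the table, column, function and role names and the sample events are assumptions), the following PostgreSQL sketch shows the three pieces that make the chain tamper-evident and append-only: a trigger that hash-links every new compliance event row to the previous row, row-level security that leaves UPDATE and DELETE without any permissive policy, and a verification query that recomputes the whole chain.

```sql
-- Added example (not the Processor's own schema; names are assumed).
-- Requires PostgreSQL with the pgcrypto extension, which provides digest().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE compliance_event (
    id          BIGSERIAL    PRIMARY KEY,
    occurred_at TIMESTAMPTZ  NOT NULL DEFAULT now(),
    actor_id    TEXT         NOT NULL,
    event_type  TEXT         NOT NULL,
    payload     JSONB        NOT NULL,
    prev_hash   TEXT,                  -- row_hash of the preceding row; NULL for the first row
    row_hash    TEXT         NOT NULL  -- SHA-256 over prev_hash and this row's own fields
);

-- One hash function shared by the trigger and the verification query, so both sides
-- agree on the exact byte layout. The timestamp is hashed as integer microseconds
-- since the epoch so the digest does not depend on session timezone or DateStyle.
CREATE OR REPLACE FUNCTION compliance_event_hash(
    prev TEXT, actor TEXT, etype TEXT, payload JSONB, ts TIMESTAMPTZ
) RETURNS TEXT LANGUAGE sql IMMUTABLE AS $$
    SELECT encode(digest(
        coalesce(prev, '') || '|' || actor || '|' || etype || '|' ||
        payload::text || '|' || (extract(epoch FROM ts) * 1000000)::bigint::text,
        'sha256'), 'hex');
$$;

-- BEFORE INSERT trigger: link the new row to the current chain head and stamp its hash.
-- The table lock serialises writers so two concurrent inserts cannot both claim the
-- same predecessor and fork the chain.
CREATE OR REPLACE FUNCTION compliance_event_link() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    LOCK TABLE compliance_event IN EXCLUSIVE MODE;
    SELECT row_hash INTO NEW.prev_hash          -- NULL when the table is still empty
      FROM compliance_event ORDER BY id DESC LIMIT 1;
    NEW.row_hash := compliance_event_hash(
        NEW.prev_hash, NEW.actor_id, NEW.event_type, NEW.payload, NEW.occurred_at);
    RETURN NEW;
END $$;

CREATE TRIGGER compliance_event_link_trg
    BEFORE INSERT ON compliance_event
    FOR EACH ROW EXECUTE FUNCTION compliance_event_link();

-- Append-only enforcement at the database layer. With row-level security enabled, a
-- command that has no permissive policy matches no rows, so UPDATE and DELETE touch
-- nothing; FORCE extends this to the table owner. The restrictive policies record the
-- intent explicitly and cannot be widened by a permissive policy added later by mistake.
ALTER TABLE compliance_event ENABLE ROW LEVEL SECURITY;
ALTER TABLE compliance_event FORCE  ROW LEVEL SECURITY;
CREATE POLICY compliance_event_insert    ON compliance_event FOR INSERT WITH CHECK (true);
CREATE POLICY compliance_event_select    ON compliance_event FOR SELECT USING (true);
CREATE POLICY compliance_event_no_update ON compliance_event AS RESTRICTIVE FOR UPDATE USING (false);
CREATE POLICY compliance_event_no_delete ON compliance_event AS RESTRICTIVE FOR DELETE USING (false);

-- Constructed sample events (separate statements so the link order is unambiguous).
INSERT INTO compliance_event (actor_id, event_type, payload)
    VALUES ('user_42', 'export.requested', '{"format": "json"}');
INSERT INTO compliance_event (actor_id, event_type, payload)
    VALUES ('user_42', 'account.deleted', '{"grace_days": 30}');

-- Chain verification, as an inspection under Section 12 would run it: recompute every
-- hash and check every link. An intact chain returns zero rows; an edited payload shows
-- up as hash_mismatch, a re-hashed edit as link_broken on the following row.
WITH ordered AS (
    SELECT *, lag(row_hash) OVER (ORDER BY id) AS expected_prev
      FROM compliance_event
)
SELECT id,
       row_hash <> compliance_event_hash(prev_hash, actor_id, event_type, payload, occurred_at)
           AS hash_mismatch,
       prev_hash IS DISTINCT FROM expected_prev AS link_broken
  FROM ordered
 WHERE row_hash <> compliance_event_hash(prev_hash, actor_id, event_type, payload, occurred_at)
    OR prev_hash IS DISTINCT FROM expected_prev;
```

Two limits of this design are worth knowing when reading the measure as a control. First, row-level security filters rows rather than raising an error, so a disallowed UPDATE or DELETE reports zero rows affected; revoking UPDATE and DELETE from the application roles as well makes such attempts fail loudly, and superusers or roles with BYPASSRLS are not bound by the policies at all, so the Services must not connect as one. Second, a hash chain detects edits and gaps in the middle but not removal of rows at the tail, so the current head hash should be recorded somewhere outside the database (for example in the periodic export) to anchor the chain end.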
10. Data Subject Rights
The Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights under GDPR Chapter III (right of access, rectification, erasure, restriction, portability, and objection).
The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such request without the Controller's prior written authorisation unless required to do so by applicable law.
- Access and portability — data export available via /dashboard/settings within 24 hours of request.
- Erasure — account deletion with 30-day grace period; data hard-deleted within 30 days of the grace period end.
- Rectification — profile data (name, email, language) editable directly by the Data Subject.
- Restriction and objection — submit requests to [YOUR-DPO-EMAIL]; acknowledged within 72 hours.
11. Personal Data Breaches
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach likely to result in a risk to the rights and freedoms of natural persons.
The notification shall include: the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
The Processor shall document all Personal Data Breaches, including those not requiring notification to the Supervisory Authority. Documentation shall be made available to the Controller upon request.
Breach notifications shall be sent to: [YOUR-DPO-EMAIL].
- Notification timeline: within 72 hours of the Processor becoming aware of the breach.
- Initial notification may be partial; supplementary information shall follow without undue delay.
- Low-risk breaches (no likely risk to Data Subjects) are documented internally but need not be notified to the Supervisory Authority.
12. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Controller shall give the Processor reasonable prior written notice (not less than 30 days) of any intended audit. Audits shall be conducted during normal business hours, no more than once per year unless a Personal Data Breach has occurred, and in a manner that minimises disruption to the Processor's operations.
- The Processor may satisfy audit rights by providing a current third-party security certification (SOC 2 Type II or equivalent) in lieu of an on-site inspection.
- Costs of on-site audits are borne by the Controller unless the audit reveals a material breach by the Processor.
- The Processor's tamper-evident audit chain (Section 9) is available for inspection at any time via /dashboard/audit-chain.
13. Return and Deletion of Data at Termination
Upon termination or expiry of the service agreement, the Processor shall, at the Controller's choice and within 30 days of written request, either: (a) return all Personal Data to the Controller in a machine-readable format; or (b) securely delete all Personal Data and certify such deletion in writing.
The Processor may retain Personal Data to the extent required by applicable law, in which case the Processor shall inform the Controller of such retention and the legal basis for it, and shall ensure the Personal Data is protected in accordance with this DPA.
- Data export format: JSON (gzip-compressed), delivered via a signed, time-limited download link.
- Deletion certification: provided in writing within 30 days of confirmed deletion.
- WORM audit chain rows retained for the compliance period required by applicable law; the Controller is informed of the legal basis.
14. Liability and Termination
Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the applicable service agreement, to the extent permitted by applicable law. Nothing in this DPA limits either party's liability for fraud, wilful misconduct, or gross negligence.
This DPA shall automatically terminate upon the termination or expiry of all applicable service agreements between the parties. Provisions that by their nature should survive termination (including Sections 8, 11, 13, and this Section 14) shall survive.
This DPA is governed by the laws of [YOUR-JURISDICTION], without regard to its conflict-of-law provisions.
- Sections 8 (Confidentiality), 11 (Breaches), 13 (Return and Deletion), and 14 (Liability) survive termination of this DPA.
- Supervisory authority fines attributable to the Processor's wilful breach of this DPA are not subject to the service agreement cap.
- The Controller indemnifies the Processor against claims arising from the Controller's own unlawful instructions.