For Enterprise Customers: This standard DPA applies to all Pro and Pro+ subscriptions. For custom enterprise agreements, contact enterprise@privacychecker.pro
Data Processing Agreement
Effective Date: January 2025 | Version 1.0
1. Definitions
- "Controller" means the Customer who determines the purposes and means of processing Personal Data.
- "Processor" means PrivacyChecker, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Sub-processor" means any third party engaged by PrivacyChecker to Process Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
2. Scope and Purpose
This Data Processing Agreement ("DPA") governs the processing of Personal Data by PrivacyChecker ("Processor") on behalf of the Customer ("Controller") in connection with the PrivacyChecker compliance scanning and cookie consent services.
Categories of Data Processed:
- Website URLs submitted for scanning
- Compliance audit results and reports
- Cookie consent records (if using our banner widget)
- End-user IP addresses (anonymized after 30 days)
- Browser/device information for consent records
3. Controller Obligations
The Controller agrees to:
- Ensure lawful basis for collecting Personal Data from Data Subjects
- Provide transparent privacy notices to Data Subjects
- Ensure data accuracy and relevance
- Respond to Data Subject requests and inform Processor when assistance is needed
- Notify Processor of any changes to data processing requirements
4. Processor Obligations
PrivacyChecker, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 6)
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data upon termination of services (within 30 days)
- Make available all information necessary to demonstrate compliance
- Notify the Controller without undue delay of any Personal Data Breach
5. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database & Authentication | EU (Frankfurt) |
| Stripe Inc. | Payment Processing | EU/US (SCCs) |
| Render | Hosting & CDN | EU/US (SCCs) |
| Plausible Analytics | Privacy-friendly Analytics | EU |
The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller a reasonable opportunity to object.
6. Security Measures
PrivacyChecker implements the following technical and organizational measures:
Technical Measures:
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Regular security audits
- Automated vulnerability scanning
- Multi-factor authentication
- Role-based access controls
Organizational Measures:
- Staff confidentiality agreements
- Data protection training
- Incident response procedures
- Business continuity plans
- Vendor due diligence
- Regular policy reviews
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests including:
- Right of Access - Provide copies of Personal Data upon request
- Right to Rectification - Correct inaccurate Personal Data
- Right to Erasure - Delete Personal Data ("Right to be Forgotten")
- Right to Portability - Export Personal Data in machine-readable format
- Right to Restriction - Limit processing in certain circumstances
- Right to Object - Object to processing based on legitimate interests
Response timeframe: Within 30 days of receiving a valid request.
8. Data Breach Notification
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller within 24 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, and approximate number of Data Subjects
- Describe likely consequences and measures taken or proposed to address the breach
- Cooperate with the Controller in notifying supervisory authorities and Data Subjects as required
9. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for destination countries where applicable
- Additional supplementary measures as required by EDPB guidance
10. Duration and Termination
This DPA is effective for the duration of the service agreement. Upon termination:
- Personal Data will be deleted within 30 days
- Upon request, data will be exported before deletion
- Backup copies are purged within 90 days
- A written confirmation of deletion will be provided upon request
11. Liability
Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR. The Processor's liability is limited to the fees paid by the Controller in the 12 months preceding the claim.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of France, without regard to its conflict of law principles. Any disputes shall be submitted to the exclusive jurisdiction of the courts of Paris, France.
Contact Information
Data Protection Officer:
Enterprise Inquiries:
Acceptance: By subscribing to PrivacyChecker Pro or Pro+ plans, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
