Data Processing Agreement
Effective Date: 2026-03-01 Last Updated: 2026-03-01
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between [ADD LEGAL NAME] ("Processor", "we", "us") and the Customer ("Controller", "you") who has accepted the Agreement.
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the PureConsent consent management platform ("Service"), in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
Terms not defined here have the meanings given in the GDPR or the Agreement.
- "Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject") processed by the Processor on behalf of the Controller through the Service.
- "Processing" — any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
- "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor provides a consent management platform that collects, records, and stores consent preferences from the Controller's website visitors (End Users).
2.2 Duration
Processing continues for the duration of the Agreement plus any retention period specified in Section 10.
2.3 Nature and Purpose
The Processor processes Personal Data to:
- Collect and store End User consent preferences.
- Record consent events for compliance and audit purposes.
- Provide analytics on consent rates and usage (aggregated).
- Deliver the consent banner and preferences interface on the Controller's websites.
- Enforce consent choices by communicating categories to the Controller's scripts.
2.4 Types of Personal Data
| Data Category | Examples |
|---|---|
| Identifiers | Visitor ID (pseudonymous UUID), session identifier (hash) |
| Consent records | Category preferences (necessary, functional, analytics, marketing), timestamps, interaction method |
| Technical data | Country (derived at edge from request metadata such as Cloudflare geo headers; full IP addresses are not stored as part of consent records), browser family + major version, page URL |
| Configuration | Language preference |
2.5 Categories of Data Subjects
- End Users / website visitors of the Controller's websites.
3. Controller Obligations
The Controller shall:
- Ensure a lawful basis exists for the processing of Personal Data through the Service.
- Provide clear and transparent privacy notices to End Users.
- Configure the Service in accordance with applicable data protection laws.
- Not instruct the Processor to process Personal Data in a manner that violates applicable laws.
- Respond to Data Subject requests (with the Processor's assistance as described in Section 7).
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (as configured through the Service dashboard and API).
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (Section 5).
- Engage Sub-processors only as permitted in Section 6.
- Assist the Controller in responding to Data Subject requests (Section 7).
- Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations (GDPR Articles 32-36).
- Delete or return Personal Data upon termination (Section 10).
- Make available information necessary to demonstrate compliance and allow for audits (Section 8).
- Inform the Controller if an instruction infringes the GDPR or other applicable data protection law.
5. Security Measures
The Processor implements the following technical and organizational measures:
Technical Measures
- Encryption in transit: All data transmitted via TLS/HTTPS.
- Encryption at rest: Database encryption provided by Cloudflare D1.
- Access control: Role-based access, session-based authentication with rate limiting.
- Password security: Passwords hashed using industry-standard algorithms.
- Edge architecture: Data processed at the nearest Cloudflare edge node, minimizing data exposure.
- Data minimization: Visitor IDs are pseudonymous UUIDs; session analytics use hashing techniques that reduce identifiability and are treated as pseudonymous data under GDPR.
- Secure cookie handling: Secure (when served over HTTPS), SameSite=Lax attributes on session cookies.
Organizational Measures
- Access to production systems limited to authorized personnel.
- Regular dependency updates and security patches.
- Internal processes for responding to Data Breaches.
6. Sub-processors
6.1 Authorized Sub-processors
The Controller authorizes the use of the following Sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure hosting, CDN, edge compute, database (D1), Analytics Engine | All service data | Global (processing may occur at the nearest edge location, including within the EU) |
| Stripe, Inc. | Payment processing for Controller's subscription | Controller billing data (not End User data) | USA (SCCs) |
| Resend, Inc. | Transactional email delivery | Controller email address (not End User data) | USA (SCCs) |
6.2 Sub-processor Changes
The Processor will notify the Controller by email at least 30 days before adding or replacing a Sub-processor that processes End User Personal Data. The Controller may object within that period. Any objection must be based on reasonable and documented data protection grounds. If the Controller objects and the parties cannot resolve the matter, either party may terminate the Agreement.
6.3 Sub-processor Agreements
The Processor ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection) by:
- Providing the Controller with access to consent event data through the Service dashboard and API.
- Implementing technical measures to delete or export End User data upon the Controller's instruction.
- Responding to the Controller's assistance requests without undue delay and, where reasonably possible, within 10 business days.
Data Subjects should direct their requests to the Controller. If the Processor receives a request directly, it will redirect the Data Subject to the Controller, unless legally required to respond.
8. Audits
The Processor will:
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Allow and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
- Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and no more than once per year (unless required by a supervisory authority or following a material Data Breach).
- The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.
- Audits shall be conducted primarily through documentation review and remote assessment unless otherwise required by a supervisory authority.
- The Processor shall not be required to disclose information relating to other customers.
- The Controller shall enter into a confidentiality agreement before conducting an audit.
9. Data Breach Notification
In the event of a Data Breach involving Personal Data processed under this DPA, the Processor will:
- Notify the Controller without undue delay after becoming aware of the breach.
- Provide the Controller with the following information (to the extent available):
- Nature of the breach, including categories and approximate number of Data Subjects affected.
- Name and contact details of the Processor's point of contact.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate adverse effects.
- Cooperate with the Controller in investigating and remediating the breach.
- Assist the Controller in fulfilling its notification obligations to supervisory authorities and Data Subjects (GDPR Articles 33-34).
10. Data Deletion and Return
Upon termination or expiration of the Agreement:
- The Processor will delete all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
- Upon request (before the 30-day period expires), the Processor will make the Controller's data available in a structured, commonly used, machine-readable format (JSON or CSV) through available export mechanisms or direct provision.
- The Processor will certify deletion upon the Controller's written request, unless retention is required by applicable law.
- Aggregated data that no longer relates to an identified or identifiable natural person may be retained for statistical purposes.
11. International Data Transfers
Personal Data may be transferred to and processed in countries outside the EEA by the Sub-processors listed in Section 6.
For each transfer, appropriate safeguards are in place:
- Cloudflare: Processing may occur at the nearest edge location, which may be within or outside the EU. Cloudflare maintains SCCs and is committed to GDPR compliance.
- Stripe: USA-based. Transfers governed by Standard Contractual Clauses (SCCs).
- Resend: USA-based. Transfers governed by Standard Contractual Clauses (SCCs).
The Processor will not transfer Personal Data to a country without an adequate level of protection unless appropriate safeguards under GDPR Article 46 are in place.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Agreement (Terms of Service). Nothing in this DPA excludes or limits liability where such limitation is prohibited under applicable data protection law.
13. Governing Law
This DPA is governed by the laws of Spain and the GDPR. Disputes shall be resolved in accordance with the dispute resolution provisions of the Agreement.
14. Contact
For questions about this DPA:
- Email: legal@pureconsent.com
- Address: [ADD REGISTERED ADDRESS], Spain