Last Updated: May 3, 2026
Parties
Data Controller: {{CUSTOMER_NAME}} ("Portal")
Data Processor: Starter ("Processor")
Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Portal and Processor. It governs the processing of personal data by Processor on behalf of Portal in connection with the Service.
This DPA is designed to comply with:
- General Data Protection Regulation (GDPR) (EU) 2016/679
- UK GDPR
- Other applicable data protection laws
Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on Personal Data (collection, storage, use, etc.)
- "Data Subject": The natural person to whom Personal Data relates
- "Data Controller": The entity that determines the purposes and means of processing
- "Data Processor": The entity that processes Personal Data on behalf of the Controller
- "Sub-processor": A third party engaged by Processor to process Personal Data
Scope and Purpose
Processing Activities
Processor processes Personal Data on behalf of Portal for the following purposes:
- Providing the Service as described in the Terms of Service
- Managing user accounts and organizations
- Processing payments and subscriptions
- Providing portal support
- Ensuring security and preventing fraud
- Complying with legal obligations
Types of Personal Data
Processor may process the following categories of Personal Data:
- Identity Data: Name, username, email address
- Contact Data: Email, phone number, address
- Account Data: Account settings, preferences, authentication data
- Organization Data: Organization information, staff data, content
- Payment Data: Billing information (processed securely through a payment processor)
- Usage Data: Service usage, analytics (with consent)
- Technical Data: IP address, device information, logs
Categories of Data Subjects
Personal Data relates to:
- Portal's employees and authorized users
- Portal's end users (if applicable)
- Other individuals whose data Portal processes through the Service
Processor Obligations
Processing Instructions
Processor agrees to:
- Process Personal Data only in accordance with Portal's documented instructions
- Not process Personal Data for any purpose other than providing the Service
- Notify Portal if Processor believes an instruction violates data protection laws
- Assist Portal in responding to Data Subject requests
Security Measures
Processor implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access control and authentication
- Security Monitoring: Regular security assessments and monitoring
- Incident Response: Procedures for detecting and responding to security incidents
- Data Backup: Regular backups and disaster recovery procedures
- Staff Training: Security awareness training for personnel
Confidentiality
Processor ensures that personnel authorized to process Personal Data:
- Are subject to confidentiality obligations
- Process Personal Data only as necessary for their duties
- Are informed of their data protection obligations
Data Subject Rights
Processor will assist Portal in responding to Data Subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
Processor will respond to such requests within a reasonable timeframe and in accordance with applicable law.
Data Breach Notification
Processor will:
- Notify Portal without undue delay (within 72 hours) of any Personal Data breach
- Provide all information reasonably necessary to assist Portal in meeting breach notification obligations
- Take reasonable steps to mitigate the effects of the breach
Records and Audits
Processor will:
- Maintain records of processing activities as required by GDPR Article 30
- Allow Portal to audit Processor's compliance with this DPA (subject to reasonable notice and confidentiality obligations)
- Provide reasonable cooperation and information for audits
Data Retention and Deletion
Processor will:
- Retain Personal Data only as long as necessary to provide the Service
- Delete or return Personal Data upon termination of the Service (unless retention is required by law)
- Delete Personal Data within 30 days of Portal's request (unless retention is required by law)
Sub-processors
Authorization
Portal authorizes Processor to engage Sub-processors to process Personal Data, provided that:
- Processor maintains a list of Sub-processors (available upon request)
- Processor provides at least 30 days' notice of new Sub-processors
- Portal may object to new Sub-processors (if the objection is reasonable, Processor will work to find alternative solutions)
Current Sub-processors
Processor currently uses the following Sub-processors:
- Convex: Backend infrastructure and database hosting
- Polar.sh: Payment processing and subscription management
- OpenPanel: Analytics (only with consent)
- Sentry: Error monitoring (only with consent)
- Resend: Email delivery
Sub-processor Obligations
Processor will:
- Ensure Sub-processors are bound by data protection obligations equivalent to this DPA
- Remain liable for Sub-processor compliance
- Terminate Sub-processor agreements if they fail to meet obligations
International Transfers
Transfer Mechanisms
If Personal Data is transferred outside the European Economic Area (EEA) or UK, Processor will ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions
- Other approved transfer mechanisms
Transfer Information
Processor's Sub-processors may be located outside the EEA. Processor will provide information about transfer mechanisms upon request.
Portal Obligations
Portal agrees to:
- Provide accurate and complete instructions for processing Personal Data
- Ensure it has a lawful basis for processing Personal Data
- Obtain necessary consents from Data Subjects
- Comply with applicable data protection laws
- Notify Processor of any changes that may affect processing
Liability and Indemnification
Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
Indemnification
Portal will indemnify Processor against claims arising from:
- Portal's violation of data protection laws
- Portal's instructions that violate data protection laws
- Portal's failure to obtain necessary consents
Term and Termination
This DPA:
- Takes effect on the date both parties agree to it
- Remains in effect for as long as Processor processes Personal Data on behalf of Portal
- Survives termination of the Terms of Service to the extent necessary to comply with obligations
Upon termination, Processor will:
- Cease processing Personal Data (except as required by law)
- Delete or return Personal Data to Portal within 30 days
- Delete existing copies unless storage is required by law
General Provisions
Governing Law
This DPA is governed by the laws specified in the Terms of Service.
Dispute Resolution
Disputes under this DPA are subject to the dispute resolution provisions in the Terms of Service.
Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions will remain in effect.
Amendments
This DPA may be amended by mutual written agreement of both parties.
Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding data processing.
Contact Information
For questions about this DPA, contact:
Processor:
Email: [email protected]
Address: 123 Main St, City, State 12345
Portal:
[Portal Contact Information]
Note: This is a template Data Processing Agreement. You should review and customize it with your specific practices and consult with legal counsel before use. This DPA should be executed as a separate agreement or incorporated into your Terms of Service.