Data Processing Addendum
Last updated: January 15, 2026
1. Introduction
This Data Processing Addendum ("DPA") forms part of the Terms of Service between GPSR Kit ("Processor," "we," or "us") and you ("Controller" or "Customer") for the GPSR Kit service.
This DPA applies when we process personal data on your behalf as a data processor under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Note: This is a simplified DPA for our SaaS service. If your organization requires a more comprehensive agreement, please contact us at gpsrhelp@gmail.com.
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person that you provide to us through the Service.
- "Processing": Any operation performed on Personal Data, including storage, retrieval, use, or deletion.
- "Data Subject": The individual to whom Personal Data relates.
- "Sub-processor": A third party engaged by us to process Personal Data on your behalf.
3. Scope of Processing
3.1 Categories of Data Subjects
The Personal Data processed concerns the following categories of data subjects:
- Your employees and representatives (names, contact details on GPSR documents)
- Your customers (if you include their information in product documentation)
- Manufacturers and suppliers (contact information for compliance documents)
3.2 Types of Personal Data
We may process the following types of Personal Data:
- Names and business titles
- Business email addresses and phone numbers
- Business addresses
- Any other personal data you include in your product documentation
3.3 Purpose of Processing
We process Personal Data solely to:
- Provide the GPSR Kit service to you
- Generate compliance documentation as instructed by you
- Store and manage your product data
- Provide customer support
4. Our Obligations as Processor
We commit to:
4.1 Processing Instructions
Process Personal Data only on your documented instructions, unless required by applicable law. The use of our Service constitutes your instructions to process data.
4.2 Confidentiality
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
4.3 Security Measures
Implement appropriate technical and organizational measures to protect Personal Data, including encryption, access controls, and regular security reviews.
4.4 Sub-processor Management
Only engage sub-processors with your authorization (see Section 6) and ensure they are bound by equivalent data protection obligations.
4.5 Data Subject Rights
Assist you in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, etc.).
4.6 Data Breach Notification
Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting your data.
4.7 Data Deletion
Delete or return all Personal Data at the end of our service relationship, at your choice, unless retention is required by law.
5. Your Obligations as Controller
You are responsible for:
- Lawful Basis: Ensuring you have a lawful basis for processing Personal Data and sharing it with us
- Data Subject Information: Informing data subjects about the processing of their Personal Data
- Data Subject Rights: Handling data subject requests, with our assistance as needed
- Accuracy: Ensuring Personal Data provided to us is accurate and up-to-date
- Instructions: Providing lawful processing instructions
6. Sub-processors
6.1 Authorized Sub-processors
By accepting this DPA, you authorize us to use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| MongoDB, Inc. | Database hosting (MongoDB Atlas) | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU/US |
| Stripe, Inc. | Payment processing | US (with EU SCCs) |
6.2 New Sub-processors
We will notify you before adding new sub-processors by:
- Updating the list on this page
- Sending an email notification to your account email (for significant changes)
You may object to a new sub-processor within 30 days. If we cannot address your objection, you may terminate the affected services.
7. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- EU-approved data centers: Our primary database is hosted in the EU
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with sub-processors that process data outside the EEA
- Adequacy decisions: Where applicable, we rely on EU adequacy decisions
8. Security Measures
We implement the following security measures:
| Measure | Description |
|---|---|
| Encryption | TLS 1.3 for data in transit; AES-256 encryption for data at rest |
| Access Control | Role-based access control; multi-factor authentication for admin access |
| Monitoring | Continuous security monitoring; regular vulnerability assessments |
| Backups | Regular encrypted backups; point-in-time recovery capabilities |
9. Audit Rights
You have the right to audit our compliance with this DPA. We will:
- Make available information reasonably necessary to demonstrate compliance
- Allow for and contribute to audits conducted by you or an auditor you appoint
- Provide copies of relevant certifications or audit reports upon request
Audits must be conducted with reasonable notice, during business hours, and must not disrupt our operations. You bear the cost of any audits you request.
10. Term and Termination
This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination:
- We will delete or return Personal Data within 30 days, at your choice
- We may retain data required by law for the legally required period
- Confidentiality obligations survive termination
11. Contact
For questions about this DPA or to exercise your rights:
GPSR Kit
Data Protection Contact
Email: gpsrhelp@gmail.com
Agreement
By using GPSR Kit, you agree to this Data Processing Addendum. This DPA is incorporated into and forms part of our Terms of Service. If there is any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.