Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between p15r ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by p15r on behalf of the Customer in connection with the p15r services.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, and deletion.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by p15r to process Personal Data.
2. Scope and Purpose
p15r will process Personal Data only:
- For the purpose of providing the p15r services as described in the Terms of Service
- In accordance with the Customer's documented instructions
- In compliance with applicable data protection laws
3. Categories of Data
The types of Personal Data processed may include:
- Contact information (name, email address)
- Account credentials (encrypted)
- Usage data and analytics
- Content uploaded to the service (audit reports, issues)
- Communication records
4. Processor Obligations
p15r shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Notify the Controller of any Personal Data breach without undue delay
- Delete or return all Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
5. Sub-processors
The Customer authorizes p15r to engage Sub-processors to process Personal Data. Current Sub-processors include:
- Supabase - Database and file storage (US/EU)
- Clerk - Authentication services (US)
- Stripe - Payment processing (US/EU)
- Vercel - Hosting and deployment (US/EU)
p15r will inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.
6. International Transfers
Where Personal Data is transferred outside the EEA, p15r ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or transfers to countries with adequate data protection levels.
7. Security Measures
p15r implements security measures including:
- Encryption of Personal Data at rest and in transit
- Access controls and authentication mechanisms
- Regular security testing and monitoring
- Incident response procedures
- Employee security training
- Physical security of data centers (via Sub-processors)
8. Data Subject Rights
p15r will assist the Controller in fulfilling Data Subject rights requests, including access, rectification, erasure, data portability, and objection to processing. The Controller is responsible for responding to Data Subject requests, and p15r will provide reasonable assistance.
9. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, p15r will delete or return all Personal Data within 30 days, unless retention is required by law.
Request a Signed DPA
Enterprise customers can request a countersigned copy of this DPA. Contact us at legal@p15r.io with your company details.