Data Processing Agreement
Effective Date: December 1, 2025
This DPA applies when we process personal data on your behalf, particularly where GDPR or similar data protection laws apply. It forms part of our Terms of Service.
1. Definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person
- "Processing" — Any operation performed on Personal Data (collection, storage, use, disclosure, deletion)
- "Data Subject" — The individual to whom Personal Data relates
- "Sub-processor" — Any third party we engage to process Personal Data on your behalf
- "Data Protection Laws" — GDPR, CCPA, and other applicable data protection legislation
2. Scope and Roles
2.1 Controller and Processor
For the purposes of this DPA, you are the Controller and we are the Processor of Personal Data processed through our services. You determine the purposes and means of processing; we process data only on your documented instructions.
2.2 Types of Data Processed
We may process the following categories of Personal Data on your behalf:
- Contact information (names, email addresses, phone numbers)
- Account credentials (usernames, hashed passwords)
- User-generated content submitted through your website
- Transaction data (orders, payments, invoices)
- Usage data (IP addresses, browser information, page views)
- Any other data you collect through your website
2.3 Data Subjects
Data Subjects may include your customers, website visitors, employees, contractors, and any individuals whose data you collect through our services.
3. Processing Instructions
We will process Personal Data only in accordance with your documented instructions, unless required by law. The services described in our Terms of Service constitute your initial instructions. You may provide additional processing instructions in writing.
4. Security Measures
We implement appropriate technical and organizational measures:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Control: Role-based access, multi-factor authentication
- Infrastructure: Secure cloud hosting with SOC 2 certified providers
- Monitoring: Continuous security monitoring and logging
- Backups: Regular encrypted backups with secure storage
- Incident Response: Documented procedures for security incidents
5. Sub-processors
5.1 Authorized Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, CDN, Edge Functions | USA (Global Edge) |
| Supabase Inc. | Database, Authentication | USA (AWS) |
| Stripe Inc. | Payment Processing | USA |
| Resend Inc. | Transactional Email | USA |
| GitHub Inc. | Code Repository (if applicable) | USA |
5.2 New Sub-processors
We will notify you before engaging new sub-processors. You may object within 14 days if you have reasonable grounds.
6. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under Data Protection Laws:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
7. Data Breach Notification
72-Hour Notice: We will notify you without undue delay (within 72 hours) upon becoming aware of a Personal Data breach affecting data we process on your behalf.
Our notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. International Transfers
Personal Data may be transferred to countries outside the EEA, including the United States. We ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Selection of providers with appropriate certifications (SOC 2, ISO 27001)
9. Audits and Compliance
We maintain records of processing activities and will make information available to demonstrate compliance. Upon reasonable notice, you may audit our compliance (no more than once per year, during business hours, at your expense).
10. Data Retention and Deletion
We retain Personal Data only as long as necessary. Upon termination or your written request, we will delete or return all Personal Data within 90 days, unless legally required to retain. We will certify deletion upon request.
11. Liability
Liability under this DPA is subject to the limitations in our Terms of Service. Nothing limits liability for breaches of Data Protection Laws where such limitation is not permitted.
12. Term and Termination
This DPA remains in effect for the duration of our service agreement and automatically terminates when we no longer process Personal Data on your behalf.
13. Contact
For questions about this DPA or to exercise your rights:
- Email: privacy@greeneville.dev
- Address: Greeneville, TN, United States
By using our services, you agree to this DPA. For a signed copy or modifications, contact legal@greeneville.dev.
Last updated: December 1, 2025