This data processing agreement (DPA) is entered into between ProofEU (the processor) and you (the controller) when you sign up to ProofEU. It takes effect as soon as your account is created.
1. Definitions
In this agreement, the following terms have the meaning given to them in the GDPR: "personal data", "processing", "controller", "processor", "data subject".
2. Subject matter and duration
ProofEU processes personal data on behalf of the controller as part of providing the service for collecting and displaying customer testimonials. Processing lasts for as long as the account is active.
3. Nature and purpose of processing
ProofEU only processes the data necessary to provide the service:
- Storage of customer testimonials (name, role, company, content, rating)
- Display of approved testimonials via the embed widget
- Management of the administrator account (email, hashed password)
4. Processor obligations
ProofEU undertakes to:
- Process personal data only on the documented instructions of the controller (this agreement and the account configuration instructions).
- Ensure that persons authorized to process the data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement the appropriate technical and organizational measures referred to in Article 32 of the GDPR (TLS 1.3 encryption, AES-256 encryption at rest, bcrypt password hashing, restricted access to production data).
- Not engage a sub-processor without first informing the controller. The current list of sub-processors is available at proofeu.com/gdpr.
- Assist the controller in honoring data subject rights (access, rectification, erasure, portability).
- Notify the controller within 72 hours of any personal data breach.
- Delete or return all personal data at the end of the contractual relationship, unless applicable law requires retention.
- Make available to the controller all information necessary to demonstrate compliance with the obligations of this article.
5. Processing location
All personal data is stored and processed within the European Economic Area (EEA), specifically in Dublin, Ireland. No data is transferred to third countries.
6. Sub-processors
ProofEU relies on the following sub-processors, all located within the EEA and GDPR-compliant:
- Turso (ChiselStrike, Inc.): Cloud SQLite database, Dublin, Ireland region. DPA available at turso.tech/privacy.
- Vercel, Inc.: Hosting and CDN, Dublin (Ireland) region. DPA available at vercel.com/legal/dpa.
- Lemon Squeezy: Payment processor (EU merchant of record). DPA available at lemonsqueezy.com/privacy.
7. Liability
Each party is responsible for complying with its own obligations under the GDPR. ProofEU indemnifies the controller for any damage caused by the failure to comply with the processor-specific obligations set out in the GDPR.
8. Governing law
This agreement is governed by French law. Any dispute shall be submitted to the competent court in France.
9. Contact
For any question about this DPA: privacy@proofeu.com
Processor
ProofEU
privacy@proofeu.com
Signature:
Date: _______________
Controller
Company name: _______________
Company registration no.: _______________
Signature:
Date: _______________