
Data Processing Agreement (DPA)

Last updated: May 24, 2026

Required reading if you process EU/UK personal data through Plauditly — meaning, basically, if any testimonial author is in Europe. This is our standard, offer-up-front DPA, written to satisfy GDPR Article 28. Sign it electronically by emailing acceptance, or request a countersigned PDF.

How to execute

This is our offered DPA. To accept it on behalf of your organization:

  • Send an email to legal@plauditly.app from a corporate domain that matches your billing email.
  • Subject: DPA acceptance — [Your company name].
  • Body: "We accept the Plauditly DPA dated [last-updated date above] for processing of personal data through our account." Include your billing email + company legal name.
  • We'll reply within 2 business days confirming execution and attaching a PDF copy with both signatures.

If you need redlines, custom terms, or your own DPA paper, we'll review. For most SaaS customers, this standard DPA is acceptable to procurement.

1. Definitions

Terms used here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR / Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), or other applicable data-protection law (collectively, "Data Protection Laws").

"Customer Data" means any personal data you provide to Plauditly through your account or that your end-users submit through your collection links. "You" is the controller / business; "Plauditly" is the processor / service provider acting on your documented instructions.

2. Scope and roles

Plauditly processes Customer Data only as your processor (under GDPR) or service provider (under CCPA/CPRA), strictly for the purposes of:

  • Operating the Plauditly service as described in our Terms of Service.
  • Providing the dashboard, embed widgets, public API, and support.
  • Complying with our legal obligations.
  • Other written instructions from you that we agree to in writing.

We do not sell Customer Data and do not share it for cross-context behavioral advertising or any other purpose outside the service.

3. Categories of data and data subjects

Categories of personal data: Name, role, company, email, IP address, user-agent, testimonial text, rating, timestamps, account login email, OAuth profile data, payment metadata.
Categories of data subjects: Your end-users who submit testimonials; your account users; your billing contacts.
Special categories: None intentionally. You agree not to submit special-category data (health, biometrics, religion, etc.) without entering a written addendum.
Duration of processing: For the term of your subscription; deletion within 30 days of account closure (except for legally required retention).
Nature and purpose: Storing testimonials, rendering them via embeds and APIs to your customers, billing, support.

4. Plauditly's obligations

We will:

  • Process Customer Data only on your documented instructions (the Terms of Service plus your dashboard configurations constitute documented instructions).
  • Ensure persons authorized to process Customer Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see §6 below and /legal/security).
  • Engage subprocessors only on terms substantially the same as this DPA — list maintained at /legal/subprocessors.
  • Notify you of any new subprocessor with at least 30 days' advance notice; you may object on reasonable grounds, in which case we'll either resolve the concern or you may terminate without penalty.
  • Assist you in responding to data-subject requests (access, deletion, etc.) within the timelines you require, using the tools we provide.
  • Notify you of any personal data breach affecting your Customer Data without undue delay, and in any event within 72 hours.
  • Assist you with data-protection impact assessments and prior consultations with supervisory authorities where reasonably required.
  • On termination, delete or return all Customer Data within 30 days (your choice), except where retention is required by law.
  • Make available all information reasonably necessary to demonstrate compliance and allow for audits as described in §9.

5. Your obligations

You confirm and agree that:

  • You have a valid legal basis under Data Protection Laws for the processing you instruct us to perform.
  • You will obtain valid consent (or rely on another lawful basis) for any testimonial author whose data you collect.
  • You will respond to data-subject requests you receive directly; we will assist with requests directed to us.
  • You will not submit special-category data, criminal-conviction data, or data of children under 13 (or under 16 where local law applies) without a written addendum.
  • You will comply with applicable advertising disclosure laws (FTC, UCPD, equivalents) regarding the testimonials you publish.

6. Security measures (Annex II to SCCs)

Plauditly implements the following technical and organizational measures — see /legal/security for the full detail. Summary:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access control: row-level security at the database; per-request authentication; secrets stored only in Vercel environment variables.
  • Network: HTTP Strict Transport Security with preload, Content-Security-Policy, X-Frame-Options DENY (except embed iframe), Permissions-Policy.
  • Application: webhook signature verification, honeypot + rate limiting on public POST endpoints, privacy-by-design column-level isolation of testimonial author emails.
  • Personnel: role-restricted access; confidentiality obligations.
  • Incident response: 72-hour breach notification process (see §4).
  • Resilience: automated daily backups; documented RPO 24h / RTO 4h.

7. Sub-processors (Annex III to SCCs)

The current sub-processors are listed at /legal/subprocessors. We give 30 days' notice before adding a new sub-processor that will handle personal data. You can subscribe to updates by emailing legal@plauditly.app with subject "sub-processor notifications".

8. International transfers

For transfers of Customer Data outside the EEA / UK / Switzerland, we rely on (in order of preference): the EU-US Data Privacy Framework where the recipient is certified, and the European Commission Standard Contractual Clauses (Decision 2021/914) Module 2 (controller-to-processor) and Module 3 (processor-to-processor) where they are not. UK transfers use the UK International Data Transfer Addendum to the SCCs. Swiss transfers use the Swiss-US DPF where applicable, with SCCs as a fallback.

The relevant supplementary measures (encryption, role-restricted access, transparency about US legal access) are documented in our Transfer Impact Assessment, available on request from legal@plauditly.app.

9. Audits and certifications

You may audit our compliance with this DPA once per year, on reasonable advance notice (typically 30 days), under a mutually agreed scope and confidentiality terms. We can usually satisfy audit requests by sharing:

  • Our /legal/security page and incident playbook.
  • Supabase, Stripe, and Vercel SOC 2 Type II reports (these are our sub-processors; we pass the underlying audits through where contractually permitted).
  • Written responses to your security questionnaire.
  • Sub-processor list and transfer-impact summary.

Onsite audits or live access to production systems are evaluated case-by-case and may require additional fees and a separate audit agreement.

10. Term and termination

This DPA is effective from the date of your acceptance email and continues for as long as you have an active Plauditly account. Termination follows the rules in our Terms of Service. Deletion obligations under §4 survive termination.

11. Liability and governing law

Each party's liability under this DPA is subject to the limitations in our Terms of Service, except that this DPA's allocation of responsibility under Data Protection Laws is not itself limited by those caps where Data Protection Law requires otherwise.

Governing law and forum follow the Terms of Service, except where mandatory rules of your local consumer-protection or data-protection law preserve a different forum or applicable law.

12. Contact

DPA acceptance and questions: legal@plauditly.app.

This DPA is a template offered in good faith. Consult counsel for your specific situation; we'll work with you to address any material gaps in writing.