Data Processing Agreement
Standard template, GDPR Article 28 compliant
How to use this document. This DPA is the standard agreement between DSFrog (the "Processor") and a client (the "Controller") when DSFrog processes personal data on behalf of the client — for example, when a dashboard ingests data about the client's customers, employees, or website visitors. It applies in addition to the main service agreement.
How to sign. Request a fillable copy by email — we'll send a Word/PDF document within one business day. Complete Annex A (data categories specific to your case), sign electronically (or wet-ink), and return. We countersign and email both parties a fully signed copy for your records.
1. Parties
Processor: DSFrog, operated from Poland (the "Processor"). Contact: hello@ds-frog.com.
Controller: The client identified in the main service agreement.
2. Subject matter, duration, nature, and purpose
- Subject matter: Provision of dashboard / analytics services as described in the main agreement.
- Duration: Same as the main service agreement; obligations on return/deletion of data survive termination.
- Nature of processing: Hosting, storing, displaying, aggregating, and visualizing data the Controller provides or imports from third-party sources.
- Purpose: To enable the Controller to view and analyze its own business data through the dashboard.
3. Categories of personal data and data subjects
The specific categories are listed in Annex A attached to the signed copy of this DPA. Typical examples:
- Contact details of the Controller's customers (name, email, phone)
- Transaction data (dates, amounts, products)
- Behavioral data from analytics platforms (sessions, page views, events)
- Marketing performance data (impressions, clicks, conversions)
The Processor does not process special categories of data (Art. 9 GDPR) unless explicitly agreed in writing.
4. Controller's instructions
The Processor will process personal data only on documented instructions from the Controller, including with regard to transfers to third countries. Such instructions are given through (a) configuration of the dashboard and connected data sources, (b) the main service agreement, and (c) written communication (email is sufficient).
5. Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Currently access is limited to a single technical administrator.
6. Security of processing
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The current measures are documented at /security and include, at minimum:
- TLS 1.2+ encryption in transit (Cloudflare Full Strict; HSTS enabled)
- Password hashing with bcrypt (cost 12)
- Mandatory two-factor authentication (TOTP) for all dashboard users
- Per-user dashboard isolation enforced at the request middleware layer
- Server access restricted to SSH key authentication only (no password login)
- Origin server reachable only via Cloudflare (origin lockdown via firewall)
- Brute-force protection (fail2ban on SSH and HTTP authentication endpoints)
- Daily encrypted backups with 30-day retention in DigitalOcean Spaces
- Login audit log capturing IP, user-agent, success/failure, and reason for every authentication attempt
- Automated health monitoring with operational alerting (Telegram)
7. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
- DigitalOcean LLC (US, with EU data centers available) — server hosting and encrypted backup storage
- Cloudflare Inc. (US) — TLS termination, CDN, DDoS protection
- Resend Inc. (US) — transactional email (password resets, system notifications)
The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds. Cross-border transfers to U.S. providers rely on EU Standard Contractual Clauses (SCCs) where required.
8. Assistance to the Controller
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights (access, rectification, erasure, portability, objection).
Standard data exports are provided as JSON or CSV. Deletion requests are processed within 7 calendar days of the Controller's instruction.
9. Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 24 hours after becoming aware of a personal data breach involving the Controller's data. The notification will describe, at a minimum:
- The nature of the breach, including the categories and approximate number of data subjects affected
- The likely consequences
- The measures taken or proposed to address the breach and mitigate its possible adverse effects
- Contact point for further information
10. Audits and inspections
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, with reasonable notice (at least 14 days) and during business hours, no more than once per calendar year except where required by a supervisory authority.
11. Return or deletion of data
At the end of the provision of services, the Processor will, at the choice of the Controller, return or delete all personal data, including all existing copies, within 30 days, unless retention is required by applicable law. Backup copies are automatically deleted within the standard 30-day retention window.
12. International transfers
Where personal data is transferred outside the EEA (e.g., to U.S.-based sub-processors listed in Section 7), the Processor will ensure that appropriate safeguards are in place, primarily through the EU Standard Contractual Clauses adopted by the European Commission.
13. Liability
The liability of the parties under this DPA is governed by the limitations and exclusions set out in the main service agreement. Nothing in this DPA limits liability where it cannot be limited by applicable law (e.g., for fines imposed by supervisory authorities under Art. 83 GDPR).
14. Governing law
This DPA is governed by the laws of Poland, without prejudice to any mandatory provisions of EU data protection law.
Annex A — to be filled in by the Controller
- Categories of data subjects (e.g., customers, leads, employees)
- Categories of personal data (e.g., name, email, transaction data)
- Special categories (if any) — explicit written authorization required
- Specific data sources connected to the dashboard
- Retention period requested by the Controller (default: as long as the dashboard is active)
Disclaimer
This template reflects standard GDPR Art. 28 obligations and DSFrog's actual technical setup. It is not legal advice. For high-risk or large-scale processing the Controller should have it reviewed by qualified counsel and may require modifications.