DATA PROCESSING AGREEMENT (Art. 28 GDPR)

This Data Processing Agreement ("DPA") forms part of the Service Agreement between [Controller legal name, company no., address] ("Controller") and Notaku, Ditta Individuale di Tommaso De Rossi, P.IVA IT02887130991, Chiavari, Italy ("Processor"). Capitalized terms not defined here have the meanings in the Service Agreement or the GDPR.

Background

The parties entered into the Service Agreement under which Processor provides docs website hosting services ("Notaku Service") that transform content from Notion (as CMS) into public documentation websites. Notaku hosts the generated sites and related assets on Vercel as its infrastructure provider. This may involve Processing of Personal Data on behalf of Controller. This DPA sets out the parties' obligations with respect to such Processing in accordance with Article 28 GDPR and related laws.

1. Definitions

“Applicable Data Protection Law” means the GDPR and any applicable Member State laws implementing or supplementing it, the UK GDPR and Data Protection Act 2018 (where applicable), and the Swiss FADP (where applicable). “Sub-processor”, “Personal Data”, “Data Subject”, “Processing”, etc. have the meanings given in the GDPR.

2. Subject Matter, Duration, Nature and Purpose

2.1 Subject Matter & Duration. The subject matter and duration of the Processing are as described in Annex I and continue for the term of the Service Agreement, unless earlier terminated as provided herein.

2.2 Nature & Purpose. The nature and purpose of Processing are to provide the Services described in Annex I strictly on documented instructions from Controller.

3. Roles and Instructions

3.1 Roles. Controller is the Controller and Processor is the Processor of Personal Data under this DPA.

3.2 Instructions. Processor shall Process Personal Data only on documented instructions from Controller (including with respect to international transfers), unless required by EU/Member State law to which Processor is subject; in such a case Processor shall inform Controller of that legal requirement before Processing, unless the law prohibits such information.

3.3 Confidentiality. Processor ensures that persons authorized to Process Personal Data are subject to confidentiality obligations.

4. Security of Processing

4.1 TOMs. Processor implements and maintains appropriate technical and organizational measures (TOMs) described in Annex II. Processor may update TOMs provided they do not materially diminish the level of protection.

4.2 Records. Processor maintains records of Processing activities as required by Art. 30(2) GDPR.

5. Sub-processing

5.1 Authorization. Controller grants general authorization for Processor to engage Sub-processors. The current list is in Annex III.

5.2 Onboarding/Substitution. Processor will notify Controller at their registered email address of intended changes concerning addition or replacement of Sub-processors, thereby giving Controller the opportunity to object on reasonable grounds within 14 days. If Controller objects, the parties will discuss in good faith; if unresolved, Controller may suspend or terminate affected Services.

5.3 Flow-down. Processor shall impose on Sub-processors the same data protection obligations as set out in this DPA, by written contract, including sufficient guarantees of appropriate TOMs. Processor remains fully liable to Controller for Sub-processor performance.

6. International Data Transfers

6.1 EEA/UK/CH Transfers. Processor shall not transfer Personal Data outside the EEA/UK/Switzerland without documented instructions from Controller and appropriate safeguards under Chapter V GDPR (or equivalent under UK/CH law).

6.2 SCCs. Where applicable, the EU Commission Standard Contractual Clauses (SCCs) (2021/914) Module 2 (Controller→Processor) and/or Module 3 (Processor→Processor) are incorporated by reference and form Annex IV. For UK transfers, the ICO International Data Transfer Addendum (IDTA/Addendum) applies; for Swiss transfers, the Swiss FADP variations apply.

6.3 TIA. Where required, Processor will assist Controller with Transfer Impact Assessments relating to Third Country laws and practices.

7. Assistance to Controller

7.1 Data Subject Requests. Taking into account the nature of Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller’s obligations to respond to requests for exercising Data Subject rights.

7.2 DPIA & Consultations. Processor shall provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of Processing and information available to Processor.

8. Personal Data Breach

Processor shall notify Controller without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach affecting Controller's Personal Data. Notifications shall be sent to Controller's registered email address. Notification will include at least the information required by Art. 33(3) GDPR to the extent available and will be updated as further information becomes available.

9. Deletion and Return

Upon termination of the Services, at Controller's choice, Processor shall delete or return all Personal Data and delete existing copies within 30 days, unless EU/Member State law requires storage. Backup media will be overwritten in line with standard cycles as set out in Annex II.

10. Audits and Inspections

Processor shall make available to Controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, on reasonable prior notice, during business hours, not more than once per 12 months, subject to confidentiality and security obligations. Audit requests should be sent to [email protected]. Third‑party certifications and audit reports (e.g., ISO 27001, SOC 2) may be used to satisfy audit requests where appropriate.

11. Liability and Order of Precedence

Liability is governed by the Service Agreement, except where prohibited by Applicable Data Protection Law. In the event of conflict, the SCCs (where applicable) prevail, then this DPA, then the Service Agreement.

12. Miscellaneous

Nothing in this DPA relieves Processor of its own obligations under the GDPR. If any provision is held invalid, the remainder will continue in full force.

ANNEX I – Details of Processing

  • Subject matter: Processing necessary to provide the Notaku docs website hosting Service and related support.
  • Duration: For the term of the Service Agreement (until deletion/return under Section 9).
  • Nature & purpose: Hosting and delivery of documentation websites and related assets; configuration of domains; caching via CDN; support; security and performance monitoring.
  • Categories of Data Subjects: Controller’s administrators/editors; site visitors/end‑users; support requesters.
  • Categories of Personal Data: Admin account data (name, email), authentication identifiers; configuration metadata (workspace/site settings), content provided by Controller for publication; visitor HTTP requests and logs (IP address, user‑agent, referrer, request path), CDN/cache telemetry; limited support metadata. No special categories are intended to be processed by default.
  • Special categories: None, unless explicitly provided by Controller in published content (Controller responsibility).
  • Frequency: Continuous.
  • Retention: Active site content retained for the subscription term; routine logs retained 30 days; caches are transient; backups retained 30 days (see Annex II).
  • Processing locations: Global content delivery via Vercel Edge Network; function execution regions configurable (EU regions preferred where possible).
  • Controller instructions: As set forth in the Agreement and this DPA; additional instructions require written agreement.

ANNEX II – Technical & Organizational Measures (TOMs)

Governance & Access Control

  • Information security program aligned to ISO/IEC 27001 controls; security roles defined; security awareness; confidentiality undertakings.
  • SSO and MFA for production access; least‑privilege RBAC; quarterly access reviews and just‑in‑time elevation.

Asset & Data Management

  • Data classification; documented data flows; separation of prod/stage/dev.
  • Encryption in transit (TLS 1.2+) and at rest (AES‑256 or cloud‑provider equivalent). Keys managed via cloud provider KMS with restricted access.

Application & Infrastructure Security

  • Secure SDLC, code review, dependency scanning (SCA) and SAST; secrets in environment variables and secure configuration management.
  • Hosting and CDN via Vercel (sub‑processor). Vercel maintains ISO 27001:2022 certification and SOC 2 Type II reports and publishes security measures and sub‑processors (see Annex III). Notaku configures regions for functions close to data sources where supported.
  • Hardened base images; patch SLAs (e.g., high severity ≤ 30 days); vulnerability scanning monthly; security testing as appropriate.
  • Network security: VPC segmentation; firewalls/security groups; WAF/DDoS protections via Cloudflare; restricted admin ingress.

Monitoring & Logging

  • Centralized logging with 30‑day retention; time‑sync; tamper‑evident.
  • Alerting on auth anomalies, privilege changes, and unusual egress; on‑call rotation.

Business Continuity & Backup

  • Daily encrypted backups with 30‑day retention; periodic restore tests.
  • High availability via Vercel's global infrastructure; target RPO 4h, RTO 8h.

Privacy by Design & Data Minimization

  • Collect only data necessary for hosting and security; pseudonymize/anonymize where feasible; configurable retention.

Vendor & Sub‑processor Management

  • Risk assessments prior to onboarding; DPAs/SCCs executed; annual reassessments; contractual flow‑down of obligations.

Incident Response

  • Documented plan; triage/containment/eradication; customer notification per Section 8.

Physical Security

  • Data centers operated by certified providers; access controls and monitoring.

Change Management

  • Git‑based change control; CI/CD with approvals; rollbacks tracked.

ANNEX III – Sub‑processor Register

Each entry lists the Sub-processor name, its location, and the purpose of Processing:

  • Vercel, Inc. (United States): Application hosting and content delivery
  • Cloudflare, Inc. (United States): CDN, security, and edge computing services
  • Paddle.com Market Ltd (United Kingdom / Ireland): Payment processing and merchant services
  • Google Cloud Platform (United States): Cloud infrastructure and storage
  • PostHog, Inc. (United States): Product analytics
  • Bugsnag, Inc. (SmartBear) (United States): Error monitoring
  • Amazon Web Services (United States): Email delivery services (SES)
  • Stripe, Inc. (United States / Ireland): Payment processing
  • Tinybird Inc. (United States): Real-time data analytics
  • PlanetScale Inc. (United States): Database hosting

Notes: Some payment providers (e.g., Paddle, Stripe) may act as independent controllers for certain activities (e.g., fraud prevention, regulatory compliance). They are listed here for transparency as they process Controller contact/billing data in connection with the Notaku Service.

Change Notifications: Processor will notify Controller via email to their registered address 14 days before any changes to Sub-processors.

ANNEX IV – International Transfers (SCCs)

  • The parties agree that the EU Standard Contractual Clauses 2021/914 apply as follows: Module 2 (C→P) between Controller and Processor; Module 3 (P→P) between Processor and each Sub‑processor (where relevant). Append completed Annexes I–II to the SCCs using the information from Annex I–III of this DPA. Clause 9 (Use of sub‑processors): Option 2 – General Authorization with a 14‑day notice period. Clause 17: Governing law Italy. Clause 18: Forum Italy.
  • For UK transfers: the ICO IDTA/Addendum (Version B1.0) is incorporated and completed using the details in this DPA.
  • For Swiss transfers: apply the SCCs with the Swiss FADP variations (references to GDPR mean FADP; competent authority: FDPIC; forum/law: Switzerland).

Contacts for Data Protection

  • Controller contact: [name, email]
  • Processor DPO/Security contact: Tommaso De Rossi, [email protected]

Signatures

Signed for and on behalf of Controller:

Name: __________________ Title: __________________ Date: ____________

Signed for and on behalf of Processor:

Name: Tommaso De Rossi Title: Titolare (Sole Proprietor) Date: [Date of signing]