Data Processing Agreement (DPA)
Last updated: 2026-06-05
This DPA forms part of the Terms of Service between you ("Controller") and Yas (sole proprietor, eenmanszaak, NL), operating StoreLingo ("Processor"). It applies whenever Customer Personal Data is processed under the Terms.
1. Subject matter and duration
Processor processes Personal Data on behalf of Controller for the duration of the Terms and as required for the Services described therein.
2. Nature and purpose
| Item | Detail |
|---|---|
| Processing activities | Storing OAuth tokens, reading Webflow product content, sending content to DeepL for translation, storing translations, sending transactional email, taking Stripe payments. |
| Categories of data subjects | The Controller (you), end-users of Controller's Webflow site (whose names may appear in product reviews or similar fields if Controller stores such data in Webflow). |
| Categories of Personal Data | Name and email of Controller; product content potentially containing personal data if Controller stores such content. |
| Special categories | None expected; Controller agrees not to submit special-category data without prior written agreement. |
3. Sub-processors
Controller authorizes the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | US, with EU representation |
| DeepL SE | AI translation | Germany |
| Hetzner Online GmbH | Hosting | Germany |
| Supabase Inc. | Managed Postgres (if used) | EU region |
| Resend, Inc. | Transactional email | US, with EU adequacy mechanism |
| Sentry, Inc. | Error tracking (optional) | US, with SCCs |
Processor will notify Controller at least 30 days in advance of any change to the sub-processor list. Controller may object on reasonable grounds.
4. Processor obligations
Processor will:
- Process Personal Data only on documented instructions from Controller.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (TOMs; see section 5).
- Assist Controller in responding to data-subject requests and in fulfilling Controller's obligations under GDPR articles 32-36.
- Notify Controller without undue delay (within 72 hours) of a personal-data breach.
- Delete or return all Personal Data at the end of the Services, save for legal retention obligations.
- Make available all information necessary to demonstrate compliance and allow audits, on reasonable notice and at Controller's cost.
5. Technical and organizational measures
- Encryption of OAuth tokens at rest (AES-256-GCM).
- Encryption in transit (TLS 1.2+).
- Encrypted database backups, rotated every 30 days.
- Access control: production access limited to the sole operator (Yas) via SSH key authentication, with 2FA on critical accounts.
- Logging of administrative actions.
- Incident response procedure documented internally.
- Annual review of security posture.
6. International transfers
Where data is transferred outside the EEA (e.g., to Stripe, Resend, and Sentry in the US), Standard Contractual Clauses (SCCs) are in place with those sub-processors.
7. Liability
Liability under this DPA is subject to the limitation of liability in the Terms.
8. Term and termination
This DPA terminates automatically when the Terms terminate or when Processor ceases processing Personal Data on Controller's behalf, whichever is later.
9. Governing law
Dutch law governs this DPA. Disputes are subject to the competent court in the Netherlands.