Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and Privacy Policy (collectively, the “Agreement”) between you (“Customer”) and Ecardify (“Processor”).

1. Definitions

  1. Customer: The individual or entity that signs up for the Processor’s service and acts as the Data Controller under GDPR.
  2. End Users: The individuals who create video/audio/text recordings facilitated by the Processor’s service.
  3. Personal Data: Data relating to an identifiable individual, as defined by GDPR. The Processor collects no personal data of End Users.
  4. Processing: Any operation or set of operations performed on Personal Data.
  5. Subprocessor: A third party engaged by the Processor to process data on behalf of the Customer.
  6. Recordings: Video, audio or text recordings that the Customer or the End Users create through the Processor’s service.

2. Roles and Responsibilities

  1. Customer as Controller: The Customer determines the purpose and means of processing End User data and Recordings.
  2. Processor’s Role: The Processor processes data strictly in accordance with the Customer’s instructions and provides tools to enable the Customer to exercise their role as Controller.

3. Data Collection and Retention

  1. Customer Data: The Processor collects the Customer’s email and has access to IP addresses during service use but does not store IP addresses.
  2. End User Data: The Processor does not collect personal information from End Users. Recordings are stored solely to enable delivery to recipients specified by End Users (e.g., via links or QR codes).
  3. Retention: Recordings are retained only for the duration set by the Customer and are deleted per their instructions.

4. Data Transfers Outside the EU

  1. The Processor’s servers are located in the United States, hosted on Google Cloud, a GDPR-compliant third-party subprocessor.
  2. Data transfers outside the EU are governed by Standard Contractual Clauses (SCCs) and supplementary measures such as encryption and strict access controls.

5. Subprocessors

  1. The Processor uses Google Cloud and Cloudflare as subprocessors. These subprocessors implement cutting-edge technologies and comply with GDPR requirements.
  2. A list of subprocessors with no direct access to Recordings and Personal Data is available upon request.

6. Data Security

  1. The Processor employs the security measures provided by Google Cloud and Cloudflare to protect data, including encryption, firewalls, and monitoring systems.
  2. In the event of a data breach, the Processor will promptly notify the Customer and provide all necessary details and support.

7. Customer Rights and Control

  1. The Customer retains full rights to their data and their End Users’ recordings.
  2. The Processor provides tools for the Customer to access, manage, or delete data at any time.

8. Termination

  1. Upon termination of the Agreement, the Processor will securely delete all data related to the Customer and their End Users.

9. Customer Responsibilities

  1. The Customer is responsible for ensuring compliance with GDPR when collecting and processing End User data.
  2. The Customer must obtain appropriate consent from End Users before using the Processor’s service.

10. Miscellaneous

  1. This DPA is governed by the laws applicable to the Agreement.
  2. In case of conflict between the DPA and the Agreement, the terms of this DPA prevail.

By signing up for and using the Processor’s services, the Customer agrees to the terms of this DPA.