Data Processing Agreement

Last updated: 15 March 2026


A signed copy of this DPA is available on request. Email legal@dpokit.com with your company name and licence key.


This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service between you (“Controller”) and DPOKit Ltd (“Processor”). It governs the processing of personal data carried out by DPOKit on your behalf in connection with the DPOKit licence API.

This DPA is entered into in accordance with Article 28 of the GDPR and UK GDPR and applies wherever you are established in the EU, the UK, or another jurisdiction with equivalent data protection requirements.

1. Definitions

Terms used but not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018):

  • “Personal Data” — any information relating to an identified or identifiable natural person transmitted to the Processor in the course of licence activation or validation (primarily: site URL, where it constitutes personal data under applicable law).
  • “Processing” — any operation performed on Personal Data, including storage, retrieval, and deletion.
  • “Sub-processor” — any third party engaged by DPOKit to process Personal Data on the Controller’s behalf.

2. Subject matter and duration

DPOKit processes Personal Data on your behalf solely to provide the licence validation, activation, and update distribution services described in the Terms of Service. Processing continues for the duration of your licence subscription and ceases upon termination, after which Personal Data will be deleted or anonymised within 90 days unless a longer retention period is required by law.

3. Nature and purpose of processing

Category                | Data elements                                          | Purpose                                                                              | Retention
Licence activation data | Site URL, activation timestamp                         | Enforce per-licence site limits; provide activation history in customer dashboard    | Duration of licence + 90 days
Licence validation data | Licence key (hashed), request timestamp, IP address    | Validate licence status; rate limiting and abuse prevention                          | 30 days (rolling log)
Update request data     | Plugin version, site URL, licence key (hashed)         | Deliver Plugin updates to authorised licence holders                                 | 30 days (rolling log)

4. Controller obligations

You agree to:

  • Ensure that any Personal Data transmitted to DPOKit is done lawfully and with a valid legal basis under applicable data protection law.
  • Provide any required notices to data subjects whose data is transmitted to DPOKit.
  • Promptly notify DPOKit of any applicable legal requirement that would prevent DPOKit from complying with this DPA.

5. Processor obligations

DPOKit agrees to:

  • Process Personal Data only on documented instructions from the Controller (i.e. the operation of the licence API as described in §3) unless required to do otherwise by applicable law.
  • Ensure that persons authorised to process Personal Data are under appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures as described in §7.
  • Respect the conditions for engaging Sub-processors as described in §6.
  • Assist the Controller, to the extent reasonably possible, in fulfilling its obligations regarding data subject rights requests and data protection impact assessments.
  • Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA.
  • Delete or return all Personal Data upon termination, at the Controller’s choice, subject to any retention obligations under applicable law.
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

6. Sub-processors

The Controller grants DPOKit general authorisation to engage the Sub-processors listed below. DPOKit will inform the Controller of any intended changes to this list (additions or replacements) with at least 14 days’ notice, giving the Controller the opportunity to object.

Sub-processor                   | Purpose                                          | Location
Hetzner Online GmbH / Railway   | VPS hosting for API and database                 | EU (Germany / Finland)
Resend Inc.                     | Transactional email delivery                     | USA (SCCs / adequacy decision)
Stripe Inc.                     | Payment processing (customer billing data only)  | USA (SCCs / adequacy decision)

DPOKit ensures that Sub-processors are bound by data protection obligations at least equivalent to those in this DPA.

7. Technical and organisational security measures

DPOKit implements and maintains the following measures to protect Personal Data:

  • Encryption in transit: all API communication is over TLS 1.2 or higher.
  • Encryption at rest: database volumes are encrypted using AES-256.
  • Access control: database and server access is restricted to authorised personnel via SSH key authentication and role-based permissions.
  • Pseudonymisation: licence keys stored in logs are hashed; IP addresses in validation logs are not stored beyond the 30-day retention window.
  • Vulnerability management: dependencies are reviewed for known CVEs on each release; security patches are prioritised.
  • Backups: database backups are taken daily and stored encrypted for 30 days.

8. International data transfers

Where Personal Data is transferred outside the UK or EEA (for example, to Sub-processors located in the USA), DPOKit relies on the Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA, and on the ICO’s International Data Transfer Agreement (IDTA) for transfers from the UK, as the appropriate transfer mechanism. Copies of the applicable SCCs or IDTA are available on request.

9. Audit rights

The Controller may, upon reasonable written notice (at least 30 days) and no more than once per calendar year, request an audit of DPOKit’s data processing activities relevant to this DPA. DPOKit may satisfy this obligation by providing a third-party audit report or certification in lieu of an on-site audit.

10. Liability

Each party is responsible for its own compliance with applicable data protection law. DPOKit’s liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party’s liability to data subjects or supervisory authorities.

11. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service.

12. Contact and signed copies

For questions about this DPA or to request a countersigned copy, email legal@dpokit.com with your company name and licence key reference.