Last reviewed 2026-05-06
Data Processing Agreement
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). Service has the meaning given in the Terms.
2. Subject matter, duration, nature, purpose
- Subject matter: processing personal data in connection with running the ECGT Ready platform on behalf of the Controller.
- Duration: the term of the Terms of Service plus a 30-day return-or-delete window.
- Nature and purpose: hosting customer data, running compliance scans, generating reports, supporting the Controller's users.
3. Categories of data and data subjects
| Category of data | Data subjects | Source |
|---|---|---|
| Identification (name, email, role) | Controller's users | Provided at sign-up |
| Authentication (hashed password, MFA factors) | Controller's users | Provided at sign-up |
| Workspace and scan data (URLs, page text, scan results) | Controller's store and its visitors where applicable | Provided through the service |
| Support correspondence | Controller's users | |
| Audit logs | Controller's users | Generated by the service |
4. Controller and Processor obligations
4.1 Controller
- Has a lawful basis for the processing.
- Issues documented instructions, primarily through the configuration of the Service.
- Provides notices and rights to its end users.
4.2 Processor
- Processes only on documented instructions.
- Ensures persons with access are bound by confidentiality.
- Implements the security measures in Annex II.
- Assists the Controller with data subject requests, DPIAs, and breach notifications.
- Returns or deletes data at the end of the term.
- Makes information available so the Controller can demonstrate compliance.
5. Sub-processors
The Controller authorises the use of the sub-processors listed at /legal/subprocessors. Where practicable, the Processor aims to give reasonable prior notice before adding or replacing a sub-processor by updating that page and emailing the privacy contact on file. Faster changes may be made where required by law, a binding order, a security incident, or to keep the service running. The Controller may object on reasonable data-protection grounds; if the objection cannot be resolved, the Controller may terminate the affected service for convenience.
6. International transfers
Where personal data is transferred outside the EEA, the Processor implements the Standard Contractual Clauses (Decision 2021/914), applies supplementary measures (encryption, access control, data minimisation), and where applicable relies on the EU-US Data Privacy Framework certification of the receiving party.
7. Data subject requests
Where the Processor receives a data subject request relating to the Controller's users, it forwards the request to the privacy contact and assists with the response, taking into account the nature of the processing and the information available.
8. Breach notification
The Processor notifies the Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach affecting the Controller's data. The notice contains the information needed for the Controller to comply with GDPR Articles 33 and 34.
9. Audit
The Controller may, no more than once per year on 30 days' notice, request information needed to demonstrate compliance. Where the Processor holds independent audit reports or certifications, sharing those is treated as fulfilment of the audit obligation.
10. Return or deletion
On termination, the Controller has 30 days to export data through the Service. The Processor then deletes customer data in production within 30 days and from backups within the standard backup rotation (currently 30 days), unless retention is required by law.
11. Liability
The liability provisions of the Terms of Service apply to this DPA.
Annex I - Description of processing
See sections 2-4 above. Roles: Controller is the customer named in the ECGT Ready account. Processor is the entity in the imprint.
Annex II - Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest (managed by Supabase).
- Authentication via Supabase Auth, hashed passwords, optional MFA.
- Database row-level security (RLS) and least-privilege GRANTs per role.
- Access logs and audit trail of admin actions.
- Backups: Supabase point-in-time recovery (PITR).
- Hosting in EU regions (Supabase eu-central-1, Vercel EU edge).
- Incident response: documented runbook, breach notification SLA above.
- Personnel: confidentiality obligation, principle of least privilege.
Annex III - Sub-processor list
See /legal/subprocessors.
Questions about this page? contact@ecgtready.eu