Data Processing Agreement
Last updated: January 22, 2026
Enterprise Customers: If you require a signed Data Processing Agreement or have specific contractual requirements, please contact us at support@digitalcore.app.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between DigitalCore ("Processor", "we", "us") and the Customer ("Controller", "you") who uses our Services.
This DPA reflects the parties' agreement with respect to the processing of personal data by DigitalCore on behalf of the Customer in connection with the Services, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR. Additionally:
- "Customer Data" means any personal data that the Customer submits to the Services for processing.
- "Services" means the DigitalCore platform and related services as described in the Agreement.
- "Sub-processor" means any third party engaged by DigitalCore to process Customer Data.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
3. Scope and Roles
3.1 Controller and Processor Roles:
- The Customer acts as the Data Controller, determining the purposes and means of processing Customer Data.
- DigitalCore acts as the Data Processor, processing Customer Data solely on behalf of and in accordance with the Customer's documented instructions.
3.2 Scope of Processing: This DPA applies to Customer Data processed in connection with the Services. It does not apply to personal data for which DigitalCore acts as Controller (such as account registration data), which is governed by our Privacy Policy.
4. Details of Processing
4.1 Subject Matter
The processing concerns the provision of service management, analytics, and operational intelligence platform services.
4.2 Duration
Processing will continue for the duration of the Agreement plus any retention period required by law or specified in this DPA.
4.3 Nature and Purpose
Processing activities include:
- Storing and organizing service portfolio data
- Computing analytics, metrics, and performance indicators
- Generating insights and recommendations using AI
- Providing data visualization and reporting
- Facilitating data export and integration
4.4 Categories of Data Subjects
- Customer's employees and contractors
- Customer's clients and end-users (as determined by Customer)
- Any other individuals whose data the Customer submits to the Services
4.5 Categories of Personal Data
Categories depend on what the Customer uploads to the Services, but may include:
- Names and contact information
- Job titles and organizational roles
- Work-related performance data
- Project and service assignment information
- Any other categories the Customer chooses to process
4.6 Special Categories of Data
The Services are not designed to process special categories of personal data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR). The Customer must not submit such data unless specific arrangements have been made.
5. Processor Obligations
DigitalCore shall:
- Process Customer Data only on documented instructions from the Customer, including transfers to third countries, unless required by EU or Member State law
- Ensure that persons authorized to process Customer Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7)
- Engage Sub-processors only in accordance with Section 8
- Assist the Customer in responding to Data Subject requests (Section 9)
- Assist the Customer in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations
- Delete or return Customer Data at the Customer's choice upon termination of Services (Section 11)
- Make available information necessary to demonstrate compliance and allow for audits (Section 10)
6. Controller Obligations
The Customer shall:
- Ensure it has a lawful basis to process personal data and to engage DigitalCore as Processor
- Provide documented instructions to DigitalCore regarding the processing of Customer Data
- Ensure the accuracy, quality, and legality of Customer Data
- Comply with applicable data protection laws in its use of the Services
- Notify DigitalCore promptly of any changes to processing instructions or relevant compliance matters
7. Security Measures
DigitalCore implements and maintains appropriate technical and organizational security measures, including:
Technical Measures
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Control: Role-based access control (RBAC), row-level security (RLS), multi-factor authentication available
- Network Security: Firewalls, intrusion detection, DDoS protection
- Logging: Comprehensive audit logging of system and user activities
- Backup: Automated backups with point-in-time recovery capability
Organizational Measures
- Personnel: Confidentiality agreements, security awareness training
- Access Management: Least privilege principle, regular access reviews
- Incident Response: Documented procedures for security incident handling
- Business Continuity: Disaster recovery and business continuity planning
For more details, see our Security Policy.
8. Sub-processors
8.1 Authorization
The Customer provides general authorization for DigitalCore to engage Sub-processors to process Customer Data, subject to this Section 8.
8.2 Current Sub-processors
The following Sub-processors are engaged as of the date of this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication | Germany (EU) |
| Vercel | Hosting, CDN | Germany (EU) |
| Hostinger | Additional Hosting | Germany (EU) |
| Stripe | Payment Processing | EU/USA |
| OpenAI | AI Features | USA* |
| Anthropic | AI Features | USA* |
| Loops.so | Email Communications | USA* |
* Transfers to USA-based Sub-processors are made pursuant to Standard Contractual Clauses (SCCs) or equivalent safeguards.
8.3 New Sub-processors
DigitalCore will notify the Customer of any new Sub-processors at least 30 days before authorizing them to process Customer Data. The Customer may object to a new Sub-processor on reasonable grounds related to data protection. If the parties cannot resolve the objection, the Customer may terminate the affected Services.
8.4 Sub-processor Obligations
DigitalCore imposes data protection obligations on Sub-processors that are substantially similar to those in this DPA. DigitalCore remains liable for the acts and omissions of its Sub-processors.
9. Data Subject Rights
DigitalCore will assist the Customer in responding to requests from Data Subjects to exercise their rights under GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
If DigitalCore receives a request directly from a Data Subject, it will promptly redirect the request to the Customer unless prohibited by law.
10. Audits
Upon Customer's reasonable request (not more than once per year under normal circumstances), DigitalCore will:
- Provide relevant documentation, certifications, and audit reports
- Respond to written security questionnaires
- Allow for audits or inspections by the Customer or an independent auditor, subject to reasonable advance notice, confidentiality obligations, and scheduling during normal business hours
The Customer bears the costs of any audit, unless the audit reveals material non-compliance by DigitalCore.
11. Data Deletion and Return
Upon termination of the Services or upon Customer's request:
- Data Export: The Customer may export Customer Data using available platform features for a period of 30 days following termination
- Deletion: DigitalCore will delete Customer Data within 90 days of termination, unless retention is required by applicable law
- Certification: Upon request, DigitalCore will provide written confirmation of deletion
12. Data Breach Notification
In the event of a personal data breach affecting Customer Data, DigitalCore will:
- Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach
- Provide reasonable assistance in the Customer's investigation and notification obligations
- Take reasonable steps to mitigate the effects and prevent recurrence
Notification will include, to the extent known: nature of the breach, categories and approximate numbers of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
13. International Transfers
Customer Data is primarily stored in Germany (EU). Where transfers to countries outside the EU/EEA are necessary (e.g., for AI processing), DigitalCore ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses for Controller-to-Processor transfers
- EU-U.S. Data Privacy Framework: Where applicable
- Supplementary Measures: Additional technical and organizational measures as appropriate
The SCCs are incorporated into this DPA by reference. A copy is available upon request.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
15. Term and Termination
This DPA will remain in effect for the duration of the Agreement. Provisions that by their nature should survive termination (including Sections 11, 12, and 14) will survive.
16. Contact
For questions about this DPA or to exercise rights under it, contact:
- Email: support@digitalcore.app
- Address: Barcelona, Spain
This DPA is incorporated into and forms part of the DigitalCore Terms and Conditions.