Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (DPA) governs how we handle and protect your clients' data as your trusted data processor.
Parties
This DPA forms part of the Terms of Service between BINARY BRAIN TECHNOLOGIES SP. Z O.O. (NIP: 7133142056, REGON: 54334690400000, KRS: 0001207918), based in Poland, with website https://binarybrain.dev ("Processor", "we") and the customer ("Controller", "you") using Convertly.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Sub-processor" means any third party engaged by us to process Personal Data. "Data Subject" means the individual to whom Personal Data relates. "GDPR" means Regulation (EU) 2016/679.
2. Scope and Purpose
We process Personal Data on your behalf to provide the Convertly service. Categories of data: quiz respondent contact information, quiz responses, engagement tracking data. Data subjects: your quiz respondents (leads), your team members. Processing activities: storage, analytics, email notifications, quiz rendering, lead management.
3. Obligations of the Processor
We shall: process Personal Data only on your documented instructions; ensure persons authorized to process data are bound by confidentiality; implement appropriate technical and organizational security measures; assist you in fulfilling data subject rights requests; delete or return Personal Data upon termination of the service; make available all information necessary to demonstrate compliance; allow and contribute to audits conducted by you or your auditor.
4. Security Measures
We implement the following security measures: encryption at rest (AES-256 via Supabase); encryption in transit (TLS 1.2+); row-level security for workspace data isolation; regular access reviews and security updates; incident detection and response procedures; automated backups with point-in-time recovery.
5. Sub-processors
Current sub-processors: Supabase Inc. (EU) — database, authentication, file storage; Vercel Inc. (Global, EU edge) — application hosting; Paddle.com Market Ltd (UK/EU) — payment processing; Resend Inc. (US, SCCs in place) — transactional email delivery; PostHog Inc. (EU) — product analytics; Sentry (US, SCCs in place) — error monitoring; Upstash Inc. (EU) — rate limiting and caching. We will notify you before adding or replacing sub-processors. You may object within 30 days.
6. International Data Transfers
Primary data processing occurs in the EU (Supabase EU region). Data is transferred outside the EU/EEA to: Resend Inc. (US), Sentry (US), and Vercel Inc. (global CDN). For all international transfers, we ensure appropriate safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions where applicable.
7. Data Subject Rights
We will assist you in responding to data subject requests including: right of access (Article 15 GDPR); right to rectification (Article 16); right to erasure (Article 17); right to restriction (Article 18); right to data portability (Article 20); right to object (Article 21). Response timeline: within 72 hours of receiving your request.
8. Data Breach Notification
We will notify you of any Personal Data breach without undue delay, and no later than 48 hours after becoming aware. Notification will include: nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, measures taken.
9. Data Retention and Deletion
We retain Personal Data for the duration of the service agreement. Upon termination: data is deleted within 30 days. Tracking/analytics data: automatically purged after 2 years. Backups: purged within 90 days of account deletion.
10. Audit Rights
You may audit our compliance with this DPA once per year. Audits require 30 days' written notice. We will provide reasonable cooperation and access to relevant documentation.
11. Liability
Our liability under this DPA is subject to the limitations set out in the Terms of Service. Each party is liable for damages caused by processing that infringes the GDPR.
12. Term and Termination
This DPA is effective for the duration of your use of Convertly. Obligations regarding data deletion survive termination.
Contact
For data protection inquiries, contact us at support@convertly.buzz