Data Processing Agreement

Effective: July 24, 2026
Version 1.0

For customers acting as controllers

This Data Processing Agreement governs our processing of personal data that you, as a customer, upload to or process through PrivacyForge. It forms part of our Terms of Service; a counter-signed copy is available on request at hello@privacyforge.io.

Key Points Summary

  • You are the controller; we are your processor
  • We only process on your documented instructions
  • Sub-processors are listed and notified before changes
  • Breaches are reported without undue delay
  • Transfers use EU SCCs / UK IDTA safeguards
  • Data is returned or deleted at the end of the term

1. Parties, Roles & Definitions

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service (the "Agreement") between PrivacyForge, a service operated by Mariyan Valev, a sole trader established in the United Kingdom ("PrivacyForge", "we", "us", the "Processor") and the customer that accepts the Agreement (the "Customer", "you", the "Controller"). Where the Customer is itself a processor acting for a third-party controller, references to "Controller" apply to that relationship and the Customer warrants it has authority to instruct us on the controller's behalf.

Data Protection Laws means, as applicable: (a) the UK GDPR and the Data Protection Act 2018; and (b) Regulation (EU) 2016/679 ("EU GDPR") and its member-state implementing laws. Terms such as "controller", "processor", "personal data", "processing", "data subject" and "personal data breach" have the meanings given in the Data Protection Laws.

The parties agree that, with respect to the processing of personal data through the Service, the Customer is the controller and PrivacyForge is the processor. This DPA satisfies Article 28(3) UK GDPR and EU GDPR.

2. Scope & Instructions

We will process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by law that applies to us — in which case we will inform the Customer of that legal requirement before processing, unless the law prohibits it.

The Agreement, this DPA (including Annex 1), the Customer's use and configuration of the Service, and any instructions given through the Service's features, together constitute the Customer's complete and documented instructions. We will inform the Customer if, in our opinion, an instruction infringes the Data Protection Laws (without obligation to provide legal advice).

The Customer is responsible for the lawfulness of the personal data it provides and of the instructions it gives, including establishing a valid lawful basis, providing required transparency notices to data subjects, and obtaining any necessary consents.

3. Confidentiality

We ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations (whether contractual or statutory) and are trained on their data-protection responsibilities. Access to personal data is limited to personnel who need it to provide, secure, or support the Service.

4. Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to data subjects, we implement appropriate technical and organisational measures under Article 32 to ensure a level of security appropriate to the risk. Our current measures are summarised in Annex 2. We may update these measures provided the level of protection is not materially reduced.

5. Sub-processors

The Customer provides general written authorisation for us to engage sub-processors to support the Service. Our current sub-processors are listed at privacyforge.io/subprocessors (Annex 3).

We will give the Customer at least 30 days' notice (by email and/or by updating the sub-processor page, where the Customer may subscribe to notifications) before adding or replacing a sub-processor. The Customer may object on reasonable, data-protection-related grounds within that period; the parties will work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected part of the Service.

We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable to the Customer for each sub-processor's performance of its obligations.

6. International Data Transfers

Where processing involves a transfer of personal data to a country that does not benefit from an adequacy decision, we will ensure an appropriate transfer mechanism is in place, which may include:

  • The European Commission's Standard Contractual Clauses (2021/914) for transfers subject to the EU GDPR; and
  • The UK International Data Transfer Addendum (or IDTA) to those Clauses for transfers subject to the UK GDPR.

Where required, the relevant Clauses are incorporated into this DPA by reference, with the Customer as data exporter and PrivacyForge (or the relevant sub-processor) as data importer, and the Annexes populated by Annex 1, Annex 2 and Annex 3 of this DPA. Current hosting regions are described on the sub-processor page.

7. Assistance to the Controller

Taking into account the nature of the processing, we will assist the Customer by:

  • Providing appropriate technical and organisational measures to help the Customer respond to data-subject requests (access, rectification, erasure, restriction, portability and objection), insofar as possible — primarily through the Service's self-service features;
  • Assisting the Customer in ensuring compliance with its security, breach-notification, data-protection-impact-assessment (Art. 35) and prior-consultation (Art. 36) obligations, taking into account the information available to us; and
  • Making available the information necessary to demonstrate compliance with Article 28.

8. Personal Data Breaches

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data. The notification will, to the extent known, describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it, and will be supplemented as further information becomes available so the Customer can meet its own notification obligations (including the 72-hour deadline where applicable). This obligation is not an acknowledgement of fault or liability.

Breach notifications and data-protection queries should be sent to and will be sent from hello@privacyforge.io.

9. Return & Deletion of Data

The Customer may export its data at any time through the Service. On termination or expiry of the Agreement, the Customer has a window of 30 days to export its data, after which we will delete or return the personal data and delete existing copies, unless storage is required by law.

Residual copies may persist in routine backups for a limited period before being overwritten on our standard backup cycle; such copies remain protected by this DPA and are not actively processed.

10. Audits & Compliance

We will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimise disruption, we may satisfy audit requests by providing relevant certifications, third-party audit reports, or completed security questionnaires. On-site audits, where justified, will be on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a breach), during business hours, and subject to confidentiality.

11. Liability & Order of Precedence

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement, and any reference to a party's liability means aggregate liability under the Agreement and this DPA combined. Nothing in this DPA limits either party's liability to a data subject or to a supervisory authority where such limitation is prohibited by the Data Protection Laws.

In the event of a conflict between this DPA and the Agreement on the subject of personal-data processing, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses or UK IDTA, those Clauses prevail.

12. Annex 1 — Details of Processing

Subject matterProvision of the PrivacyForge privacy-compliance platform (consent management, data mapping, DSAR handling, compliance monitoring, reporting and related services).
DurationFor the term of the Customer’s subscription, plus the post-termination export and deletion period set out in Section 9.
Nature & purposeHosting, storage, organisation, retrieval, transmission and deletion of personal data so that the Customer can operate its own privacy-compliance programme.
Types of personal dataAccount and contact details of the Customer’s staff; and, depending on how the Customer configures the Service, the Customer’s own end users’ identifiers, consent records, data-subject-request contents, and any personal data the Customer chooses to upload. The Customer controls what is uploaded.
Categories of data subjectsThe Customer’s authorised users; and the Customer’s own customers, end users, employees, or other individuals whose personal data the Customer processes through the Service.
Special category dataThe Service is not intended for processing special-category data (Art. 9) or criminal-offence data (Art. 10). The Customer must not upload such data unless expressly agreed in writing and subject to appropriate safeguards.

13. Annex 2 — Security Measures

We maintain the following technical and organisational measures (Article 32). This list describes our current approach and may evolve provided protection is not materially reduced:

  • Encryption of personal data in transit (TLS) and at rest
  • Row-Level Security and least-privilege access controls on the production database
  • Role-based access control and audit logging of privileged actions
  • Network isolation, firewalling and DDoS mitigation at the hosting layer
  • Regular automated backups with tested restore procedures
  • Secure software development lifecycle, dependency scanning and code review
  • Multi-factor authentication for administrative and staff access
  • Ongoing vulnerability monitoring and error/anomaly detection
  • Pseudonymisation and data minimisation where compatible with the Service
  • Documented incident-response and breach-notification procedures

14. Annex 3 — Sub-processors

Our current sub-processors, their purposes, processing locations and transfer mechanisms are maintained at privacyforge.io/subprocessors, which forms part of this DPA and is updated in accordance with Section 5.

Contact & Signature

To request a counter-signed copy of this DPA, raise a data-protection query, or exercise audit rights, contact us:

Data Protection Contact

  • Email: hello@privacyforge.io

Entity & Representatives

  • Processor: Mariyan Valev, sole trader operating as PrivacyForge (United Kingdom)
  • ICO registration: In progress
  • EU Art. 27 representative: Not currently appointed (under assessment)

Last updated: June 24, 2026 | Version: 1.0