Data Processing Agreement

Last updated: January 15, 2024

Data Processor: Hostao LLC, 30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA
Data Controller: You (the CookieSeal customer)
Effective: Upon acceptance of CookieSeal Terms of Service

1. Definitions

"Controller" means you, the CookieSeal customer, who determines the purposes and means of processing visitor consent data. "Processor" means Hostao LLC, acting on your instructions. "Personal Data" means consent records collected via CookieSeal banners on your website.

2. Scope of Processing

Hostao LLC processes visitor consent data on your behalf to: record consent choices; serve the appropriate cookie categories based on consent; generate compliance reports; maintain audit logs. Processing is limited to these purposes.

3. Data Processor Obligations

Hostao LLC will: only process data on your documented instructions; ensure persons authorized to process data are bound by confidentiality; implement appropriate technical and organizational security measures; assist you in fulfilling data subject rights requests; delete or return data upon termination; provide audit cooperation.

4. Sub-processors

Hostao LLC uses the following sub-processors: Vercel, Inc. (hosting, USA); Amazon Web Services (cloud infrastructure, USA); Stripe, Inc. (payments, USA — does not process visitor consent data). We will notify you of sub-processor changes with 30 days' notice.

5. Security Measures

We implement: TLS 1.3 encryption in transit; AES-256 encryption at rest; access controls and audit logging; regular penetration testing; incident response procedures; 72-hour breach notification.

6. International Transfers

Visitor consent data may be processed in the USA and EU. All transfers are covered by Standard Contractual Clauses (EU Commission Decision 2021/914) or equivalent safeguards for DPDPA transfers.

7. Data Retention

We retain visitor consent logs per your plan: Free plan: 30 days; Pro plan: 1 year; Business plan: indefinite (until deleted by you). Upon contract termination, data is deleted within 90 days.

8. Audit Rights

You may request information to demonstrate compliance with this DPA. We will cooperate with reasonable audit requests upon 30 days' notice, at your cost.

9. Governing Law

This DPA is governed by the laws of Wyoming, USA, and is subject to the General Data Protection Regulation (GDPR) for EU/UK data and India's DPDPA 2023 for Indian data.

10. Contact

DPA inquiries: [email protected] · Hostao LLC, 30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA