Data Processing Agreement

Last updated: 15 March 2025

1. Background and Parties

This Data Processing Agreement ("DPA") forms part of the CookieSeal Terms of Service and governs the processing of personal data under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller (Customer)

The entity or individual that has subscribed to CookieSeal ("Customer", "you")

Data Processor (CookieSeal)

Hostao LLC
30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA
Email: [email protected]

This DPA applies when Customer uses CookieSeal to process personal data of EU/EEA data subjects. Customer acts as Data Controller, and CookieSeal acts as Data Processor.

2. Definitions

Terms used in this DPA have the meanings assigned in the GDPR, including:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "Data Controller" means the entity that determines the purposes and means of processing
  • "Data Processor" means the entity that processes personal data on behalf of the Controller
  • "Data Subject" means the identified or identifiable natural person whose personal data is processed
  • "Sub-processor" means any processor engaged by CookieSeal to assist in processing

3. Processing Details

3.1 Subject Matter

Processing of cookie consent data through the CookieSeal service

3.2 Duration

For the duration of the CookieSeal service agreement plus data retention periods

3.3 Nature and Purpose

  • Collection and logging of website visitor consent preferences
  • Provision of consent banners and preference management
  • Analytics and reporting on consent patterns
  • Compliance assistance and audit trail maintenance

3.4 Categories of Data Subjects

  • Visitors to Customer's websites
  • End users interacting with Customer's online services

3.5 Categories of Personal Data

  • Hashed IP addresses (SHA-256, non-reversible)
  • Consent choices (accepted/rejected cookie categories)
  • Timestamps of consent events
  • Browser information (user agent strings)
  • Website domain where consent was given

Note: CookieSeal does not collect names, email addresses, device IDs, or other directly identifying information from website visitors.

4. Controller and Processor Obligations

4.1 Customer Obligations (Data Controller)

Customer warrants and agrees that:

  • It has the legal right to transfer personal data to CookieSeal for processing
  • It has provided appropriate privacy notices to data subjects
  • It has obtained necessary legal bases for processing (consent, legitimate interest, etc.)
  • It will handle data subject requests (access, correction, deletion) as required by law
  • It will promptly notify CookieSeal of any data subject requests that require CookieSeal action

4.2 CookieSeal Obligations (Data Processor)

CookieSeal warrants and agrees that:

  • It will process personal data only according to Customer's documented instructions
  • It will implement appropriate technical and organizational security measures
  • It will only engage sub-processors with equivalent data protection obligations
  • It will assist Customer in responding to data subject requests
  • It will notify Customer of any personal data breaches without undue delay
  • It will return or delete personal data upon termination of services

5. Technical and Organizational Measures

CookieSeal implements the following security measures:

5.1 Technical Measures

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest (database-level encryption)
  • IP address hashing (SHA-256) before storage
  • Access controls and authentication
  • Regular security updates and patches
  • Network security and firewall protection

5.2 Organizational Measures

  • Staff training on data protection principles
  • Access control policies (principle of least privilege)
  • Incident response procedures
  • Regular security assessments
  • Data retention and deletion policies
  • Vendor management and due diligence

6. Sub-processors

CookieSeal may engage sub-processors to assist in providing the service. Customer provides general authorization for the engagement of sub-processors, subject to CookieSeal's compliance with this section.

6.1 Current Sub-processors

Sub-processor | Location | Purpose
Supabase Inc. | USA / EU available | Database hosting and authentication
Vercel Inc. | USA / Global CDN | Application hosting and delivery
Stripe Inc. | USA / EU available | Payment processing (Customer data only)

6.2 Sub-processor Requirements

Each sub-processor must:

  • Provide sufficient guarantees of appropriate technical and organizational measures
  • Be bound by data protection obligations equivalent to those in this DPA
  • Process personal data only for the purposes instructed by CookieSeal

6.3 Changes to Sub-processors

CookieSeal will notify Customer at least 30 days before adding or changing sub-processors. Customer may object to changes by terminating the affected services.

7. International Data Transfers

Personal data may be transferred to and processed in countries outside the EU/EEA, including the United States. CookieSeal ensures adequate protection through:

  • Standard Contractual Clauses (SCCs) with sub-processors where applicable
  • Adequacy decisions by the European Commission where available
  • Additional safeguards as required by applicable law

Customer may request EU-region hosting for an additional fee to minimize international transfers.

8. Data Subject Rights

CookieSeal will assist Customer in fulfilling data subject rights requests, including:

8.1 Right of Access

Providing copies of personal data upon verified request

8.2 Right of Rectification

Correcting inaccurate personal data

8.3 Right of Erasure

Deleting personal data when legally required

8.4 Right to Data Portability

Providing data in a machine-readable format

Note: Given that CookieSeal processes only hashed IP addresses and consent choices (not directly identifying data), most data subject requests will require Customer to provide additional identifying information for processing.

9. Data Retention and Deletion

9.1 Retention Periods

  • Free plan: 30 days
  • Pro plan: 1 year
  • Business plan: Indefinitely or as instructed by Customer

9.2 Deletion Process

Upon termination of services, CookieSeal will:

  • Delete all personal data within 30 days unless legally required to retain
  • Provide confirmation of deletion upon request
  • Return personal data to Customer if requested before deletion

10. Data Breach Notification

In the event of a personal data breach affecting Customer data, CookieSeal will:

  • Notify Customer without undue delay and within 72 hours when feasible
  • Provide details of the breach, affected data, and potential consequences
  • Describe measures taken to address the breach and prevent recurrence
  • Provide regular updates on investigation and remediation efforts
  • Assist Customer in breach notifications to supervisory authorities if required

11. Audits and Compliance

Customer has the right to audit CookieSeal's compliance with this DPA through:

  • Review of third-party security certifications and audit reports
  • Written questionnaires regarding security and privacy practices
  • On-site audits with reasonable notice and at Customer's expense (Business plan only)

CookieSeal will provide reasonable assistance and access to information necessary for compliance audits.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the CookieSeal Terms of Service. Each party will indemnify the other against claims arising from its violation of this DPA.

13. Term and Termination

This DPA remains in effect as long as CookieSeal processes personal data on Customer's behalf. Upon termination, the data deletion obligations in Section 9 apply.

14. Governing Law

This DPA is governed by the laws of Wyoming, United States, except where EU data protection law directly applies to the processing activities described herein.

15. Contact Information

For questions regarding this DPA or data protection matters:

Data Protection Officer

Hostao LLC

30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA

Email: [email protected]

Website: cookieseal.com