Data Processing Agreement
Last updated: February 15, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ProofRepo ("Processor") and the entity or individual using the ProofRepo platform ("Controller") and governs the processing of personal data by Processor on behalf of Controller.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by ProofRepo in connection with the services.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion.
"Services" means the ProofRepo evidence collection platform as described in the Terms of Service.
2. Scope and Purpose of Processing
The Controller uses ProofRepo to collect compliance evidence from the Controller's clients. In providing the Services, the Processor may process the following categories of Personal Data:
| Data Category | Examples |
|---|---|
| Contact information | Names, email addresses of auditors and their clients |
| Business information | Company names, engagement details, framework selections |
| Uploaded evidence files | Documents, screenshots, policies, configurations uploaded by clients |
| Usage data | Request timestamps, upload timestamps, delivery confirmations |
Processing is performed solely for the purpose of providing the Services — specifically, delivering evidence request emails, receiving and storing uploaded files, organizing evidence into ProofPacks, and sending automated reminders and notifications.
3. Controller Obligations
The Controller is responsible for:
- Ensuring a lawful basis exists for the processing of Personal Data through the Services
- Informing their clients that evidence will be collected and stored via ProofRepo
- Ensuring that any Personal Data provided to ProofRepo is accurate and current
- Not uploading data subject to heightened regulatory restrictions (e.g., protected health information under HIPAA) unless the Controller has independently ensured compliance with applicable laws
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (i.e., through normal use of the platform)
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to protect Personal Data (see Security)
- Not engage sub-processors without prior notification to the Controller (see Section 6)
- Assist the Controller in responding to data subject requests where technically feasible
- Delete or return all Personal Data upon termination of the Services, at the Controller's election
- Make available to the Controller information necessary to demonstrate compliance with this DPA
5. Security Measures
ProofRepo implements the following technical and organizational measures:
- Encryption in transit: All data transmitted via TLS 1.2+
- Encryption at rest: Files stored in Cloudflare R2 with server-side encryption
- Access controls: Token-based authentication; magic links for client access scoped to individual requests
- Data isolation: Each evidence request is stored with unique tokens; no cross-request data access
- Infrastructure: Hosted on Cloudflare Workers (edge computing) with no persistent server access
- Retention: Evidence files retained for the duration of the engagement plus 90 days, then automatically deleted unless the Controller requests earlier deletion
6. Sub-processors
The Processor currently uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure (Workers, R2 storage, KV database) | United States (global edge network) |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. | Payment processing | United States |
The Processor will notify the Controller of any intended changes to sub-processors by updating this page. The Controller may object to a new sub-processor by contacting the Processor within 30 days of notification.
7. Data Transfers
Personal Data may be processed in locations where Cloudflare operates edge infrastructure. To the extent that processing involves transfers outside the Controller's jurisdiction, the Processor relies on Cloudflare's data processing agreements and standard contractual clauses.
8. Data Subject Rights
If the Processor receives a request from a data subject regarding their Personal Data, the Processor will promptly notify the Controller. The Processor will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) to the extent technically feasible within the platform.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach.
10. Term and Termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Services, the Processor will delete all Personal Data within 90 days unless legally required to retain it, or the Controller requests earlier deletion.
11. Governing Law
This DPA is governed by the same governing law as the Terms of Service.
12. Contact
For questions about this DPA or to exercise any rights under it, contact: [email protected]