Legal

Data Processing Agreement

Version 2.0 · TemplateEffective 14 June 2026 · Signable annex

Data processor

DFBL Limited
The Tara Building, 11–15 Tara Street
Dublin 2, D02 RY83, Ireland

Registered in Ireland · Company no. 772000 · Lead authority: Irish Data Protection Commission

This Data Processing Agreement ("DPA") supplements the Terms of Service between DFBL Limited (the "Processor") and the Customer (the "Controller"), and forms an integral part of the Order Form. It is entered into under Article 28 of the EU GDPR and the equivalent UK GDPR. Terms defined in the GDPR carry the same meaning here. The countersigned copy on the Order Form prevails over this published template.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to deliver the DFBL Procure SaaS, for the duration of the subscription plus the 30-day export window described in the Terms.

2. Nature and purpose of processing

Hosting, storing, retrieving, securing and presenting procurement workflow data: projects, suppliers, RFPs, initiatives, contracts, invoices, audit logs and task assignments.

3. Categories of data subjects

  • Customer employees granted access (Users).
  • Customer supplier contacts invited to portals.
  • Other individuals named in Customer-uploaded documents (contracts, invoices).

4. Categories of personal data

  • Identification: name, email, role, organisation.
  • Authentication: password hash, session tokens.
  • Business contact information entered by the Controller.
  • Content of uploaded documents (under the Controller's control).

5. Processor obligations

  1. Process personal data only on documented instructions from the Controller.
  2. Ensure persons authorised to process data are bound by confidentiality.
  3. Implement the security measures listed in Annex 1.
  4. Engage sub-processors only with prior authorisation (Annex 2).
  5. Assist the Controller with data subject rights requests within 5 business days.
  6. Notify the Controller of any personal data breach within 72 hours of detection.
  7. Delete or return personal data within 90 days of the subscription end.
  8. Make available the information necessary to demonstrate compliance with Art. 28.

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in Annex 2. Changes require 30 days' notice and a right of objection.

7. International transfers

The Service is hosted in the United Kingdom, which benefits from a European Commission adequacy decision, so transfers from the EEA to the UK require no further safeguards. Transfers to sub-processors outside the UK and the EEA are governed by Standard Contractual Clauses, as marked in Annex 2.

8. Audit rights, liability and term

The Controller may audit Processor compliance once per 12-month period, with 30 days' written notice, at the Controller's cost; annual third-party security reports (when available) satisfy this obligation. Liability is subject to the cap defined in the Terms. This DPA terminates automatically when the underlying subscription ends.

Annex 1 — Technical and organisational measures

  • Access control: server-side RBAC, two-factor authentication mandatory for administrators.
  • Encryption: TLS 1.2+ in transit, encryption at rest for the database.
  • Network isolation: application and database in a private Docker network behind a Traefik reverse proxy with rate limiting.
  • Backup: daily PostgreSQL dump, 7-day rolling window, off-site storage.
  • Logging: application audit log (12 months), request logs (90 days), centralised error reporting.
  • Personnel: confidentiality agreements signed by everyone with Customer Data access.
  • Incident response: detection-to-notification target within 72 hours, documented runbook.
  • Vulnerability management: dependency audits and security patches for High/Critical CVEs within 30 days.

Annex 2 — Authorised sub-processors

NameServiceLocationTransfer
Hostinger International Ltd.Hosting infrastructure (VPS)United Kingdom (Manchester)UK adequacy
Anthropic PBCAI inference (Claude), opt-inUSASCC
Google LLCAI inference (Gemini), opt-inUSA / EUSCC
Perplexity AIWeb grounding for AI, opt-inUSASCC

This DPA is countersigned on the Order Form. For DPA negotiations or custom annexes: dpo@dfbl-solution.com.