Article 28 GDPR terms that govern Disclos when we process personal data on behalf of our business customers.
Effective June 1, 2026 · Version 1.0.0
This Data Processing Agreement (“DPA”) forms part of, and supplements, the agreement between Disclos (the “Processor”) and the customer organisation accepting these terms (the “Controller”).
It applies whenever Disclos processes personal data on behalf of the Controller in connection with the Disclos service. To the extent there is a conflict with the main Terms of Service, this DPA prevails for data-protection matters.
Subject matter: the processing of personal data necessary to provide the Disclos service — namely runtime audit logging, transparency notice rendering and compliance document generation.
Duration: this DPA remains in force for as long as Disclos processes personal data on behalf of the Controller and survives termination to the extent processing continues (for example, during the export window).
Processing operations carried out by Disclos include:
The Controller determines what personal data flows through the SDK. In typical deployments the data is limited to:
Disclos does not require, and does not knowingly store, special categories of personal data under GDPR Article 9. The Controller is responsible for ensuring that the SDK is not configured to transmit such data.
Categories of data subjects: end-users of the Controller’s applications and the Controller’s own personnel using the dashboard.
Disclos processes personal data only on documented instructions from the Controller, including with regard to transfers, unless required by EU or Member-State law. In that case Disclos will inform the Controller of the legal requirement before processing, unless the law prohibits such notice.
The main agreement and the documentation at disclos.dev/docs constitute the Controller’s complete and final instructions at the time of execution.
Disclos ensures that everyone authorised to process personal data is bound by a written confidentiality obligation that survives the end of their engagement.
Disclos implements appropriate technical and organisational measures (Article 32 GDPR), which are described in detail in Annex II to this DPA and summarised here:
The Controller authorises Disclos to engage the sub-processors listed below to perform parts of the processing. Disclos imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Frontend hosting, CDN | USA, EU edges | SCCs 2021 |
| Render Services Inc. | Backend hosting | USA | SCCs 2021 |
| Cloudflare Inc. | Edge network, R2 object storage, KV | Global · EU regions | SCCs 2021 |
| Neon Inc. | Managed Postgres (eu-central-1) | EU (Frankfurt) | EEA-only |
| Clerk Inc. | Authentication | USA | SCCs 2021 |
| Stripe Payments Europe Ltd. | Billing & payments | Ireland | EEA-only |
| Upstash Inc. | Redis cache & QStash queue | EU + USA | SCCs 2021 |
| Resend Inc. | Transactional email | USA | SCCs 2021 |
| Functional Software Inc. (Sentry) | Error monitoring | EU (Frankfurt) | EEA-only |
| Anthropic PBC | LLM inference for classifier features | USA | SCCs 2021 |
Disclos will give the Controller at least 30 days’ prior written notice of any intended addition or replacement of a sub-processor. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; failing resolution, the Controller may terminate the affected part of the service.
Taking into account the nature of the processing, Disclos assists the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data-subject requests under Chapter III of GDPR. The dashboard exposes tooling for access, rectification, erasure and export.
If a data subject contacts Disclos directly, Disclos will, without responding to the request, refer the data subject to the Controller without undue delay.
Disclos will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Controller data. The notification will include, where reasonably available, the information required by Article 33(3) GDPR.
Where personal data is transferred outside the EEA, the parties rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) (Module Two: Controller-to-Processor), incorporated into this DPA by reference. The relevant docking clauses are populated as follows: data exporter — the Controller; data importer — Disclos; supervisory authority — the Irish Data Protection Commission.
Disclos will make available all information necessary to demonstrate compliance with Article 28 GDPR. The Controller may, on at least 30 days’ written notice and no more than once per calendar year, conduct an audit through an independent qualified auditor under reasonable confidentiality. Disclos will support the audit at its published professional-services rate.
On termination, Disclos will, at the Controller’s choice, return all personal data to the Controller or delete it within 30 days, including by destroying all copies, unless retention is required by Union or Member-State law.
Each party’s liability under this DPA is subject to the limitations of liability set out in the main Terms of Service, subject to mandatory law.
This DPA takes effect for every Controller who accepts the Disclos Terms of Service. A countersigned PDF is available on request — email official00980+compliance@gmail.com with your legal name, address and the name of the dashboard signatory.