
Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (DPA) forms part of your agreement with Rowpa and governs how we process personal data as your Data Processor under GDPR Article 28. By using Rowpa, you agree to the terms of this DPA.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • Controller: You, the organisation using Rowpa to manage GDPR compliance
  • Processor: TeZe Ltd (company number 17137231), operating Rowpa
  • Services: The Rowpa platform, including AI-powered ROPA generation, compliance analysis, and vendor enrichment
  • Sub-processor: Third-party services that process personal data on our behalf, including Supabase, Vercel, Anthropic, Resend, and Stripe
  • Processing: Any operation performed on personal data, including collection, storage, analysis, deletion, and transfers
  • Personal Data: Any information relating to an identified or identifiable natural person

2. Scope of Processing

As your Processor, we process the following categories of data on your behalf:

| Data Category | Purpose | Data Subjects | Legal Basis | Retention |
|---|---|---|---|---|
| Business profile | Service delivery and account management | Your employees and representatives | Contract (Rowpa Terms of Service) | Duration of agreement plus 30 days |
| Account data | Authentication and access control | Your users | Contract | Duration of agreement plus 30 days |
| ROPA content | Generating Records of Processing Activity | Your employees, customers, vendors, and service providers | Legitimate interest (GDPR compliance) | Duration of agreement plus 30 days |
| DSR metadata | Tracking Data Subject Requests | Your data subjects | Legal obligation (GDPR Articles 15-22) | Duration of agreement plus 30 days |

You decide what data to input into Rowpa. We only process data you choose to upload or enter. We do not collect data from external sources on your behalf.

3. Processor Obligations

As your Processor, we commit to the following:

  • Confidentiality: We ensure all personnel with access to your data are bound by confidentiality obligations
  • Security: We implement technical and organisational security measures (see Section 4 below)
  • Assistance with rights: We assist you in responding to data subject requests (access, rectification, erasure, portability, objection)
  • Assistance with compliance: We provide information and evidence necessary for you to demonstrate GDPR compliance
  • Sub-processor authorisation: We only engage Sub-processors with your prior authorisation and under contracts equivalent to this DPA
  • Data subject cooperation: We do not engage with your data subjects directly regarding their rights. All requests go through you as Controller
  • Deletion or return: Upon termination, we delete all your data or return it to you (your choice) within 30 days
  • Audit rights: We permit you to audit and inspect our processing activities upon reasonable notice

4. Security Measures

We implement comprehensive security controls to protect your data. For a full overview of our security architecture, certifications, and practices, please visit our Security page.

Key measures include:

  • End-to-end encryption of data in transit (TLS 1.3)
  • Encryption of data at rest (AES-256)
  • Role-based access controls (RBAC)
  • Regular security audits and penetration testing
  • Employee security training and background checks
  • Incident response procedures with 48-hour notification

5. Sub-processors

We use the following Sub-processors to deliver Rowpa. You authorise us to engage these Sub-processors:

  • Supabase Inc. (EU Frankfurt) - Database and authentication
  • Vercel Inc. (EU London) - Application hosting
  • Anthropic PBC (San Francisco, CA) - AI inference for ROPA generation
  • Resend Inc. (San Francisco, CA) - Transactional email
  • Stripe, Inc. (EU Dublin) - Payment processing

We maintain a complete Sub-processor list with locations, purposes, and data transfer mechanisms. Before adding any new Sub-processor, we notify you in writing with 30 days' notice. You may object to new Sub-processors; if you do, you may terminate the Services without penalty.

6. International Data Transfers

EU to UK: Data transferred to UK Sub-processors benefits from the UK Adequacy Decision (UK GDPR Section 17A).

EU to US and beyond: For Sub-processors outside the UK/EU, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by additional safeguards. Anthropic and Stripe engage US Sub-processors; both have published data processing agreements confirming SCC implementation.

You acknowledge that transfers to the US may carry legal risks due to US surveillance laws. If you require EU-only processing, please contact compliance@rowpa.app.

7. Breach Notification

If we discover a personal data breach, we notify you without undue delay and in any case within 48 hours of discovery. Our notification will include:

  • Nature and scope of the breach
  • Likely consequences for your data subjects
  • Measures taken or proposed to contain and remediate the breach
  • Name and contact of our Data Protection Officer

You are responsible for notifying your data subjects and supervisory authorities where legally required. We provide all information necessary to assist your notification.

8. Term and Termination

Duration: This DPA applies for the entire duration of the Rowpa Terms of Service.

Data deletion upon termination: Upon termination of your Rowpa account:

  • All your data is deleted from live systems within 30 days (export period)
  • Backup copies are purged within 90 days
  • You may request an export of your data before deletion

You may request deletion sooner; we will comply within 5 business days except where legal obligations require retention.

TeZe Ltd

Company number: 17137231

Brighton and Hove, United Kingdom

compliance@rowpa.app