Scope
This Data Processing Agreement (DPA) applies where ProjoMania acts as a processor on behalf of a client (controller) in the context of a service-delivery engagement. It supplements the Master Services Agreement or Statement of Work between us.
Subject matter & duration
Subject matter: processing of personal data as necessary to deliver the services described in the engagement. Duration: for the length of the engagement and for 30 days after completion for secure deletion.
Nature & purpose of processing
Technology-services delivery — migrations, implementations, custom development, support — as described in the engaging contract.
Types of personal data
Typically: customer, supplier, employee, and user records stored in the systems we operate on (contact details, identifiers, transactional records). Exact scope is defined per engagement.
Categories of data subjects
Client’s customers, suppliers, employees, and end-users as relevant to the engagement.
Controller rights & obligations
- Client is the controller and remains responsible for lawful processing under GDPR or applicable law.
- Client provides lawful instructions and ensures the legal basis for processing.
- Client handles data-subject requests; ProjoMania assists as outlined below.
Processor obligations
- Process personal data only on documented instructions from the controller.
- Keep personal data confidential — our staff are under NDA, access is least-privilege.
- Implement appropriate technical and organizational measures (see the Security page).
- Assist the controller with data-subject access requests and regulatory enquiries.
- Notify the controller of any personal data breach without undue delay and no later than 72 hours after becoming aware.
- Delete or return personal data at the end of the engagement, per client’s election.
- Submit to audits on reasonable notice.
Sub-processors
We use the following sub-processors for common service delivery; any additional sub-processors required for a specific engagement are listed in the SOW.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel / Cloudflare Pages | Hosting | Global edge |
| Cloudflare | CDN, DNS, DDoS protection | Global edge |
| Resend | Transactional email | EU / US |
| Sanity | CMS | EU |
| Cal.com | Scheduling | EU / US |
| AWS (as applicable) | Backups, temporary storage during migrations | Client-chosen region |
Sub-processor changes are notified with a 30-day objection window.
International transfers
Transfers outside the EU are covered by Standard Contractual Clauses or equivalent legal mechanism.
Liability
Subject to the limits set in the engagement contract.