Data Processing Agreement
Effective Date: March 26, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between InkReef ("Processor," "we," or "us") and the Tenant ("Controller," "you," or "your") and governs the processing of personal data by InkReef on behalf of the Tenant.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all personal data processed by InkReef on the Controller's behalf.
1. Definitions
- "Personal Data" has the meaning given in Article 4(1) of the GDPR: any information relating to an identified or identifiable natural person.
- "Processing" has the meaning given in Article 4(2) of the GDPR: any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and erasure.
- "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
- "Sub-Processor" means any third party engaged by InkReef to process personal data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
2. Scope and Purpose of Processing
2.1 Subject Matter
InkReef processes personal data on behalf of the Controller for the purpose of providing the InkReef platform services, as described in the Terms of Service.
2.2 Categories of Data Subjects
- End customers of the Controller (the Tenant's clients)
- Employees and team members of the Controller
2.3 Types of Personal Data
- Contact information (names, email addresses, phone numbers, mailing addresses)
- Order and transaction data (quotes, orders, invoices, payment records)
- Communication data (emails, messages sent through the platform)
- Design and artwork files
- Usage data (platform interactions, timestamps)
2.4 Duration of Processing
Processing will continue for the duration of the Controller's subscription to the Service, plus a 30-day data retention period following account termination.
3. Obligations of the Processor
InkReef shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
- Not engage another processor (sub-processor) without prior written authorization from the Controller (see Section 5).
- Assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under GDPR.
- Assist the Controller in ensuring compliance with data breach notification, data protection impact assessments, and prior consultation obligations.
- At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless required by law to retain them.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations.
4. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing personal data and that appropriate privacy notices are provided to data subjects.
- Provide documented instructions to the Processor regarding the processing of personal data.
- Ensure compliance with applicable data protection laws in its use of the Service.
- Notify the Processor promptly of any data subject requests that require the Processor's assistance.
5. Sub-Processors
5.1 Authorized Sub-Processors
The Controller authorizes InkReef to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DDoS protection, database (D1), object storage (R2) | Global (US-headquartered) |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Transactional email delivery (if configured by Tenant) | United States |
| Brevo (Sendinblue) | Transactional email delivery (if configured by Tenant) | France / EU |
| MailerSend (Mailerlite) | Transactional email delivery (if configured by Tenant) | Lithuania / EU |
| Twilio, Inc. | SMS notifications (if configured by Tenant) | United States |
| MessageBird (Bird) | SMS notifications (if configured by Tenant) | Netherlands / EU |
| Vonage (Sinch) | SMS notifications (if configured by Tenant) | United States |
5.2 Notification of Changes
InkReef will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected services without penalty.
5.3 Sub-Processor Obligations
InkReef ensures that each sub-processor is bound by data protection obligations substantially similar to those set out in this DPA. InkReef remains liable for the acts and omissions of its sub-processors.
6. Data Breach Notification
- InkReef will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a data breach affecting the Controller's personal data.
- The notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of InkReef's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.
- InkReef will cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
7. Technical and Organizational Measures
InkReef implements the following measures to protect personal data:
7.1 Encryption
- Data in transit: TLS 1.3 encryption for all communications via Cloudflare.
- Data at rest: AES-256-GCM encryption for stored credentials and sensitive configuration.
- Database: Cloudflare D1 with encryption at rest provided by the platform.
7.2 Access Control
- Role-based access control (RBAC) with 8 defined roles and 27 granular permissions.
- Multi-factor authentication (TOTP) available for all accounts.
- Bcrypt password hashing with per-user salts.
- Automatic session expiration and management.
7.3 Data Isolation
- Separate Cloudflare D1 database per tenant.
- Tenant data is logically and physically isolated.
- Cross-tenant data access is architecturally prevented.
7.4 Audit Logging
- All administrative actions are logged with user ID, action, timestamp, and IP address.
- Audit logs are retained for 12 months.
- Logs are tamper-resistant and accessible to authorized administrators.
7.5 Availability and Resilience
- Cloudflare Workers: globally distributed, automatic failover.
- D1 Time Travel: 30-day point-in-time recovery for databases.
- DDoS protection via Cloudflare's network.
8. Data Subject Rights
InkReef will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing data export functionality within the Platform.
- Providing account and data deletion capabilities.
- Providing customer data search and retrieval features.
- Responding to Controller requests for assistance within 10 business days.
9. International Data Transfers
Where personal data is transferred outside the European Economic Area, InkReef ensures appropriate safeguards are in place:
- Cloudflare maintains Standard Contractual Clauses (SCCs) and has been approved under the EU-US Data Privacy Framework.
- Stripe maintains SCCs and participates in the EU-US Data Privacy Framework.
- InkReef will execute SCCs with the Controller upon request.
10. Audits
- The Controller may audit InkReef's compliance with this DPA upon reasonable written notice (at least 30 days).
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt InkReef's operations.
- The Controller bears the cost of any audit. InkReef may charge a reasonable fee for time spent assisting with the audit.
- InkReef may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation.
11. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, InkReef will, at the Controller's election, return or delete all personal data within 30 days, unless retention is required by applicable law.
12. Governing Law
This DPA is governed by the laws of the State of California, United States, except where GDPR mandates the application of EU member state law. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
13. Contact
For questions about this DPA or to request execution of Standard Contractual Clauses, contact:
- Email: [email protected]
- Privacy inquiries: [email protected]