Data Processing Agreement

Last updated: February 12, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between EasyConsent ("Processor") and you, the customer ("Controller"), and governs the processing of Personal Data by the Processor on behalf of the Controller.

This DPA complies with the requirements of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

  • "Controller" means you, the customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means EasyConsent, who processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Services" means the EasyConsent cookie consent management platform and related services.

3. Scope and Applicability

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services.

3.1 Processing Activities: The Processor will process Personal Data for the following purposes:

  • Storing and managing consent records
  • Transmitting consent data to integrated platforms (Google Analytics, etc.)
  • Displaying consent history and analytics in the Controller's dashboard
  • Analyzing consent patterns for compliance reporting

3.2 Categories of Personal Data: The following categories of Personal Data may be processed:

  • User consent choices (accept, decline, customize)
  • IP addresses (hashed/anonymized)
  • Device type, browser, and operating system information
  • Timestamp of consent action

4. Processor Obligations

4.1 General Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure data security
  • Only engage sub-processors with prior authorization from the Controller
  • Assist the Controller in responding to data subject rights requests
  • Notify the Controller without undue delay of any personal data breach
  • Make available all information necessary to demonstrate compliance and allow audits

4.2 Security Measures

The Processor implements the following security measures:

  • Encryption of Personal Data in transit (TLS/SSL) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication
  • Regular automated backups with encryption
  • Continuous security monitoring and intrusion detection
  • Documented incident response procedures

5. Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

Current Sub-Processors:

Sub-Processor              Service Provided                   Data Location
Amazon Web Services (AWS)  Cloud hosting and infrastructure   EU (Frankfurt)
Stripe, Inc.               Payment processing                 USA (GDPR-compliant)
Cloudflare, Inc.           Content delivery network           Global (EU storage)

The Processor ensures that all sub-processors are bound by data protection obligations equivalent to those in this DPA.

6. International Data Transfers

Personal Data is primarily stored and processed within the European Economic Area (EEA).

6.1 Primary Storage Location: All Personal Data is stored on servers located in the EU (Frankfurt, Germany) operated by Amazon Web Services.

6.2 Transfers Outside the EEA: In the event that Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for certain countries
  • Strong encryption during transfer and storage

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including:

  • Right of Access: Provide access to Personal Data upon request
  • Right to Rectification: Correct inaccurate Personal Data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Data Portability: Provide Personal Data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests

The Processor will respond to such requests within 30 days and provide the Controller with necessary information and cooperation.

8. Personal Data Breach

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

8.1 Breach Notification Details: The notification shall include:

  • The nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.2 Cooperation: The Processor shall cooperate with the Controller and provide all necessary assistance in investigating the breach and complying with notification obligations to supervisory authorities and data subjects.

9. Audits and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

9.1 Controller Audits: The Controller may conduct audits or inspections of the Processor's data processing activities upon reasonable notice and during normal business hours.

9.2 Certifications: The Processor is committed to the highest security standards and plans to obtain ISO 27001 certification. Details about security practices are available upon request.

10. Return or Deletion of Data

Upon termination of the Services or upon request, the Processor shall, at the Controller's choice:

10.1 Data Handling Options:

  • Return all Personal Data to the Controller in a commonly used format
  • Delete all Personal Data and certify deletion

10.2 Retention Requirements: The Processor may retain Personal Data to the extent required by applicable law, provided such data remains subject to confidentiality obligations.

11. Liability and Indemnification

Each party shall be liable under this DPA in accordance with the liability provisions set forth in the Terms of Service.

The Processor shall indemnify the Controller against any claims, fines, or penalties imposed by supervisory authorities arising from the Processor's breach of this DPA or GDPR obligations.

12. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination, the provisions regarding data return/deletion, confidentiality, and audit rights shall survive.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Sweden and the applicable provisions of GDPR.

14. Contact Information

For any questions regarding this DPA or data processing activities, please contact:

  • Email: dpo@easyconsent.com
  • Data Protection Officer: privacy@easyconsent.com
  • Company: EasyConsent (by Guillermo Eduardo Gallego Pagella)
  • Address: Helsingborg, Sweden