This Data Processing Agreement ("DPA") forms part of the SaaSBoost Terms of Service and applies when SaaSBoost processes personal data on your behalf as a processor under GDPR Article 28. If you operate as a founder using the saasboost SDK to process conversion data, you are the controller and SaaSBoost is your processor for that data.
1. Subject matter and duration
SaaSBoost processes personal data only to provide the services described in the Terms, for the duration of the contractual relationship plus any legally required retention period.
2. Nature and purpose of processing
Processing consists of receiving click and conversion events, attributing them to sellers, calculating payouts, and surfacing aggregate analytics back to the controller.
3. Categories of data and data subjects
- Categories of data: referral IDs, conversion amounts, timestamps, hashed user identifiers.
- Categories of data subjects: end users of the controller's product.
The saasboost SDK does not collect names, email addresses, IP addresses, or device fingerprints.
4. Sub-processors
Current sub-processors:
- AWS (eu-central-1) — infrastructure
- Stripe — payment processing
- Postmark — transactional email (covered by SCCs)
We will give 30 days' notice before adding or replacing a sub-processor. You may object in writing within that period.
5. Security measures
- TLS 1.3 in transit, AES-256 at rest.
- Encrypted database backups, retained 30 days.
- Role-based access control; production access logged and audited monthly.
- Annual penetration test by an independent third party.
- Mandatory 2FA for all employees.
6. Data subject requests
If a data subject contacts SaaSBoost directly, we will forward the request to you within five business days. We will assist you in responding to access, correction, deletion, and portability requests at no additional cost.
7. Data breach notification
We will notify you of a personal data breach without undue delay and in any event within 72 hours of becoming aware of it. Notification will include the nature of the breach, affected data categories, likely consequences, and mitigation measures.
8. International transfers
Data is processed in the EU. The Postmark sub-processor in the US is covered by Standard Contractual Clauses (Commission Decision 2021/914) with supplementary technical and organizational measures.
9. Audits
Upon reasonable request, SaaSBoost will provide a SOC 2 Type II report (or equivalent) and respond to written security questionnaires. On-site audits are available for enterprise customers under a separate agreement.
10. Return or deletion of data
On termination, you can export your data via the API or have it deleted. Unless legally required to retain it, we will delete personal data within 30 days of your request.
11. Signing this DPA
This DPA is automatically incorporated into the Terms when you create a founder account. For a counter-signed paper version, email legal@saasboost.app.