Data Processing Agreement (DPA)

Between
Controller: Customer of the “URLIFY” service
Processor: Byteman UG (haftungsbeschränkt), Platzl 1a, 80331 Munich, Germany

Effective date: 24 Aug 2025


1. Subject matter, duration, nature and purpose of processing

1.1 Subject matter: Processing of personal data in the context of URL shortening, redirection and analytics (click/usage data), as well as account and billing management.
1.2 Duration: For the term of the contract as per the Terms, including post‑termination periods for backups/logs in line with deletion periods.
1.3 Nature & purpose: Collection, storage, organization, analysis, transmission/redirection and logging — to the extent necessary to provide the service, ensure security, billing and support.

2. Categories of data subjects and data types

2.1 Data subjects: End users (clickers), customers and their users (admins/teams), communication partners.
2.2 Data types (typical): IP address, timestamps, requested short URL and target URL, referrer, user agent, device/browser information, approximate geolocation (derived from IP), UTM parameters/tags, internal IDs, log data, account/contract data, payment metadata (no full payment data — handled via Stripe), support content.
2.3 Special categories: Not intentionally processed; the Controller undertakes not to collect such data via the service, or only with an appropriate legal basis and safeguards.

3. Instructions

Processing only on documented instructions from the Controller (Terms, this DPA, admin functions, tickets).

4. Confidentiality

Persons authorised to process personal data are bound by confidentiality and are adequately trained.

5. Technical and organisational measures (TOMs)

The Processor implements and maintains, inter alia: access controls (MFA, roles, least privilege), encryption in transit (TLS) and at rest, separated environments (prod/staging), firewalls/WAF, DDoS protection, rate limiting, monitoring/alerting, regular backups and restore tests, security/access logging, privacy by design (pseudonymisation/minimisation), processes for deletion/anonymisation and export, and supply‑chain controls (DPAs/SCCs). A detailed TOM overview is provided in Annex 2.

6. Subprocessors

Permitted where a data processing agreement under Art. 28(4) GDPR is in place and equivalent obligations are imposed. The current list (including purpose and location) is published at urlify.eu/subprocessors; material changes are announced in advance with reasonable notice. The Controller may object for good cause; failing agreement, a special termination right applies.

7. Third‑country transfers

Where transfers outside the EU/EEA occur, the Processor provides appropriate safeguards (notably the EU Standard Contractual Clauses) and supplemental measures.

8. Assistance

Reasonable assistance with data subject requests (Arts. 12–23 GDPR), DPIAs (Art. 35), notifications (Arts. 33/34) and security measures (Art. 32); reasonable fees may apply.

9. Personal data breach notification

Notification without undue delay, at the latest within 48 hours after becoming aware, providing the available information under Art. 33(3) GDPR, with rolling updates.

10. Deletion and return of data

Upon termination: deletion/anonymisation after 30 days; before that, export via the customer account where available. Statutory retention obligations remain unaffected.

11. Evidence and audits

Provision of necessary information (policies, certifications, redacted pen‑test excerpts). Audits/inspections on reasonable prior notice; confidentiality/trade secrets preserved; no more than once per year, except for cause.

12. Liability

The liability provisions of the Terms apply accordingly; mandatory statutory liability remains unaffected.

13. Miscellaneous; order of precedence and venue

In case of conflict, this DPA prevails over the Terms. Venue: Munich, Germany.


Annex 1 – List of subprocessors (as of 24 Aug 2025)

  • Vercel, Inc. — Hosting/edge/CDN & serverless runtimes; Location: EU/EEA (preferred), possibly global; Safeguards: DPA, SCC as applicable.
  • Neon (Neon Tech, Inc.) — PostgreSQL database as a service; Location: EU region; Safeguards: DPA, SCC as applicable.
  • Tinybird (Tinybird Data, S.L.) — Realtime analytics/streaming/OLAP; Location: EU; Safeguards: DPA.
  • Upstash, Inc. — Serverless Redis/Kafka/queues; Location: EU region; Safeguards: DPA, SCC as applicable.
  • Resend, Inc. — Transactional email; Location: EU data residency where available; possibly global; Safeguards: DPA, SCC as applicable.
  • Stripe Payments Europe, Ltd. — Payment processing; Location: EU (primary), group‑wide possible; Safeguards: DPA, SCC as applicable.
  • Google Ireland Limited — Website analytics; Location: EU (primary), group‑wide possible; Safeguards: DPA, SCC as applicable.

Annex 2 – Technical and organisational measures (short form)

Organisation/policies; roles/permissions (least privilege), MFA/SSO; logging/review; infrastructure: Vercel, Neon DB, Tinybird, Upstash, Resend (EU/EEA, SCC fallback); encryption (TLS 1.2+) in transit and at rest; tenant separation/minimisation; firewalls/WAF, DDoS protection, rate limits; monitoring/alerting; regular backups and restore tests (Neon/Upstash/Tinybird); versioned deployments (Vercel), code reviews, CI/CD, rollback; secrets management and rotation; short retention for personally identifiable logs, longer retention for anonymised aggregates; 30‑day export window after termination; supply chain with DPA/SCC and ongoing evaluation.

Annex 3 – Instruction channel & contacts

Instructions via the admin console or contact@urlify.eu. Privacy contact: privacy@urlify.eu (if different).