Data Processing Agreement
Last updated: 2026-06-21
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and
1. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679.
2. Subject and duration
| Item | Detail |
|---|---|
| Subject matter | Processing of Personal Data by Processor on behalf of Controller in connection with the Service. |
| Duration | For as long as the Service is provided to Controller, plus any post-termination retention period required by law. |
| Nature and purpose | Receiving Webflow Ecommerce and form events on Controller's behalf and delivering the contained contact data to the email service providers Controller connects. |
| Processing activities | Storing encrypted OAuth tokens and API keys, receiving and storing Webflow webhook events, extracting contact data, delivering it to Controller's chosen email tools, sending Controller transactional email, and processing Controller's payments |
| Categories of Data Subjects | Controller's authorized users; Controller's end customers (people who place orders or submit forms on Controller's Webflow site). |
| Categories of Personal Data | Name and email of Controller; names, email addresses, and order or form field values of Controller's end customers as contained in Webflow events. |
3. Processor obligations
Processor agrees to:
- Process Personal Data only on documented instructions from Controller (including those in these Terms and this DPA).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Section 6).
- Assist Controller in responding to Data Subject requests.
- Notify Controller without undue delay (within 72 hours) of a Personal Data breach.
- Delete or return all Personal Data after the end of the provision of Services.
- Make available all information necessary to demonstrate compliance with GDPR Art. 28.
4. Sub-processors
Controller authorizes Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | EU (Germany or Finland) |
| Cloudflare, Inc. | DNS, email routing, edge cache | Global (data at rest in EU) |
| Resend, Inc. | Transactional email | EU region selected, with EU adequacy mechanism |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Webflow, Inc. | Source of data Processor processes on Controller's behalf | US, with EU adequacy mechanism |
| Intuit Mailchimp | Email tool Controller may connect; receives synced events | US, with EU adequacy mechanism |
| Sendinblue SAS (Brevo) | Email tool Controller may connect; receives synced events | EU (France) |
Processor will notify Controller of any intended changes concerning the addition or replacement of sub-processors, giving Controller the opportunity to object within 30 days.
5. International transfers
Where Personal Data is transferred outside the EEA, Processor relies on:
- EU Commission adequacy decisions where applicable
- Standard Contractual Clauses (SCCs) for transfers to third countries
- Supplementary measures (encryption in transit and at rest) as recommended by EDPB guidance
6. Technical and organizational measures
Processor implements:
- AES-256-GCM encryption for stored OAuth tokens and other sensitive secrets
- HTTPS-only connections for all data in transit
- SSH key-based access to production infrastructure with multi-factor authentication
- Logical separation of customer data via row-level access controls
- Database backups encrypted at rest, retained 30 days
- Audit logging of administrative actions
- Annual review of access permissions
- Incident response plan with 72-hour breach notification commitment
7. Data Subject rights
Processor assists Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Controller can self-serve most requests via the Service:
- Data export: one-click JSON download from the Account dialog
- Account deletion: one-click from the Account dialog, processed within 30 days
For requests Controller cannot self-serve, email dpa@quilljet.com.
8. Audits
Controller may, no more than once per 12 months and with 30 days written notice, audit Processor's compliance with this DPA. Processor will respond to reasonable written audit questionnaires (e.g., SIG-Lite) within 30 days.
9. Termination
This DPA terminates automatically when the Terms terminate or when Processor ceases processing Personal Data on Controller's behalf, whichever is later.
10. Governing law
Dutch law governs this DPA. Disputes are subject to the competent court in the Netherlands.
Contact
For DPA signature requests, sub-processor questions, and Article 17 deletion requests: dpa@quilljet.com
For everything else: hello@quilljet.com