Data Processing Agreement (DPA) Template
1. Parties
Data Processor: Vorepo (operated by [Tomek's company name TBD], based in Warsaw, Poland).
Data Controller: The customer subscribing to Vorepo Data API (Starter / Pro / Enterprise tier).
2. Subject Matter and Duration
Vorepo provides programmatic access to:
- Public GitHub repository metadata (NO personal data of repo authors — only GitHub-public information)
- Aggregated trading metrics (NO individual user trades or balances exposed)
- Historical OHLC price data per repo ticker
This DPA expires when the underlying API subscription terminates. Data is deleted from Customer's possession within 30 days of termination.
3. Type of Data Processed
3.1 Public data (no personal data implications)
- Repository names, descriptions, GitHub URLs (public on github.com)
- Star counts, commit counts, contributor counts
- Computed momentum scores and price tickers
3.2 Personal data (limited)
The Data API does not expose individual Vorepo end-user data. The only personal data potentially in scope is the Customer's own contact information (email, company, billing), which Vorepo processes for invoicing and account management.
4. Categories of Data Subjects
- GitHub repository authors (publicly available GitHub data only)
- Customer's authorized employees who use the API
5. Processor Obligations (GDPR Art. 28(3))
- Process data only on documented instructions from Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical + organizational measures (Art. 32)
- Engage sub-processors only with prior written authorization
- Assist Controller in responding to data subject rights requests
- Notify Controller of data breaches within 72 hours
- Make available all information necessary to demonstrate compliance
- Allow audits, including inspections, conducted by Controller
- Delete or return all data at end of contract
6. Sub-Processors
Vorepo uses the following sub-processors:
- Contabo GmbH (Germany) — VPS hosting
- Cloudflare Inc. (USA, EU presence) — CDN + DDoS protection
- Helius Labs (USA) — Solana RPC infrastructure
- Stripe Inc. (USA) — payment processing for Plus subscriptions (NOT Data API — those use direct USDC/Stars)
All sub-processors have signed their own DPAs with appropriate safeguards. Customer will be notified of any new sub-processor at least 30 days in advance.
7. International Data Transfers
Some sub-processors are based in the USA (Cloudflare, Helius, Stripe). Data transfers rely on:
- EU Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework certification (where applicable)
Customer is informed and consents to these transfers by signing this DPA.
8. Technical and Organizational Measures (Art. 32)
- HTTPS/TLS 1.3 encryption in transit
- AES-256 encryption at rest (PostgreSQL + Redis)
- bcrypt password hashing (cost factor 12)
- API key authentication (X-API-Key header) with per-tier rate limiting
- Audit logging of all data access
- Daily database backups with rotation (30 days)
- Quarterly security review
- 2FA required for admin access
- Principle of least privilege for personnel
9. Data Subject Rights
Customer is responsible for handling data subject requests. Vorepo assists with technical implementation:
- Access: Vorepo provides an API endpoint to export all data it holds for the Customer
- Rectification: Customer can update via account settings
- Erasure: Account deletion endpoint available; backups erased after 30 days
- Portability: Customer data exported as JSON via Data API
- Objection: Customer can disable data processing at any time
10. Liability and Damages
Each party is liable for its own GDPR violations. Liability is limited to direct damages, capped at the fees paid in the 12 months preceding the incident.
11. Term and Termination
This DPA is in force for the duration of the underlying API subscription. Upon termination, Vorepo deletes all Customer's data within 30 days. Customer can request earlier deletion.
12. Governing Law
This DPA is governed by Polish law. Disputes are resolved in Polish courts.
13. Contact
Data Processor: [email protected]
DPO (when appointed): TBD (will be designated upon JDG / sp. z o.o. registration)
This template is provided in good faith. The final, executable DPA may differ based on jurisdiction, customer requirements, and ongoing legal review. All commercial DPAs are individually negotiated.