Data Processing Agreement
DPA — GDPR Article 28
Effective 2026-05-08 · Version 2026-05-08.f38
Need a counter-signed copy?
Email signal@gitdealflow.com with your company legal name, billing entity, and the email address of the signatory. We return a PDF counter-signed by the operator within 5 business days. Machine-readable pointer: /.well-known/dpa.json.
1 · Parties
Controller: the paid subscriber identified on the relevant Stripe invoice. Processor: VC Deal Flow Signal (GitDealFlow), operating signals.gitdealflow.com. Contact: signal@gitdealflow.com.
2 · Subject matter & duration
The Processor will process Personal Data on behalf of the Controller for the lifetime of the paid subscription, plus a 12-month retention window for audit and reactivation. After that window the Processor will delete the Personal Data, subject to legal retention obligations (Stripe records retained 7 years for tax purposes).
3 · Nature & purpose of processing
- Hosting (Vercel EU primary, US failover) and edge compute.
- Subscription billing, refunds, and tax reporting (Stripe).
- Transactional email — onboarding, weekly digest, drip sequences (Resend).
- Subscriber records and share tokens (PocketBase on Hetzner Helsinki).
- Pseudonymous product analytics (PostHog EU). No direct identifiers (name, email) are sent; note that pseudonymous identifiers still count as Personal Data under GDPR Recital 26 and Art. 4(5), so this processing remains in scope of this DPA.
4 · Data categories & subjects
- Categories: email address, Stripe customer ID, share-token records, server-log metadata.
- Subjects: paid and free subscribers of the Controller's organisation.
- No special categories under GDPR Art. 9 are processed.
5 · Processor obligations
- Process Personal Data only on documented instructions from the Controller (the subscription contract is the documented instruction).
- Ensure persons authorised to process the data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures (TOMs) — see /security and security-policy.json.
- Engage subprocessors only with prior general authorisation and 30-day notice of additions — see /.well-known/subprocessors.json.
- Assist the Controller in responding to data-subject requests (access, deletion, portability, etc.).
- Notify the Controller without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach, so that the Controller can meet its own Art. 33 notification deadline to the supervisory authority.
- At the Controller's choice, delete or return Personal Data after the end of services and delete existing copies, unless EU or Member State law requires retention.
- Make available all information necessary to demonstrate compliance with Art. 28; allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6 · Subprocessors & international transfers
Current subprocessor list at /subprocessors (machine-readable copy at /.well-known/subprocessors.json). Non-EEA transfers (Stripe US, Resend US, GitHub US, Coinbase US, Anthropic US) operate under the EU Standard Contractual Clauses, Decision (EU) 2021/914. Because the Processor, not the Controller, is the data exporter to these subprocessors, the applicable module is Module Three (Processor-to-Processor); Module Two (Controller-to-Processor) applies only where the Controller contracts with a non-EEA processor directly.
7 · Audit rights
The Controller may audit the Processor's GDPR compliance once per calendar year on 30 days' notice. The Processor will respond to written audit questionnaires within 30 days; on-site audits are available on commercially reasonable terms. Subprocessor SOC 2 / ISO 27001 reports satisfy audit obligations for the relevant subprocessor scope.
8 · Liability
Liability for breaches of this DPA is governed by the Terms of Service liability cap at /terms §6. Nothing in this DPA limits the Processor's direct liability under Art. 82 GDPR.
9 · Termination & deletion
On termination of the subscription, the Processor will delete or return the Personal Data within 30 days, except for billing records that must be retained for tax purposes (7 years per Greek and EU tax law). The Controller may request a deletion certificate.
10 · Governing law
This DPA is governed by Greek law and the EU GDPR. Disputes are subject to /terms §9.