Data Processing Agreement
DPA — GDPR Article 28
Effective 2026-05-08 · Version 2026-05-08.f38
For the buyer doing diligence
Need a signed DPA before your firm can pay an invoice? That's this page. The version a non-lawyer can hand to legal: we process your subscribers' email addresses and billing records and nothing sensitive — no GDPR Art. 9 special categories. Email us and a counter-signed PDF comes back within five business days.
Start with the most-requested trust routes
Legal reviewers reading the DPA usually want the processor list, the privacy summary, and the main security controls next.
Need a counter-signed copy?
Email signal@gitdealflow.com with your company legal name, billing entity, and the email address of the signatory. We return a PDF counter-signed by the operator within 5 business days. Machine-readable pointer: /.well-known/dpa.json.
1 · Parties
Controller: the paid subscriber identified on the relevant Stripe invoice. Processor: VC Deal Flow Signal (GitDealFlow), operating signals.gitdealflow.com. Contact: signal@gitdealflow.com.
2 · Subject matter & duration
The Processor will process Personal Data on behalf of the Controller for the lifetime of the paid subscription, plus a 12-month retention window for audit and reactivation. After that window the Processor will delete the Personal Data, subject to legal retention obligations (Stripe records retained 7 years for tax purposes).
3 · Nature & purpose of processing
- Hosting (Vercel EU primary, US failover) and edge compute.
- Subscription billing, refunds, and tax reporting (Stripe).
- Transactional email — onboarding, weekly digest, drip sequences (Resend).
- Subscriber records and share tokens (PocketBase on Hetzner Helsinki).
- Pseudonymous product analytics, no PII (PostHog EU).
4 · Data categories & subjects
- Categories: email address, Stripe customer ID, share-token records, server-log metadata.
- Subjects: paid and free subscribers of the Controller's organisation.
- No special categories under GDPR Art. 9 are processed.
5 · Processor obligations
- Process Personal Data only on documented instructions from the Controller (the subscription contract is the documented instruction).
- Ensure persons authorised to process the data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures (TOMs) — see /security and security-policy.json.
- Engage subprocessors only with prior general authorisation and 30-day notice of additions — see /.well-known/subprocessors.json.
- Assist the Controller in responding to data-subject requests (access, deletion, portability, etc.).
- Notify the Controller without undue delay (within 72 hours) of becoming aware of a Personal Data breach.
- At the Controller's choice, delete or return Personal Data after the end of services and delete existing copies, unless EU or Member State law requires retention.
- Make available all information necessary to demonstrate compliance with Art. 28; allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6 · Subprocessors & international transfers
Current subprocessor list at /subprocessors. Non-EEA transfers (Stripe US, Resend US, GitHub US, Coinbase US, Anthropic US) operate under EU Standard Contractual Clauses Module Two (Controller-to-Processor), Decision (EU) 2021/914.
7 · Audit rights
The Controller may audit the Processor's GDPR compliance once per calendar year on 30 days' notice. The Processor will respond to written audit questionnaires within 30 days; on-site audits are available on commercially reasonable terms. Subprocessor SOC 2 / ISO 27001 reports satisfy audit obligations for the relevant subprocessor scope.
8 · Liability
Liability for breaches of this DPA is governed by the Terms of Service liability cap at /terms §6. Nothing in this DPA limits the Processor's direct liability under Art. 82 GDPR.
9 · Termination & deletion
On termination of the subscription, the Processor will delete or return the Personal Data within 30 days, except for billing records that must be retained for tax purposes (7 years per Greek and EU tax law). The Controller may request a deletion certificate.
10 · Governing law
This DPA is governed by Greek law and the EU GDPR. Disputes are subject to /terms §9.
Clearing this for a fund? Here’s the path — and the no-card way to start.
Your legal or IC team can clear this page without an engineer in the room — that’s the point. When they’re done, most funds start on the free Sunday digest to pressure-test the signal, then move to the application-gated Sharp tier once it’s earning its seat. No card to read the digest, and nothing on this site auto-charges.