Data Processing Agreement
GDPR Article 28 compliant.
Effective date: 10 July 2026
This DPA forms part of the Terms of Service between Pragma ("Processor") and each customer ("Controller"), under Article 28 UK GDPR / EU GDPR.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have meanings per UK GDPR / EU GDPR.
2. Roles
Controller determines purposes. Processor processes Customer Data only on Controller's documented instructions.
3. Nature of Processing
Processing necessary to provide the Pragma App platform — storing, retrieving, displaying, and transmitting Customer Data as directed.
4. Data Categories and Subjects
Determined by Controller. May include employees, customers, suppliers. Categories may include identifiers, contact data, financial records, employment information.
5. Duration
Subscription term plus 30 days after termination, then permanently deleted unless law requires retention.
6. Processor Obligations
Process only on Controller instructions; bind personnel to confidentiality; implement security measures; assist with data subject rights; assist with breach notification and DPIAs; delete or return data on termination; make compliance information available.
7. Controller Obligations
Warrants lawful basis for all data transferred and has provided required notices and obtained consents.
8. Sub-processors
Controller grants general authorisation. 30 days' notice of changes.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs / UK IDTA |
| Mailgun Technologies | Email delivery | USA | SCCs / UK IDTA |
| Plausible Analytics | Cookieless analytics | EU — Germany | Intra-EU |
| Amazon Web Services | Infrastructure | EU / USA | SCCs / UK IDTA |
9. Security Measures
- TLS 1.2+ in transit, AES-256 at rest
- Role-based access controls
- Regular patching and vulnerability management
- Admin access audit logging
- Employee security training
- Incident response procedures
10–15. Rights, Breaches, DPIAs, Transfers, Audit, Deletion
Processor assists with data subject rights. Breaches notified within 72 hours. DPIAs supported. Transfers protected by SCCs/IDTAs. Audits supported with notice. Data deleted or returned within 30 days of termination.
16. Liability
Subject to Terms of Service limitations. GDPR infringement liability per Article 82 GDPR.
17. Governing Law
England and Wales. Exclusive jurisdiction of the courts of England and Wales.
Pragma · DPO: privacy@usepragma.app