
Data Processing Agreement (DPA)



ReflectHub OÜ

Effective Date: 2026-06-18
Controller (Customer): The Customer entity identified in the applicable Terms of Service / Order Form
Processor: ReflectHub OÜ (Estonian Commercial Register code 14010143)
Incorporation: This DPA is incorporated into and forms part of the Terms of Service and/or Order Form

This Data Processing Agreement ("DPA") sets out the terms under which ReflectHub OÜ ("Processor") processes Personal Data on behalf of the Customer ("Controller") in connection with the ReflectHub services.

01. Definitions

"Applicable Data Protection Law" means GDPR and any applicable laws implementing or supplementing it.
"Customer Data" means any data (including Personal Data) submitted to the Services by or on behalf of Customer.
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in Applicable Data Protection Law.
"Sub-processor" means any third party engaged by Processor to Process Personal Data on behalf of Customer.

02. Scope and Roles

2.1 The parties acknowledge that, with respect to Customer Personal Data processed through the Services, Customer is the Controller and ReflectHub OÜ is the Processor.
2.2 Processor will Process Personal Data only on documented instructions from Customer, including as reflected through Customer's and its Authorized Users' use of the Services, unless otherwise required by applicable law.
2.3 If Processor is required by law to Process Personal Data other than on Customer's instructions, Processor will inform Customer of that legal requirement before Processing unless prohibited by law.

03. Details of Processing

Subject matter: Provision of the ReflectHub B2B SaaS platform and related support/maintenance services.
Duration: For the term of the applicable agreement and until deletion/return of Customer Personal Data in accordance with this DPA.
Nature and purpose: Hosting, storage, organization, retrieval, transmission, security monitoring, support, and other processing necessary to provide the Services.
Categories of Data Subjects: Customer personnel, contractors, project participants, end-users, and other individuals whose data Customer uploads or manages in the Services.
Types of Personal Data: Customer determines the types of Personal Data uploaded; examples may include names, contact details, project metadata, communications, and operational records.

04. Processor Obligations

4.1 Processor shall ensure that persons authorized to Process Personal Data are subject to confidentiality obligations.
4.2 Processor shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk.
4.3 Processor shall assist Customer, taking into account the nature of Processing and information available to Processor, with fulfilling Customer's obligations regarding data subject rights requests, security, breach notification, DPIAs, and prior consultations, to the extent required by Applicable Data Protection Law.
4.4 Processor shall maintain records of processing activities where required by law and make available information reasonably necessary to demonstrate compliance with this DPA.
4.5 Processor shall promptly notify Customer if, in Processor's opinion, a Customer instruction infringes Applicable Data Protection Law.

05. Customer Obligations

5.1 Customer warrants that it has all necessary rights, notices, and lawful bases to collect, upload, and permit Processor to Process Customer Personal Data through the Services.
5.2 Customer is solely responsible for determining the lawfulness of the Processing instructions it provides to Processor.
5.3 Customer shall not instruct Processor to Process Personal Data in violation of Applicable Data Protection Law.
5.4 Customer remains responsible for responding to Data Subject requests relating to Customer Personal Data, except to the extent Processor is required to assist under this DPA.

06. Security Measures

Processor will maintain and apply commercially reasonable technical and organizational measures appropriate to the risk, which include:

  • Hosting in the European Economic Area (Scaleway, France) with no production storage of Customer Personal Data outside the EEA;
  • Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (managed PostgreSQL and Object Storage encryption provided by the hosting infrastructure);
  • Passwordless authentication for Authorized Users (time-based one-time codes (TOTP) and federated identity via Google and Facebook);
  • Role-based access control with per-tenant role assignments and ability checks enforced in the application layer, combined with database-level tenant isolation;
  • Centralised logging, monitoring and security alerting through Scaleway Cockpit (Grafana, Loki);
  • Routine backups of the production database with point-in-time recovery and a 30-day rolling retention window;
  • Change management, code review and vulnerability management practices for the production environment;
  • Confidentiality obligations binding all personnel with access to Customer Personal Data, and least-privilege access controls on production systems;
  • Vendor due diligence and contractual safeguards (including data processing terms) for all Sub-processors listed in the Sub-Processor List.

A summary of the current technical and organizational measures is set out in Annex A. Processor may update its TOMs from time to time, provided such updates do not materially reduce the overall security of the Services.

07. Sub-processors

7.1 Customer provides general authorization for Processor to engage Sub-processors to Process Customer Personal Data.
7.2 Processor maintains a current Sub-Processor List at https://reflecthub.com/legal/sub-processors and updates it when Sub-processors are added or replaced.
7.3 Processor shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA, to the extent applicable to the services performed by the Sub-processor.
7.4 Processor remains responsible for the performance of its Sub-processors to the extent required by Applicable Data Protection Law.
7.5 Processor will provide prior notice of material additions or replacements of Sub-processors. If Customer reasonably objects on data protection grounds, the parties will work in good faith to address the objection. If no reasonable resolution is possible, Customer's sole remedy is to terminate the affected Services in accordance with the agreement.

08. International Transfers

8.1 Production storage of Customer Personal Data takes place within the EEA. Limited categories of Personal Data (for example, billing metadata processed by Stripe, transactional email metadata processed by Resend, and edge and bot-protection traffic metadata processed by Cloudflare) may be transferred to or accessed from outside the EEA by the Sub-processors identified in the Sub-Processor List.
8.2 Where personal data is transferred outside the EEA/UK/Switzerland, the parties agree that appropriate safeguards shall apply, including the European Commission's Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (where the recipient is certified), and any required supplementary measures.
8.3 To the extent SCCs are required for a transfer under this DPA, they are incorporated by reference into this DPA and shall apply to that transfer with Customer acting as data exporter and Processor (or the relevant Sub-processor) acting as data importer.

09. Personal Data Breach

9.1 Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
9.2 Such notification will include, to the extent known and reasonably available, information necessary for Customer to meet its legal obligations, including the nature of the breach, likely consequences, and measures taken or proposed to address it.
9.3 Notification under this section does not constitute an admission of fault or liability by Processor.

10. Audit and Information Rights

10.1 Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
10.2 To the extent Customer requires an audit under Article 28 GDPR, the parties shall first seek to satisfy the request through existing documentation (e.g., policies, certifications, summaries, or questionnaires).
10.3 Any on-site audit shall be subject to reasonable prior notice, confidentiality obligations, security requirements, and limitations to avoid disruption, and may be conducted no more than once annually unless required by law or following a confirmed material security incident.

11. Return and Deletion of Data

11.1 Upon termination or expiry of the Services, Processor shall, at Customer's choice and subject to the agreement and technical feasibility, return Customer Personal Data and/or delete Customer Personal Data from active systems within a reasonable period, in accordance with the retention and deletion provisions of the Terms of Service (including Section 9.2) and typically within sixty (60) days of termination, unless retention is required by law.
11.2 Data in backup or archival systems may be retained until overwritten in the ordinary backup rotation cycle, provided such data remains protected and is not actively processed except as required for backup restoration or legal compliance.
11.3 Customer is responsible for exporting Customer Data prior to termination where export tools are made available.
11.4 Customer acknowledges and instructs that the Services apply retention and deletion schedules to Customer Data, including the deletion of data belonging to projects that have remained archived for a defined period during an active agreement, as described in the Terms of Service (including Section 9.2). Customer's agreement to those Terms and its configuration and use of the Services constitute documented instructions under Section 2.2 for Processor to delete such Customer Personal Data. Before carrying out such deletion, Processor will give Customer advance notice so that Customer may export or unarchive the affected data beforehand. Backup and archival copies are handled in accordance with Section 11.2.

12. Liability and Conflict

12.1 The liability provisions of the applicable Terms of Service and/or Order Form apply to this DPA unless otherwise expressly stated.
12.2 In the event of conflict between this DPA and the Terms of Service solely with respect to data protection matters, this DPA prevails.

13. Contact for Data Protection Matters

Privacy contact: privacy@reflecthub.com
Processor contact details may be updated by notice on the website or within the Services.

Annex A. Security Measures Summary

The following summarises the technical and organizational measures currently in place for the ReflectHub Services. Specific tooling may evolve over time provided the overall level of protection is not materially reduced.

  • Hosting region(s): EEA only. Production hosting, managed database and Object Storage are operated by Scaleway in France (fr-par). Limited metadata may be processed outside the EEA by the Sub-processors listed in the Sub-Processor List.
  • Encryption in transit: Yes — TLS 1.2 or higher for all connections to the Services, including end-user traffic, internal service-to-service traffic and connections to backing data stores.
  • Encryption at rest: Yes — managed PostgreSQL volumes and Object Storage buckets are encrypted at rest by the hosting provider; backups inherit this encryption.
  • Authentication: Passwordless authentication for Authorized Users — time-based one-time codes (TOTP) and federated identity via Google and Facebook. No reusable static passwords are stored by the Services.
  • Access control model: Role-based access control with per-tenant role assignments and application-layer ability checks. Database-level tenant isolation is enforced for multi-tenant data. Production system access by personnel is restricted on a least-privilege basis and subject to confidentiality obligations.
  • Logging and monitoring: Application, access and security logs are centralised in Scaleway Cockpit (Grafana, Loki), with alerting on anomalous events.
  • Logging retention: Up to 12 months, unless longer retention is required for an active security investigation or by law.
  • Backup retention: Rolling backups of the production database with a 30-day retention window.
  • Vulnerability and change management: Code review, dependency scanning and routine patching of the production environment; security-relevant changes follow a documented change management process.
  • Personnel: All personnel with access to Customer Personal Data are bound by confidentiality obligations and onboarded to the access control model on a need-to-know basis.
  • Incident notification target: Without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, with commercially reasonable follow-up updates as additional facts become available.