Legal

Data Processing Agreement

Last updated: June 2026

Need a signed DPA for your organisation?

Enterprise and agency customers can request a signed DPA by emailing hello@proofbeer.com.

1. Purpose and Scope

This Data Processing Agreement (“DPA”) forms part of the agreement between ProofBeer (“Processor”) and you, the customer (“Controller”), and governs ProofBeer's processing of personal data on your behalf in connection with your use of the ProofBeer platform.

This DPA applies where ProofBeer processes personal data on behalf of a Controller that is subject to the General Data Protection Regulation (GDPR), UK GDPR, or other applicable data protection legislation.

2. Roles and Responsibilities

You (the Controller)

You determine the purposes and means of processing personal data collected through your ProofBeer forms and widgets. You are responsible for having a lawful basis for collecting personal data from your customers, informing them of how their data will be used, and responding to data subject requests.

ProofBeer (the Processor)

ProofBeer processes personal data only on your documented instructions and for the purpose of providing the ProofBeer service. We do not use your customers' personal data for our own marketing, profiling, or any purpose beyond operating the platform for you.

3. What Personal Data We Process

The categories of personal data ProofBeer may process on your behalf include:

  • Names and email addresses of form respondents
  • Form responses, feedback, and testimonial content submitted by your customers
  • IP addresses and browser metadata associated with form submissions
  • Partial form data collected through the Abandoned Data feature
  • Review content imported from connected third-party platforms (Google, Facebook)
  • Any other data fields you configure within your ProofBeer forms

You are responsible for ensuring that the personal data you collect through ProofBeer forms does not include special category data (health, biometric, financial) unless you have an appropriate legal basis and have implemented suitable safeguards.

4. Security Measures

ProofBeer implements and maintains appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Access controls limiting data access to authorised personnel only
  • Regular security assessments and vulnerability monitoring
  • Secure credential storage using bcrypt hashing

For full details see our Security page.

5. Sub-processors

ProofBeer uses the following sub-processors to operate the platform. By agreeing to this DPA, you authorise ProofBeer's use of these sub-processors:

Sub-processor        | Purpose                       | Location
MongoDB Atlas        | Primary database              | US / EU
Google Cloud Storage | File and image storage        | US / EU
OpenAI               | AI form generation            | US
Vercel               | Website hosting and analytics | US / EU

We will notify you of any changes to our sub-processor list with reasonable advance notice to allow you to object if required.

6. Data Subject Rights

ProofBeer will assist you in responding to data subject requests (access, correction, deletion, portability) to the extent technically possible. If one of your respondents contacts ProofBeer directly with a data subject request, we will direct them to you as the Controller and notify you promptly.

7. Data Breach Notification

ProofBeer will notify you without undue delay, and in any case within 72 hours of becoming aware of a personal data breach that affects your data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address it.

8. Data Retention and Deletion

Personal data is retained for as long as your account is active or as needed to provide the service. Upon account deletion or termination, personal data collected through your forms will be permanently deleted within 30 days, except where retention is required by applicable law. Backup copies may persist for up to an additional 90 days before being purged.

9. International Data Transfers

ProofBeer primarily stores and processes data in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to the US or other countries, such transfers are carried out under the EU Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable law.

10. Contact

For DPA-related enquiries, data protection questions, or to request a countersigned DPA, contact us at hello@proofbeer.com.