Data Processing Agreement
Last updated: February 1, 2026
Effective Date: February 1, 2026
What this is: This Data Processing Agreement ("DPA") governs the relationship between ShadowPhone Inc. ("Processor") and customers ("Controller") where ShadowPhone processes personal data on behalf of customers as part of providing the service. This DPA forms part of and is incorporated into the ShadowPhone Terms of Service. It is required where customers are subject to GDPR and process personal data of EU/EEA data subjects through the ShadowPhone platform (GDPR Article 28).
1. Definitions
"Controller" means the customer who determines the purposes and means of processing personal data using ShadowPhone.
"Processor" means ShadowPhone Inc., which processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in GDPR Article 4(2).
"Sub-processor" means any third party appointed by ShadowPhone to process personal data on the Controller's behalf.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Processing Details
3. Processor Obligations
ShadowPhone, as Processor, agrees to:
- Process personal data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service)
- Ensure all personnel processing personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures under GDPR Article 32
- Not engage sub-processors without the Controller's prior authorisation (general authorisation is granted by accepting these terms, subject to the sub-processor list in Section 5)
- Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection)
- Delete or return all personal data at the end of the service relationship, at the Controller's election
- Provide the Controller with all information reasonably necessary to demonstrate compliance with Article 28 obligations
- Notify the Controller without undue delay (and within 72 hours where feasible) on becoming aware of a personal data breach
4. Controller Obligations
The Controller agrees to:
- Ensure there is a lawful basis for processing personal data under GDPR before instructing ShadowPhone to process it
- Provide any necessary privacy notices to data subjects
- Ensure that personal data provided to ShadowPhone is accurate and up to date
- Not instruct ShadowPhone to process personal data in a way that violates applicable law
5. Sub-processors
The Controller grants ShadowPhone general authorisation to engage the following sub-processors. ShadowPhone will notify the Controller of any intended change to this list (addition or replacement) with at least 30 days' notice, giving the Controller the opportunity to object.
6. International Transfers
Where personal data is transferred from the EEA to a third country (such as the United States), ShadowPhone ensures appropriate safeguards are in place, primarily via EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2 Controller-to-Processor or Module 3 Processor-to-Processor as applicable). A copy of the applicable SCCs is available on request at privacy@shadowphone.io.
7. Security Measures
ShadowPhone implements the following technical and organisational measures under GDPR Article 32:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Row Level Security (RLS) on all database tables
- Token-based authentication with short session expiry
- API key hashing — keys are never stored in plaintext
- Dependency pinning and regular CVE review
- Error monitoring with PII scrubbing before log ingestion
For a full description of our security practices, see our Security page.
8. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, ShadowPhone will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the Controller's account email address and will include the nature of the breach, categories of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Audit Rights
The Controller may, upon reasonable notice (not less than 30 days) and no more than once per 12-month period, request an audit of ShadowPhone's data processing activities under this DPA. ShadowPhone will cooperate with such audits and provide documentation of relevant technical and organisational measures. Audit costs are borne by the Controller unless a breach of this DPA is identified.
10. Governing Law and Contact
This DPA is governed by the same law as the Terms of Service. Disputes arising under this DPA are subject to the same dispute resolution mechanism as the Terms of Service.