In Plain Language
Before the legal text, here's what this agreement means:
- We process consent data on your behalf. When visitors interact with your consent banner, we collect and store their consent choices for you. You decide what data to collect and how to use it — we follow your instructions.
- We don't store IP addresses or directly identifiable information about your visitors. Consent records are pseudonymous by design. Visitor identifiers are hashed before storage, and we can't reverse them.
- We can't track visitors across your site and other customers' sites. Each visitor identifier is unique to your site and meaningless outside of it.
- Your data is yours. You can export or delete your consent data at any time. If you stop using ConsentStack, you have 30 days to export your data before we delete it.
- We use a small number of sub-processors to provide the service. They're listed on our Sub-processor List page. We'll notify you 30 days before adding a new one.
- If something goes wrong, we'll tell you fast. We commit to notifying you of any data breach within 72 hours.
1. Definitions
In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service ("Agreement").
"Controller" means the entity that determines the purposes and means of the processing of Personal Data — in this DPA, that is the Customer.
"Processor" means the entity that processes Personal Data on behalf of the Controller — in this DPA, that is ConsentStack LLC ("ConsentStack").
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in applicable Data Protection Laws.
"Consent Data" means Personal Data processed by ConsentStack in the course of providing the Service, including: pseudonymous visitor identifiers, consent states, timestamps, page URLs, browser and device metadata, country or region codes, and related technical information.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other applicable US state privacy laws, in each case as amended, superseded, or replaced from time to time.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates — in the context of this DPA, the End Users who interact with the Customer's consent banner.
"End User" means a visitor to the Customer's website who is presented with or interacts with a consent banner powered by ConsentStack.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, erasure, or destruction.
"Sub-processor" means any third party engaged by ConsentStack to process Personal Data on behalf of the Customer.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be amended or replaced.
"Service" means the ConsentStack consent management platform as described in the Agreement.
"Technical and Organizational Measures" or "TOMs" means the security measures described in Annex 1 to this DPA.
2. Scope and Duration
2.1 This DPA applies to all Processing of Personal Data by ConsentStack on behalf of the Customer in connection with the provision of the Service.
2.2 The subject matter, nature, purpose, and duration of Processing, the categories of Personal Data, and the categories of Data Subjects are described in Annex 3 (Processing Description).
2.3 This DPA is effective for the duration of the Agreement. Upon termination of the Agreement, Section 11 (Data Deletion and Return) applies.
2.4 This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA will prevail.
3. Roles and Responsibilities
3.1 The Customer is the Controller of End User Personal Data. ConsentStack is the Processor.
3.2 The Customer is responsible for ensuring that it has a lawful basis for the collection of Personal Data from End Users and that the processing instructions given to ConsentStack comply with applicable Data Protection Laws.
3.3 ConsentStack is responsible for processing Personal Data only in accordance with the Customer's documented instructions and applicable Data Protection Laws.
4. Processing Instructions
4.1 ConsentStack will process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law to which ConsentStack is subject. In such a case, ConsentStack will inform the Customer of that legal requirement before Processing, unless prohibited by law from doing so.
4.2 The Customer's instructions for Processing are determined by:
- (a) This DPA and its Annexes;
- (b) The Agreement;
- (c) The Customer's configuration of the Service through the ConsentStack dashboard (including consent categories, regions, banner settings, and domain configuration); and
- (d) Any additional written instructions agreed upon by the parties.
4.3 If ConsentStack believes that an instruction from the Customer infringes Data Protection Laws, ConsentStack will promptly inform the Customer and may suspend execution of the instruction until the Customer confirms, amends, or withdraws it.
5. Confidentiality
5.1 ConsentStack will ensure that all persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 ConsentStack will ensure that access to Personal Data is limited to those personnel who require access to perform the obligations under this DPA.
5.3 The confidentiality obligations in this Section survive the termination of this DPA.
6. Security Measures
6.1 ConsentStack will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures are described in Annex 1 (Technical and Organizational Measures).
6.2 ConsentStack will regularly test, assess, and evaluate the effectiveness of its security measures and may update them from time to time. Any updates will not materially reduce the overall level of protection.
6.3 ConsentStack implements privacy-by-design principles in its Processing of Consent Data, including:
- (a) Pseudonymization: Visitor identifiers (anonymous IDs) are hashed using SHA-256 on our servers before storage. The original identifiers are discarded immediately after hashing and cannot be reversed.
- (b) No IP address retention: IP addresses are used transiently by our infrastructure provider for geolocation (country and region detection) and network routing, but are not stored in consent records. Only the derived country code is retained.
- (c) No cross-site tracking: Visitor identifiers are scoped to each Customer's site and are never reused, correlated, or shared across different Customers. ConsentStack cannot identify or track End Users across multiple Customers' websites.
- (d) Data minimization: Consent records contain only the data necessary to provide proof of consent and consent analytics. No names, email addresses, or other directly identifiable information is collected from End Users.
7. Sub-processors
7.1 The Customer provides general authorization for ConsentStack to engage the Sub-processors listed on the Sub-processor List page.
7.2 ConsentStack will notify the Customer at least 30 days before engaging any new Sub-processor or replacing an existing one, by email to the Customer's billing email address and by updating the Sub-processor List.
7.3 The Customer may object to a new Sub-processor by notifying ConsentStack in writing within 30 days of receiving notice. If the Customer objects on reasonable grounds related to data protection, the parties will discuss the objection in good faith. If the parties cannot resolve the objection within 30 days, the Customer may terminate the Agreement by providing written notice, and ConsentStack will refund any prepaid fees covering the remainder of the subscription term.
7.4 If the Customer does not object within 30 days of receiving notice, the Customer is deemed to have accepted the new Sub-processor.
7.5 ConsentStack will:
- (a) Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA;
- (b) Remain fully liable to the Customer for the performance of each Sub-processor's obligations; and
- (c) Conduct appropriate due diligence on each Sub-processor's data protection practices before engagement and on an ongoing basis.
7.6 For the avoidance of doubt, ancillary services that do not involve the Processing of Personal Data on behalf of the Customer (such as telecommunications providers, postal services, and general business tools that do not access Consent Data) are not considered Sub-processors under this DPA.
8. Data Subject Rights
8.1 ConsentStack will assist the Customer in fulfilling its obligations to respond to Data Subject requests under applicable Data Protection Laws, taking into account the nature of the Processing.
8.2 The ConsentStack consent banner serves as the primary mechanism for End Users to exercise their right to withdraw or modify consent. End Users can re-open the banner at any time to change their preferences.
8.3 For other Data Subject rights (access, deletion, rectification, portability, restriction, and objection), ConsentStack will:
- (a) Provide the Customer with the ability to access and export consent records through the ConsentStack dashboard;
- (b) Promptly forward any Data Subject request received directly by ConsentStack to the Customer, without responding to the Data Subject directly unless instructed by the Customer; and
- (c) Provide reasonable technical assistance to the Customer in responding to such requests, to the extent the Customer is unable to do so independently using the Service.
9. Data Breach Notification
9.1 ConsentStack will notify the Customer of any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Data Breach") within 72 hours of becoming aware of the Data Breach.
9.2 The notification will include, to the extent reasonably available:
- (a) A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- (b) The likely consequences of the Data Breach;
- (c) A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects; and
- (d) The name and contact details of ConsentStack's point of contact for further information.
9.3 ConsentStack will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
9.4 Notifications to supervisory authorities under Article 33 GDPR or to Data Subjects under Article 34 GDPR are the responsibility of the Customer. ConsentStack will provide reasonable assistance to the Customer in making such notifications.
9.5 ConsentStack will bear the costs of breach investigation and remediation where the Data Breach resulted from ConsentStack's failure to comply with its obligations under this DPA. The Customer will bear such costs where the Data Breach resulted from the Customer's instructions or configuration.
10. Data Protection Impact Assessments
10.1 ConsentStack will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of the Processing and the information available to ConsentStack.
11. Data Deletion and Return
11.1 Upon termination of the Agreement, the Customer may request export of its Consent Data through the ConsentStack dashboard within 30 days of termination.
11.2 After the 30-day export period, ConsentStack will delete all Consent Data within 60 days, unless retention is required by applicable law.
11.3 ConsentStack may retain Consent Data in encrypted backups for up to an additional 30 days following the deletion period, after which all backup copies will be permanently deleted.
11.4 ConsentStack will provide written certification of deletion upon the Customer's request.
11.5 The Customer may request deletion of specific Consent Data at any time during the term of the Agreement by contacting ConsentStack at [email protected] or using the deletion functionality available in the dashboard. ConsentStack will process such requests within 30 days.
12. Audit Rights
12.1 ConsentStack will make available to the Customer all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
12.2 ConsentStack will satisfy audit requests by providing compliance documentation, including:
- (a) This DPA and its Annexes;
- (b) Summaries of security assessments, penetration test results, and certifications (when available); and
- (c) Responses to reasonable written questions about ConsentStack's data protection practices.
12.3 If the documentation provided under Section 12.2 is insufficient, the Customer (or a qualified third-party auditor bound by confidentiality obligations) may conduct an audit of ConsentStack's facilities and records relevant to the Processing, subject to:
- (a) At least 30 days' prior written notice;
- (b) The audit being conducted during normal business hours and in a manner that minimizes disruption to ConsentStack's operations; and
- (c) The Customer bearing the costs of the audit, unless the audit reveals material non-compliance by ConsentStack with its obligations under this DPA, in which case ConsentStack will bear the reasonable costs.
12.4 On-site and remote audit rights under Section 12.3 are available to Customers on paid plans (Pro, Business, and Enterprise). Customers on the free plan (Basic) have access to the documentation-based audit rights described in Section 12.2.
12.5 ConsentStack may limit the scope and frequency of audits to once per twelve-month period, unless the Customer has reasonable grounds to believe a Data Breach has occurred or that ConsentStack is in material breach of this DPA.
13. International Data Transfers
13.1 ConsentStack processes Consent Data in the United States. A transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States occurs when the Service is used.
13.2 For transfers of Personal Data from the EEA, the parties agree to the EU Standard Contractual Clauses (Module 2: Controller to Processor), as set out in European Commission Implementing Decision (EU) 2021/914. The Annexes to this DPA serve as the appendices required by the SCCs. In the event of any conflict between this DPA and the SCCs, the SCCs will prevail with respect to the data transfers they govern.
13.3 For transfers of Personal Data from the United Kingdom, the parties agree to the UK International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office.
13.4 For transfers of Personal Data from Switzerland, the SCCs apply with the modifications required to comply with the Swiss Federal Act on Data Protection (FADP), including that the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority.
13.5 ConsentStack may rely on additional transfer mechanisms recognized under applicable Data Protection Laws, including adequacy decisions and the EU-US Data Privacy Framework, if and when applicable.
14. US State Privacy Laws
14.1 To the extent that ConsentStack processes Personal Data subject to the CCPA/CPRA, ConsentStack acts as a Service Provider (as defined under the CCPA) with respect to that Personal Data.
14.2 ConsentStack will not:
- (a) Sell or share Personal Data;
- (b) Retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Agreement, or as otherwise permitted by the CCPA;
- (c) Retain, use, or disclose Personal Data outside of the direct business relationship between ConsentStack and the Customer; or
- (d) Combine Personal Data received from the Customer with Personal Data received from any other source, except as permitted by the CCPA.
14.3 ConsentStack will assist the Customer in responding to consumer rights requests under the CCPA/CPRA and other applicable US state privacy laws.
14.4 The obligations in this Section apply equally to Personal Data subject to other US state privacy laws that impose processor or service provider obligations, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar laws.
15. Liability
15.1 The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except where such limitations are not permitted by applicable Data Protection Laws.
15.2 Nothing in this DPA limits either party's liability to Data Subjects under Article 82 of the GDPR or equivalent provisions of applicable Data Protection Laws.
16. Miscellaneous
16.1 This DPA may be amended by ConsentStack with 30 days' written notice to the Customer. If the amendment materially reduces the Customer's rights under this DPA, the Customer may object by terminating the Agreement within 30 days of receiving notice.
16.2 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
16.3 This DPA survives termination of the Agreement with respect to any Personal Data that ConsentStack continues to process.
16.4 This DPA is governed by the same governing law as the Agreement, except that the SCCs are governed by the law of the EU Member State specified in the SCCs.
Annex 1: Technical and Organizational Measures
The following measures are implemented by ConsentStack to protect Personal Data in accordance with Article 32 of the GDPR.
1. Confidentiality (Article 32(1)(b))
Physical access controls:
- All data is hosted in managed cloud infrastructure (Supabase on AWS). ConsentStack does not operate on-premises servers.
- Cloud providers maintain SOC 2 Type II certification and physical security controls including biometric access, 24/7 monitoring, and multi-factor entry.
Electronic access controls:
- All data transmission uses HTTPS with TLS 1.3 encryption.
- Database access is restricted via Row-Level Security (RLS) policies, ensuring team-scoped data isolation.
- Administrative access to production systems requires multi-factor authentication.
- Principle of least privilege applied to all system access.
Internal access controls:
- Access to production databases is restricted to authorized personnel only.
- Service accounts use scoped API keys with minimum required permissions.
- Audit trails maintained for administrative actions.
Encryption:
- Data in transit: TLS 1.3 for all connections.
- Data at rest: AES-256 encryption via AWS managed encryption (Supabase).
- Visitor identifiers hashed with SHA-256 before storage.
2. Integrity (Article 32(1)(b))
- Database constraints enforce relational integrity.
- Input validation at the application layer for all data inputs.
- Database access restricted to application service accounts; direct database manipulation requires authorized administrative access.
- Consent log records are append-only; records cannot be modified after creation.
- Configuration changes are versioned with full audit trail (created_by, published_by, timestamps).
3. Availability and Resilience (Article 32(1)(b))
- Application hosting: Vercel (global edge network with automatic failover).
- Database hosting: Supabase on AWS (managed PostgreSQL with high availability).
- CDN: Cloudflare (global content delivery network for SDK distribution).
- DDoS protection: Cloudflare Web Application Firewall (WAF) with rate limiting.
- Rate limiting: Applied to all public API endpoints to prevent abuse.
- Monitoring: Application health checks run every 2 minutes.
4. Recoverability (Article 32(1)(c))
- Automated database backups managed by Supabase (daily point-in-time recovery).
- Infrastructure-as-code deployment enables rapid service restoration.
- Serverless architecture eliminates single points of failure.
5. Pseudonymization (Article 32(1)(a))
- Visitor identifier hashing: Anonymous IDs generated by the SDK are hashed using SHA-256 on ConsentStack's servers before storage. The original identifier is discarded immediately.
- No IP address retention: IP addresses are processed transiently for geolocation (to determine the visitor's country and region for regulatory compliance) but are not stored in consent records. Only the derived country code is retained.
- Site-scoped identifiers: Visitor identifiers are unique to each Customer's site and cannot be correlated across different Customers.
- No cross-site tracking: ConsentStack cannot and does not track, fingerprint, or identify End Users across multiple Customers' websites.
- No direct identifiers: Consent records do not contain names, email addresses, account identifiers, or other directly identifiable information about End Users.
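Section 6.3 and this Annex describe the pseudonymization design (site-scoped SHA-256 hashing of the anonymous ID, transient IP use with only the country code retained, no direct identifiers). The following is an added illustration of those rules, not ConsentStack's own code; it assumes the site id is folded into the hashed input to achieve site scoping, uses a constructed request and event, and keeps only the fields Annex 3 lists as stored.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Fields of a consent log record that Annex 3 lists as stored. Only these
# survive into the persisted record; everything else is dropped.
RETAINED_FIELDS = frozenset({
    "visitor_id_hash", "consent_state", "event_type", "timestamp",
    "config_version", "country_code", "region", "consent_model",
    "device_type", "page_url", "domain", "language", "sdk_version",
})

# Request-level inputs used transiently (geolocation, bot filtering,
# language detection, CORS) that must never appear in a stored record.
TRANSIENT_FIELDS = frozenset({"ip", "user_agent", "accept_language", "origin"})


def pseudonymize(site_id: str, anon_id: str) -> str:
    """One-way, site-scoped pseudonym for an SDK-generated anonymous ID.

    Folding the site id into the hashed input is an assumption about how
    scoping is achieved (the DPA only states identifiers are site-scoped);
    it makes the same anonymous ID map to unrelated values on different
    sites. The caller discards anon_id once this returns.
    """
    material = f"site:{site_id}|anon:{anon_id}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_consent_record(site_id: str, request: dict, event: dict,
                         now: Optional[datetime] = None) -> dict:
    """Turn a raw consent event plus its transient request context into the
    minimized record that is persisted. The IP address contributes only the
    country code the edge already derived; the raw address is never copied.
    """
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "visitor_id_hash": pseudonymize(site_id, event["anon_id"]),
        "consent_state": dict(event["consent_state"]),
        "event_type": event["event_type"],
        "timestamp": ts.isoformat(timespec="seconds"),   # server-side UTC
        "config_version": event["config_version"],
        "country_code": request["geo_country"],          # derived, not the IP
        "region": event.get("region"),
        "consent_model": event.get("consent_model"),
        "device_type": request.get("device_type", "unknown"),
        "page_url": event["page_url"],
        "domain": site_id,                               # configured site domain
        "language": event.get("language"),
        "sdk_version": event.get("sdk_version"),
    }
    # Defensive check: no transient field and no raw anonymous ID may leak.
    leaked = (set(record) - RETAINED_FIELDS) | (set(record) & TRANSIENT_FIELDS)
    if leaked:
        raise ValueError(f"record contains non-retained fields: {sorted(leaked)}")
    if any(v == event["anon_id"] for v in record.values() if isinstance(v, str)):
        raise ValueError("raw anonymous ID must not be stored")
    return record


def is_cross_site_linkable(anon_id: str, site_a: str, site_b: str) -> bool:
    """True if the same anonymous ID yields the same stored pseudonym on two
    sites, i.e. if consent records could be joined across Customers."""
    return pseudonymize(site_a, anon_id) == pseudonymize(site_b, anon_id)


# Constructed sample input for the example (not real visitor data).
SAMPLE_REQUEST = {
    "ip": "203.0.113.7",               # documentation (TEST-NET-3) address
    "geo_country": "DE",               # derived at the edge from the IP
    "user_agent": "Mozilla/5.0 (example)",
    "accept_language": "de-DE,de;q=0.9",
    "origin": "https://shop.example",
    "device_type": "desktop",
}
SAMPLE_EVENT = {
    "anon_id": "3f9c2a7e-example-anon-id",
    "consent_state": {"analytics": True, "marketing": False},
    "event_type": "partial",
    "config_version": 4,
    "region": "gdpr-eu",
    "consent_model": "opt_in",
    "page_url": "https://shop.example/checkout",
    "language": "de",
    "sdk_version": "1.2.3",
}

if __name__ == "__main__":
    print(build_consent_record("shop.example", SAMPLE_REQUEST, SAMPLE_EVENT))
    print("linkable across sites:",
          is_cross_site_linkable(SAMPLE_EVENT["anon_id"], "shop.example", "blog.example"))
```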
6. Regular Review (Article 32(1)(d))
- Security practices reviewed and updated regularly.
- Personnel with access to Personal Data receive data protection training.
- Sub-processor security practices reviewed before engagement and periodically thereafter.
- Vulnerability assessments conducted on public-facing endpoints.
Annex 2: Sub-processor List
The Sub-processors authorized to process Personal Data on behalf of the Customer are listed on the Sub-processor List page. ConsentStack maintains this list with each Sub-processor's name, function, categories of data processed, and hosting location.
Annex 3: Processing Description
Subject Matter and Duration
ConsentStack processes Consent Data on behalf of the Customer for the purpose of providing the consent management Service described in the Agreement. Processing continues for the duration of the Agreement and the post-termination period described in Section 11.
Nature and Purpose of Processing
Collection, recording, organization, storage, retrieval, and use of consent records for the purpose of:
- Providing proof of consent for regulatory compliance;
- Enabling End Users to manage their consent preferences;
- Providing consent analytics to the Customer (consent rates, device and geographic breakdown, trends);
- Detecting and categorizing third-party scripts on the Customer's website;
- Enforcing consent-based script blocking.
Categories of Data Subjects
End Users: Visitors to the Customer's website who are presented with or interact with a consent banner.
Categories of Personal Data
Data Processed Before Consent (Transient — Not Retained)
- IP address — Geolocation detection (country/region) and network routing. Not stored; processed transiently by Cloudflare infrastructure. Only the derived country code is retained.
- User-Agent header — Bot and synthetic traffic filtering. Not stored during config request.
- Accept-Language header — Language detection for banner display. Not stored.
- Origin header — Domain validation (CORS). Not stored.
Data Stored After Consent (in Consent Log Records)
- Pseudonymous visitor identifier (hashed) — Correlate consent events for a single visitor within one site.
- Consent state — Record which categories were accepted or rejected.
- Event type and action — Record the nature of the consent event (initial, opt_in, opt_out, partial, acknowledge).
- Timestamp — Record when consent was given (server-side UTC).
- Configuration version — Associate consent with a specific banner version.
- Country code — Regulatory jurisdiction determination.
- Region identifier — More specific regulatory zone (e.g., gdpr-eu, ccpa).
- Consent model — Regulatory model applied (opt_in, opt_out, notice_only).
- Browser and OS — Consent analytics (device breakdown).
- Device type — Consent analytics (desktop, mobile, tablet).
- Page URL — Record where consent was given.
- Domain — Record which domain consent was given on.
- Banner interaction type — Analytics on how End Users interact with the banner (accept_all, reject_all, save_preferences).
- Time to action (ms) — Analytics on banner engagement timing.
- Banner position — Analytics on banner layout effectiveness.
- Language — Record the language in which consent was presented.
- SDK version — Technical diagnostics.
Data Stored for Script Detection
- Script domain — Identify third-party scripts on Customer's site.
- Sample script URL — Provide context for script categorization.
- Page paths — Record where scripts were detected.
- Auto-detected category — Suggest consent category for script.
Retention Periods
- Consent log records — Retained during the term of the Agreement according to the Customer's plan tier as described in the Terms of Service (Basic: no long-term retention; Pro: 30 days; Business: 365 days; Enterprise: custom). After termination, the post-termination retention and deletion schedule in Section 11 applies.
- Script detection records — Retained for the duration of the Agreement. Deleted after the post-termination period described in Section 11.
- Client-side consent state — Configurable TTL (default: 365 days). Expires on TTL expiry or End User browser action.
- Client-side visitor identifier — Session or persistent (browser-managed). Removed by browser action (clear storage).
Annex 4: International Transfer Mechanisms
EU Standard Contractual Clauses (Module 2: Controller to Processor)
The parties agree to the EU Standard Contractual Clauses as set out in European Commission Implementing Decision (EU) 2021/914, Module 2 (Transfer controller to processor), which are incorporated by reference into this DPA.
Clause-specific elections:
- Clause 7 (Docking clause): Not included.
- Clause 9(a) (Sub-processor authorization): Option 2 (General written authorization) applies. ConsentStack will inform the Customer of changes to Sub-processors with at least 30 days' notice, as described in Section 7 of this DPA.
- Clause 11 (Redress): The optional language is not included.
- Clause 13 (Supervision): Where the data exporter is established in an EU Member State, the supervisory authority of that Member State is the competent authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR under Article 3(2), the supervisory authority of the Member State designated by the data exporter under Article 27(1) is the competent authority.
- Clause 17 (Governing law): Option 1 — the law of Ireland.
- Clause 18(b) (Forum): The courts of Ireland.
Annex I.A (List of Parties): As set out in this DPA — the Customer is the data exporter (Controller) and ConsentStack LLC is the data importer (Processor).
Annex I.B (Description of Transfer): As set out in Annex 3 (Processing Description) of this DPA.
Annex I.C (Competent Supervisory Authority): As determined under Clause 13 above.
Annex II (Technical and Organizational Measures): As set out in Annex 1 (TOMs) of this DPA.
UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference. The ICO is the competent supervisory authority for UK transfers.
Swiss Addendum
For transfers of Personal Data from Switzerland, the SCCs apply with the following modifications: (a) references to "Regulation (EU) 2016/679" are interpreted as references to the Swiss FADP; (b) references to the "competent supervisory authority" mean the Swiss Federal Data Protection and Information Commissioner (FDPIC); (c) references to "Member State" are interpreted as references to Switzerland; and (d) the governing law and forum are those of Switzerland.