Data Processing Agreement
Last updated: February 23, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SquirrelHQ ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual to whom the Personal Data relates.
3. Scope of Processing
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country. The categories of data processed include: contact information (names, email addresses, phone numbers), company data, engagement metrics, and any custom fields configured by the Controller.
4. Security Measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication (including multi-factor authentication)
- Regular security testing and vulnerability assessments
- Incident detection and response procedures
- Employee security awareness training
- Data backup and disaster recovery
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting and authentication | EU (Ireland) |
| Vercel | Application hosting and CDN | Global (EU primary) |
| Stripe | Payment processing | EU / US |
| Resend | Transactional email delivery | EU (Ireland) |
| DigitalOcean | Dedicated tenant infrastructure | EU (Amsterdam / Frankfurt) |
| Sentry | Error tracking (no PII stored) | EU |
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. The Controller can export all tenant data and delete accounts at any time through the platform's settings.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach.
8. Data Retention and Deletion
Upon termination of the service agreement or upon request, the Processor shall delete all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller can initiate immediate data deletion through the Account settings.
9. International Transfers
Personal Data is primarily stored and processed within the European Economic Area (EEA). Where transfers outside the EEA are necessary (e.g., certain sub-processors), the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Contact
For questions about this DPA or to exercise data protection rights, please contact us at privacy@squirrelhq.net or visit our contact page.