Data Processing Agreement
Effective Date: September 22, 2025
This Data Processing Agreement ("DPA") is entered into by and between:
- The Client ("Controller"), who has accepted the Korrero Terms and Conditions; and
- Kyrylo Yezholov, a sole proprietor operating as Korrero ("Processor").
This DPA is incorporated into and forms a part of the Korrero Terms and Conditions (the "Terms").
1. Definitions
- Terms such as "Personal Data", "Data Subject", "Processing", and "Personal Data Breach" shall have the meanings given to them in the GDPR.
- "Service" refers to the Korrero notification API and associated services provided by the Processor.
- "Controller Data" means the Personal Data contained within the content of notifications and media files processed by the Processor on behalf of the Controller through the Service.
2. Details of the Processing
This DPA applies to the processing of Controller Data as described below:
Processing Details
- Subject-Matter of Processing: The processing of notification content for delivery via the Korrero API.
- Duration of Processing: For the term of the Client's active subscription to the Service, subject to the data retention policies outlined in the Terms.
- Nature and Purpose of Processing: The Processor will process Controller Data for the sole purpose of providing the Service as instructed by the Controller, which includes transmitting, storing, and providing analytics for notifications.
- Type of Personal Data: The types of Personal Data are determined and controlled by the Controller in the content of the notifications they choose to send. This may include names, contact details, or any other information the Controller decides to transmit.
- Categories of Data Subjects: The Data Subjects are the end-users of the Controller's applications or services to whom the Controller directs notifications.
3. Obligations of the Processor (Korrero)
The Processor agrees to:
- 3.1.
Processing on Instructions: Only process Controller Data on the documented instructions of the Controller (i.e., using the API and service controls), unless required to do so by EU or Member State law.
- 3.2.
Confidentiality: Ensure that all personnel authorized to process Controller Data are bound by a duty of confidentiality.
- 3.3.
Security: Implement and maintain the appropriate technical and organizational security measures as described in Section 7 ("Security of Your Information") of the Korrero Privacy Policy. These measures are designed to protect Controller Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
- 3.4.
Sub-processing:- The Controller provides a general authorization for the Processor to engage third-party sub-processors to provide the Service.
- The Processor will maintain an up-to-date list of its sub-processors, which is provided below. The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
- 3.5.
Assistance to Controller: Considering the nature of the processing, assist the Controller by providing appropriate technical and organizational measures (such as the account deletion and data export tools) to help the Controller respond to Data Subject rights requests.
- 3.6.
Personal Data Breach: Notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Data.
- 3.7.
Deletion of Data: Upon termination of the Service by the Controller, delete all Controller Data from its systems in accordance with the retention periods specified in the Korrero Privacy Policy.
- 3.8.
Audits and Information: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, upon reasonable request.
Currently Authorized Sub-processors
| Service Provider | Purpose | Location |
|---|
| Hetzner Online GmbH | Hosting & File Storage | Germany / Finland, EU |
| Cloudflare | Security & Performance (CDN) | Global / US |
| Paddle | Payment Processing | Ireland / US |
| Google | Authentication, Email Delivery, Analytics | US |
4. Obligations of the Controller (The Client)
The Controller agrees that it is solely responsible for:
- Ensuring the lawfulness and accuracy of all Controller Data provided to the Processor.
- Having a valid legal basis for the processing of Controller Data and for sending notifications to Data Subjects.
- Providing all necessary notices and obtaining all necessary consents from Data Subjects as required by applicable data protection laws.
5. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Lithuania.
If you have any questions about this Data Processing Agreement, please contact us at [email protected].
© 2025 Korrero. All rights reserved.