Data Processing Addendum (DPA)
Effective Date: May 31, 2026. This DPA establishes the terms for secure and compliant data processing.
Self-Hosting Legal Advantage
If you deploy the **Subkit Self-Hosted Community Edition**, you operate your own database and validation engine on your own servers. In this model, **Subkit never processes, receives, or has access to your customer data.**
Consequently, **no DPA is required for self-hosted installations**, giving you absolute data residency sovereignty with zero legal dependencies.
1. Introduction & Scope
This GDPR Data Processing Addendum ("DPA") forms part of the Terms of Service or Master Services Agreement available at subkit.io/terms (the "Agreement"), entered into by and between the Customer (the "data controller") and Subkit (the "data processor"), pursuant to which Customer has accessed Subkit Managed Cloud Services.
The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Customer Data in accordance with the requirements of Data Protection Legislation (specifically Regulation (EU) 2016/679 - General Data Protection Regulation).
2. Definitions
"Data Protection Legislation" means, as applicable, the GDPR (Regulation (EU) 2016/679), European Directives 95/46/EC and 2002/58/EC, and any subsequent amending or replacing legislation relating to the processing of personal data and privacy inside the European Union.
"Customer Data" means any data which is defined as 'personal data' under Data Protection Legislation processed by Subkit on behalf of the Customer in the course of providing Managed Cloud Services.
"Data Controller", "Data Processor", "Data Subject", and "Processing" shall be interpreted in accordance with the definitions set forth in the GDPR.
3. Roles & Compliance
The parties agree that Customer is the **Data Controller** and that Subkit is its **Data Processor** in relation to Customer Data. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provides or configures to be processed by Subkit pursuant to the Agreement.
4. Processor Obligations
In respect of Customer Data processed under this DPA, Subkit agrees to:
- Documented Instructions: Process Customer Data only in accordance with the documented instructions from the Customer. If Subkit is required to process the personal data for any other purpose provided by applicable law, Subkit will inform the Customer prior to the processing unless prohibited on important grounds of public interest.
- Technical & Organizational Measures: Implement and maintain appropriate technical and organizational security measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure.
- Sub-Processors: Hire third-party sub-processors only under strict written agreements containing terms substantially similar to this DPA. Subkit remains fully responsible for its Sub-Processors' compliance with these obligations.
- Confidentiality: Ensure that all Subkit personnel required to access Customer Data are informed of its confidential nature and have entered into binding confidentiality agreements.
- Data Subject Rights Support: Assist the Customer (insofar as possible, and at Customer's request and cost) in responding to data subject rights requests under the GDPR, including requests for rectification, access, erasure, or portability of personal data.
- Data Erasure: At the end of the term of Managed Services, upon Customer's request, securely destroy or return to the Customer all Customer Data within Subkit's possession or control.
- Security Incident Notification: If Subkit becomes aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to Customer Data (a "Security Incident"), it shall without undue delay notify the Customer and provide necessary details and mitigation updates.
5. Audits & Inspections
Subkit shall allow, no more than once every 12 months and at Customer's expense, the Customer or its authorized agents to conduct audits or inspections during the term of the Agreement, provided that Customer has given Subkit at least 30 days prior written notice. Such audit will be conducted during reasonable business hours with minimal disruption. For the avoidance of doubt, no direct logical access to Subkit's cloud networks, databases, or IT infrastructure hosting other customers will be permitted.
Annex 1: Details of the Data Processing
1. Subject Matter, Nature, and Purpose: Subkit processes Customer Data to provide App Store, Google Play, and Stripe in-app subscription receipt validation, cohort analytics, and entitlement state management.
2. Duration of Processing: The duration of processing will be the same as the duration of the provision of Managed Services under the Agreement.
3. Categories of Individuals: End-users of Customer's mobile and web applications who engage in subscription or billing activities.
4. Types of Personal Data processed by default:
- Unique, non-personally identifiable App User ID (created by Customer).
- Cryptographically signed Store Purchase Receipts (containing transaction ID, package purchased, and timestamps).
- IP Addresses (processed for local geolocation tax rendering, discarded or hashed immediately).
- Attribution tokens (e.g. AppsFlyer, Adjust, or Branch tokens configured by the Customer).
DPA Requests
For signed copies or custom DPAs, please contact compliance.