Data Processing Agreement
Last updated: April 11, 2026
The 30-second version
You're the controller, we're the processor, the data lives in Frankfurt, and we'll tell you within 48 hours if anything goes sideways. Sub-processors are listed by name. The numbered sections are GDPR Article 28 in legal-speak.
1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data (you, the customer). "Processor" means CarbonTrace (operated by Simplinity, The Netherlands), which processes personal data on behalf of the Controller. "Sub-processor" means a third party engaged by the Processor to process personal data. "Personal Data" and "Processing" have the meanings given in GDPR Article 4.
2. Scope and purpose
This DPA applies to all processing of personal data by CarbonTrace on behalf of the Controller in connection with the CarbonTrace carbon footprint calculation and reporting service. The categories of data processed include: account information (name, email), organisation details, IT asset data, calculation results, and usage metadata. Data subjects include the Controller's employees and authorised users.
3. Processor obligations
CarbonTrace shall: process personal data only on documented instructions from the Controller (including the Terms of Service and this DPA); ensure that persons authorised to process personal data are bound by confidentiality obligations; implement appropriate technical and organisational security measures (see Section 7); assist the Controller in responding to data subject requests; delete or return all personal data upon termination of the service, at the Controller's choice; and make available all information necessary to demonstrate compliance.
4. Controller obligations
The Controller shall: ensure it has a lawful basis for processing personal data submitted to CarbonTrace; provide instructions that comply with applicable data protection law; and promptly notify CarbonTrace of any changes affecting data processing requirements.
5. Sub-processors
CarbonTrace uses the following sub-processors: Supabase Inc. (database and authentication, EU region eu-west-1), Vercel Inc. (application hosting and edge network), Mollie B.V. (payment processing, The Netherlands), and Resend Inc. (transactional email delivery). CarbonTrace will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor by contacting privacy@carbontrace.cloud within 14 days. Each sub-processor is bound by a data processing agreement with obligations no less protective than this DPA.
6. International transfers
Primary data storage is in the European Union (Frankfurt, eu-west-1). Where personal data is transferred outside the EU/EEA (e.g., Vercel edge functions in non-EU regions), CarbonTrace ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission. Transfer Impact Assessments are available upon request.
7. Security measures
CarbonTrace implements: encryption in transit (TLS 1.3) and at rest (AES-256); row-level security on all database tables; hash-chained, append-only audit logging with 7-year retention; access controls with role-based permissions; regular security reviews; and automated vulnerability scanning. A detailed security overview is available upon request at security@carbontrace.cloud.
8. Data subject rights
CarbonTrace provides technical measures to assist the Controller in fulfilling data subject requests under GDPR Articles 15–22: self-service data export (Art. 20 portability), self-service account deletion (Art. 17 erasure), profile editing (Art. 16 rectification), and audit log access for accountability. Users can exercise these rights directly from Settings → Privacy & Data.
9. Data breach notification
CarbonTrace will notify the Controller of a personal data breach without undue delay and in any event within 48 hours of becoming aware of it. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach. All breaches are recorded in the audit log.
10. Audits and inspections
CarbonTrace shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, subject to reasonable advance notice (at least 30 days) and during normal business hours. CarbonTrace may offer an independent third-party audit report as an alternative. Audit costs are borne by the Controller unless the audit reveals non-compliance by CarbonTrace.
11. Duration and termination
This DPA is effective for the duration of the CarbonTrace service agreement. Upon termination, CarbonTrace will delete all personal data within 30 days, unless retention is required by applicable law (e.g., audit logs retained for 7 years under Dutch accounting regulations). The Controller may request a data export before termination.
12. Governing law
This DPA is governed by the laws of The Netherlands. Any disputes shall be resolved in the courts of The Netherlands, without prejudice to the data subject's right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
13. Contact
For questions about this DPA or to exercise your rights: privacy@carbontrace.cloud. Data Protection contact: Simplinity, The Netherlands.
Need a signed copy? Contact us or email privacy@carbontrace.cloud.