Data Processing Agreement
Effective April 17, 2026
This Data Processing Agreement ("DPA") applies where Eccolo processes personal data on behalf of a maker ("Controller") in connection with providing the Service, and where such processing is subject to the GDPR or UK GDPR.
1. Definitions
"Personal Data," "Controller," "Processor," "Data Subject," and "processing" have the meanings given in the GDPR.
2. Roles
The maker is the Controller of personal data relating to their clients (including client names, email addresses, and project content). Eccolo acts as the Processor of that data, processing it solely to provide the Service.
3. Scope of Processing
- Data subjects: The maker's clients
- Types of data: Names, email addresses, uploaded files, portal activity logs
- Purpose: Providing the project portal, document storage, and communication tools described in the Terms of Service
- Duration: For as long as the maker's account is active, or as otherwise instructed
4. Our Obligations as Processor
We will:
- Process personal data only on the Controller's documented instructions (i.e. providing the Service)
- Ensure persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to Data Subject requests
- Notify the Controller without undue delay if we become aware of a personal data breach
- Delete or return all personal data upon termination of the Service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Sub-Processors
We use the following sub-processors to deliver the Service. By agreeing to this DPA you authorise their use:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database and file storage | USA |
| Stripe | Payment processing | USA |
| Resend | Email delivery | USA |
| Vercel | Hosting | USA |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object.
6. International Transfers
Where personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses as approved by the European Commission or UK ICO.
7. Security
We implement appropriate technical measures including encryption at rest and in transit, access controls, and regular security reviews.
8. Data Subject Rights
If we receive a request from a data subject relating to data you control, we will forward it to you promptly and assist where reasonably possible.
9. Breach Notification
We will notify you within 72 hours of becoming aware of a personal data breach affecting your data.
10. Governing Law
This DPA is governed by the laws of the State of California, USA, except where the GDPR or UK GDPR require otherwise.