Data Processing Agreement
This standard DPA governs the processing of personal data by drpr on behalf of organisations subject to GDPR.
Effective date: 1 May 2026
Need a countersigned copy?
Email security@drpr.host and we will countersign and return this DPA within 2 business days.
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Controller: The organisation or individual (“Customer”) that uses the drpr service and determines the purposes and means of processing personal data.
- Processor: drpr (“drpr”, “we”, “us”), the operator of the drpr.host platform, acting as a data processor on behalf of the Customer.
This DPA supplements and forms part of the drpr Terms of Service and Privacy Policy.
2. Subject Matter and Duration
drpr processes personal data on behalf of the Customer solely to provide the drpr file-sharing service as described in the Terms of Service. Processing continues for the duration of the Customer's use of the service and ceases upon termination of the Customer's account or upon written request.
3. Nature and Purpose of Processing
drpr processes personal data for the following purposes:
- Storing and serving files uploaded by the Customer or Customer's end users
- Authenticating users via Google OAuth (where SSO is enabled)
- Enforcing access controls on Customer projects
- Providing account management and dashboard features
- Operating rate limiting and abuse prevention
4. Type of Personal Data
The personal data processed depends on how the Customer uses the service. It may include:
- Email addresses (for authenticated accounts)
- IP addresses (for rate limiting and security)
- Google Workspace email addresses (where SSO is enabled)
- Any personal data contained within files uploaded by the Customer or their end users
drpr does not intentionally collect sensitive categories of personal data. Customers are responsible for ensuring that files uploaded to drpr do not contain sensitive personal data unless appropriate safeguards are in place.
5. Categories of Data Subjects
- The Customer (account holder)
- The Customer's employees, contractors, or team members
- The Customer's end users or stakeholders who access shared links
6. Obligations of the Controller
The Customer agrees to:
- Process personal data in accordance with applicable data protection law, including GDPR where applicable
- Provide any necessary notices to data subjects and obtain any required consents before uploading personal data to drpr
- Ensure that instructions given to drpr are lawful and documented
- Not upload special category data (health, biometric, criminal, etc.) without appropriate legal basis and safeguards
7. Obligations of the Processor
drpr agrees to:
- Process personal data only on documented instructions from the Customer, unless required by law
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational measures to protect personal data, as described in our Security page
- Not engage sub-processors without informing the Customer (see Section 8)
- Assist the Customer in fulfilling data subject rights requests, to the extent technically feasible
- Notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer data
- Delete or return all personal data to the Customer upon termination of the service, and delete existing copies within 30 days unless retention is required by law
- Provide the Customer with all information necessary to demonstrate compliance with this DPA
8. Sub-processors
drpr engages the following sub-processors. We require all sub-processors to provide equivalent data protection guarantees to those in this DPA.
drpr will notify the Customer of any intended changes to sub-processors (additions or replacements) by updating this page and emailing affected customers where reasonably practicable. The Customer has the right to object to new sub-processors on reasonable grounds.
9. Data Subject Rights
drpr will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in fulfilling its obligation to respond to requests for exercising data subjects' rights under Chapter III of GDPR (access, rectification, erasure, portability, restriction, objection).
Customers can delete all personal data within their account at any time via the dashboard or by contacting security@drpr.host.
10. Security Measures
drpr implements and maintains appropriate technical and organisational security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and row-level security on all database queries
- Rate limiting and abuse prevention
- Periodic security reviews
Full details are available on our Security page.
11. Breach Notification
In the event of a personal data breach affecting Customer data, drpr will notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with the Customer's account. The notification will include, to the extent available:
- The nature of the breach and categories of data involved
- The approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
12. International Transfers
Personal data is primarily stored and processed within the European Economic Area (EEA). Where sub-processors are located outside the EEA (e.g., Stripe in the United States), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as required by GDPR Article 46.
13. Audit Rights
drpr will make available to the Customer all information necessary to demonstrate compliance with this DPA. drpr may fulfil audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II reports from our sub-processors) in lieu of Customer-conducted audits. Bespoke audits may be arranged by contacting security@drpr.host.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales, unless otherwise agreed in writing.
15. Contact
For questions about this DPA, data protection matters, or to request a countersigned copy, contact us at security@drpr.host.