Data Processing Agreement (DPA)

The Processor processes personal data solely for the purpose of providing the Service under the Terms & Conditions. Processing duration matches the contract duration plus the 30-day export retention period.

Storage, organization, structuring, consultation, transmission, deletion of documents, client data, electronic signatures and audit logs uploaded or generated by the Controller in the platform.

Identification data (name, email, phone), contract data (role, company), signature data (IP, timestamp, image), document content. Data subjects: clients, partners, employees and signers designated by the Controller.

Process data only on the Controller's documented instructions.

Ensure confidentiality of authorized personnel.

Implement appropriate technical and organizational measures (Art. 32 GDPR): encryption, access control, RLS, backups, monitoring.

Assist the Controller in responding to data subject requests.

Notify the Controller without undue delay of any security breach (within 48 hours).

On contract termination, delete or return data per the Controller's choice.

The Controller authorizes the following sub-processors: Supabase / Lovable Cloud (hosting, auth, storage), Lovable AI Gateway (AI processing), transactional email providers.

The Processor will give the Controller at least 30 days' notice before adding or replacing a sub-processor, allowing reasonable objection.

Any transfers outside the EEA rely on the European Commission's Standard Contractual Clauses or other GDPR-compliant mechanisms.

Upon reasonable request and once per year, the Processor will provide the Controller with information necessary to demonstrate compliance with its GDPR obligations.

Liability is governed by the Terms & Conditions and the mandatory provisions of GDPR.

MCD United Grup SRL · [contact@TBD] · DPO: [DPO: TBD]