Data Processing Addendum (“DPA”)
Effective Date: the date on which the Customer registers an account with Taplink.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service of Taplink and is entered into by and between:
Controller: the entity (you / Customer) using the Taplink service, who determines the purposes and means of Processing Personal Data.
Processor: Taplink LLC, a company incorporated under the laws of the State of Florida, United States, with registration number L25000240227 and registered office at 1314 E Las Olas Blvd Unit #2882, Fort Lauderdale, FL 33301, United States.
This DPA applies whenever the use of your Taplink account is subject to EU Data Protection Laws (including GDPR), and governs the Processing of Personal Data by the Processor on behalf of the Controller.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data (e.g. collection, storage, use, disclosure, erasure).
“Controller” means the entity that determines the purposes and means of Processing.
“Processor” means Taplink LLC when processing Personal Data on behalf of the Controller.
“Sub-processor” means any third party engaged by the Processor to assist in Processing.
“EEA” means the European Economic Area.
“SCCs” means the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914).
2. Roles of the Parties
- Controller: You (Customer).
- Processor: Taplink LLC.
The Controller determines the purposes and means of Processing. The Processor provides the Services under the Terms and processes Personal Data only on behalf of the Controller, in accordance with this DPA.
Taplink as independent Controller. For certain limited purposes necessary to operate, secure, and improve the platform, Taplink acts as an independent controller (not a processor), including to: (i) detect, prevent, and address abuse, fraud, or security incidents; (ii) perform service analytics and product improvement; (iii) enforce content standards and Terms; and (iv) set and operate Taplink-controlled cookies and similar technologies as described in our Privacy Notice (see also Section 10). For such processing, Taplink independently determines the purposes and means, relies on appropriate lawful bases (e.g., legitimate interests or legal obligations), and complies with applicable data protection laws. This carve-out does not affect Taplink’s obligations as a Processor for Customer Personal Data under this DPA.
3. Scope and Purpose of Processing
Purpose: providing, maintaining, and improving the Taplink platform: hosting content, storing user profiles, enabling payments, sending notifications, analytics, and similar functions.
Duration: until termination of the Customer account and deletion or return of data, unless retention is required by law.
Types of Data: name, email, IP address, device/browser identifiers, usage data, payment details (via third-party providers), communication data, content data.
Subjects: Customers (Taplink users), visitors of Taplink pages, end-users interacting via forms, payers/purchasers.
Data Location and Storage: Taplink uses GEO DNS technology to determine the customer’s region at the time of registration. Depending on the customer’s location, personal data is processed and stored on different servers:
- For customers located in the European Economic Area (EEA), data is stored within the European Union, specifically on infrastructure provided by DigitalOcean in the Netherlands (Amsterdam).
- For customers located outside the EEA, including the United States, data is stored on infrastructure provided by DigitalOcean in the United States (Santa Clara, California).
Taplink may also process Personal Data in accordance with the applicable laws of other jurisdictions, including the United States, where Taplink has a presence and where required by law.
4. Processor Obligations
Processor agrees to:
- process Personal Data only on documented instructions of Controller;
- ensure confidentiality of persons authorized to process data;
- implement appropriate technical and organizational security measures (Annex II);
- notify Controller without undue delay (within 72h where possible) of a Personal Data Breach;
- assist Controller in responding to data subject requests;
- delete or return all Personal Data upon termination, unless retention is required by law;
- provide evidence of compliance and allow audits subject to confidentiality.
5. Sub-processors
Controller authorizes Processor to engage Sub-processors listed in Annex I.
When Customers activate integrations with third-party services (e.g. Facebook Pixel, Mailchimp, Google Analytics), such services act as independent Controllers. In such cases, Taplink acts only as a technical facilitator. Responsibility for compliance lies with the Customer.
6. International Data Transfers
Where Personal Data is transferred outside the EEA to a country without an adequacy decision, Processor ensures that such transfers are subject to SCCs (Decision (EU) 2021/914).
SCCs are incorporated by reference and form part of this DPA (Annex III).
7. Data Subject Rights
Processor shall assist Controller in responding to:
- access, rectification, erasure (“right to be forgotten”);
- restriction of processing;
- data portability;
- objection to processing.
8. Personal Data Breach
Processor will notify Controller without undue delay, and where feasible within 72 hours, after becoming aware of a breach. The notification will describe:
- nature of the breach,
- affected data subjects and records,
- consequences,
- measures taken to mitigate risks.
9. Audit Rights
Controller may request documentation or certifications to verify compliance. Processor maintains records of processing and cooperates with Supervisory Authorities. Audits shall be limited to documentary reviews of security certifications and policies provided by Processor, no more than once in any 12-month period, on 30 days’ prior written notice, and at Controller’s expense, unless otherwise required by law or by a competent Supervisory Authority.
10. Cookies and Logs
Taplink uses cookies and similar technologies:
- Essential Cookies – platform functionality.
- Analytics Cookies – performance measurement (e.g. Google Analytics).
- Marketing Cookies – if enabled by Controller (e.g. Facebook Pixel).
End-users may refuse non-essential cookies via the cookie banner. Customers are responsible for ensuring proper notice and consent on their Taplink pages.
11. Governing Law
This DPA is governed by the laws of the State of Florida, United States, without prejudice to the mandatory provisions of EU Data Protection Laws which shall apply where relevant.
12. Execution
This DPA is an electronic agreement. Taplink executes it by publication at: https://taplink.at/fr/about/dpa.html
Controller accepts this DPA by registering an account and using Taplink’s services.
Annex I – Sub-processors
Infrastructure / Hosting
- DigitalOcean – Amsterdam, Netherlands (EU) – primary hosting for customers located in the EEA.
- DigitalOcean – Santa Clara, California, USA – primary hosting for customers located outside the EEA, including the United States.
- Cloudflare – USA / Global CDN – content delivery network and DDoS protection.
Payments
- Stripe – USA
- Paddle – UK / EU / USA
- LemonSqueezy – USA
Analytics
- Google Analytics – USA
Annex II – Security Measures
Encryption in transit: All data transmitted between customers and Taplink servers is encrypted using TLS/HTTPS.
Encryption at rest: User passwords are stored using strong one-way hashing algorithms.
Backups: Regular backups are maintained on mirrored infrastructure provided by DigitalOcean in Amsterdam (EU) and DigitalOcean in Santa Clara (USA), depending on customer region.
Access controls: Access to systems and databases is restricted to authorized employees only, protected with multi-factor authentication (MFA).
Monitoring and logging: System access and activities are logged and monitored.
Third-party infrastructure compliance: DigitalOcean and other infrastructure providers maintain industry certifications such as ISO 27001 and SOC 2.
Annex III – Standard Contractual Clauses
1. Incorporation of SCCs
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021, “EU SCCs”) are incorporated into this DPA by reference and shall apply to all transfers of Personal Data from the EEA to a third country without an adequacy decision under Article 45 GDPR.
2. Applicable Modules
- Module Two (Controller → Processor): applies where Customer acts as Controller and Taplink acts as Processor under this DPA.
- Module One (Controller → Controller): may apply where Taplink acts as an independent Controller, as described in Section 2 of this DPA.
3. Docking Clause
The optional docking clause (Clause 7 of the SCCs) is incorporated, permitting additional parties to accede to the SCCs where necessary.
4. Governing Law and Jurisdiction
- For purposes of Clause 17 of the SCCs, the parties select the law of Ireland.
- For purposes of Clause 18 of the SCCs, disputes shall be subject to the jurisdiction of the courts of Ireland.
5. UK Addendum
For data transfers subject to the UK GDPR, the UK Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner’s Office, and updated from time to time) shall apply, in conjunction with the EU SCCs above.
6. Full Text Reference
The full text of the EU SCCs is available at: https://taplink.at/fr/about/dpa.html