AuthProxy
Sign in

Data Processing Agreement (DPA)

Last updated: February 23, 2026

By using AuthProxy, you agree to this Data Processing Agreement. This DPA forms part of the Terms of Service between you ("Controller") and SB TECH CONSULTING SASU ("Processor"). If you have a separately negotiated DPA, that agreement takes precedence.

1. Definitions

  • Controller: The customer (organization owner) who configures sites and determines which end users are authorized.
  • Processor: SB TECH CONSULTING SASU, operating the AuthProxy service.
  • Data Subject: End users who authenticate through the proxy.
  • Personal Data: As defined in Article 4(1) GDPR.
  • Processing: As defined in Article 4(2) GDPR.
  • Sub-Processor: Third-party service providers used by the Processor.

2. Scope of Processing

Data Types Processed

Data Category Examples Purpose
Authentication data End-user email addresses Access control, session management
Access logs IP address, geolocation (country/city), HTTP headers, timestamps, request URLs, HTTP method, response status Access monitoring, security audit trail
Session metadata Encrypted session tokens (AES-256-GCM) Session continuity
Configuration data Site settings, allowed email lists, OAuth provider config Service delivery

Processing activities: Authentication, authorization, access logging, session management, email notifications (access alerts), analytics aggregation.

Data subjects: End users of the Controller's websites protected by AuthProxy.

Duration: For the term of the service agreement, plus 30 days for data export after termination.

3. Obligations of the Controller

  • Ensure a lawful basis for collecting end-user data (typically legitimate interest or consent for protected sites)
  • Inform end users that authentication is handled by AuthProxy (processor)
  • Provide instructions to the Processor regarding data processing
  • Respond to data subject requests (with Processor assistance)

4. Obligations of the Processor

  • Process data only on documented instructions from the Controller (or as required by law)
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures:
    • AES-256-GCM encryption for session tokens
    • PII scrubbing in error monitoring (Sentry sendDefaultPii: false)
    • HTTP header stripping (X-Auth-*, X-AuthProxy-* stripped from incoming requests)
    • DDoS protection and WAF (Cloudflare)
    • TLS encryption in transit
    • Rate limiting on authentication endpoints
    • No plaintext credential storage
    • Per-customer origin secret header for backend protection
  • Assist the Controller with data subject rights requests
  • Delete or return all personal data upon termination (at Controller's choice)
  • Make available all information necessary to demonstrate compliance

5. Sub-Processors

Current authorized sub-processors:

Sub-Processor Purpose Location Safeguards
Cloudflare, Inc. Hosting, CDN, database (D1), cache (KV), analytics, WAF, TLS Global DPF EU-US, SCCs
PostHog, Inc. Aggregated analytics (anonymous mode only for proxy data) EU EU hosting
Resend, Inc. Transactional emails USA SCCs
Sentry (Functional Software, Inc.) Error monitoring (PII scrubbed) USA DPF EU-US, SCCs
LemonSqueezy, LLC Billing (Merchant of Record) USA SCCs
  • Processor will provide 30 days' written notice before adding or replacing a sub-processor.
  • Controller may object to a new sub-processor within 14 days of notice.
  • If the objection cannot be resolved, Controller may terminate the agreement.

6. Data Subject Rights

  • Processor will assist Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection).
  • Processor will notify Controller without undue delay upon receiving a direct request from a data subject.
  • Processor will not respond directly to data subjects except to redirect them to the Controller.

7. Data Breach Notification

  • Processor will notify Controller of any personal data breach within 72 hours of becoming aware.
  • Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach.
  • Processor will assist Controller in fulfilling breach notification obligations to supervisory authorities and data subjects.

8. Data Transfer Mechanisms

  • Primary data storage: Cloudflare D1 (EU region)
  • Cache: Cloudflare KV (globally distributed, encrypted)
  • Transfers outside EEA protected by:
    • EU-US Data Privacy Framework (Cloudflare, Sentry)
    • Standard Contractual Clauses (all US-based sub-processors)
    • AES-256-GCM encryption for all sensitive data at rest and in transit
  • Controller data residency: D1 database configured for EU region.

9. Audit Rights

  • Controller may audit Processor's compliance with this DPA once per year.
  • 30 days' written notice required before audit.
  • Audit conducted at Controller's expense.
  • Processor will provide reasonable cooperation and access to relevant records.
  • Audits limited to matters relevant to this DPA and conducted during normal business hours.
  • Processor may satisfy audit requests by providing: SOC 2 reports, penetration test summaries, or other third-party certifications.

10. Term and Termination

  • This DPA is effective for the duration of the service agreement.
  • Upon termination, Processor will:
    • Provide a 30-day window for Controller to export data
    • After the export window, delete all personal data within 30 days
    • Provide written confirmation of deletion upon request
  • Obligations regarding confidentiality and data protection survive termination.

11. Governing Law

This DPA is governed by French law. Disputes shall be submitted to the courts of Paris, France. In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to personal data processing.

Contact

For any questions regarding this DPA or personal data processing: [email protected].