NL EN

Data Processing Agreement.

Data Processing Agreement

proofn. Version 1.0 — June 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Controller: The customer ("Customer") who has accepted Proofn's Terms of Service and is identified in the associated account registration.

Processor: Proofn, a sole proprietorship registered in the Netherlands under the trade name Proofn.marketing, with registered office at Keizersgracht 123, 1015 CJ Amsterdam, the Netherlands. 

This DPA forms part of, and is incorporated into, the Terms of Service between the Customer and Proofn (the "Agreement").

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure or deletion.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Sub-processor" means any third party engaged by Proofn to process Personal Data on behalf of the Customer.
  • "Services" means the SEO task generation, dashboard, analytics integration and related services provided by Proofn under the Agreement.

3. Subject Matter and Duration

Proofn processes Personal Data on behalf of the Customer solely for the purpose of providing the Services as described in the Agreement. Processing takes place for the duration of the Agreement and ceases upon termination, subject to applicable retention obligations.

4. Nature, Purpose and Categories of Processing

4.1 Categories of data subjects

  • Customers (business owners, founders, employees) who use the Proofn platform.
  • Website visitors of the Customer whose data is collected via Google Search Console, Google Analytics 4 and Bing Webmaster Tools, as authorised by the Customer via OAuth.

4.2 Categories of personal data

  • Identification data: name, email address, password hash.
  • Session and authentication data: session tokens, IP addresses, user-agent strings.
  • Website performance data: search queries, page URLs, clicks, impressions, positions (via GSC/GA4/Bing APIs).
  • Business data: website URL, domain name, task history, dashboard metrics.
  • Communication data: support ticket content, email message content.
  • Consent records: IP address, device fingerprint, timestamp of consent.

4.3 Purposes of processing

  • Generating personalised SEO tasks based on the Customer's website data.
  • Providing the dashboard, analytics, and result-tracking features.
  • Sending transactional emails (weekly task emails, notifications, trial communications).
  • Operating and maintaining the Proofn platform and infrastructure.
  • Translating blog content between Dutch and English.
  • Generating AI-assisted blog content and SEO recommendations.

5. Obligations of Proofn (Processor)

Proofn shall:

  • Process Personal Data only on documented instructions from the Customer, including those set out in this DPA and the Agreement.
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures in accordance with Article 32 GDPR.
  • Notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting the Customer's data.
  • Assist the Customer, to the extent possible, in responding to data subject requests under Chapter III GDPR.
  • Delete or return all Personal Data upon termination of the Agreement, at the Customer's choice, unless EU or Member State law requires retention.
  • Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Customer or an authorised auditor.

6. Obligations of the Customer (Controller)

The Customer shall:

  • Ensure there is a valid legal basis for the processing of Personal Data before instructing Proofn.
  • Ensure that data subjects have been informed of the processing in accordance with Articles 13 and 14 GDPR.
  • Ensure that the OAuth authorisations granted to Proofn (Google Search Console, Google Analytics, Bing) are valid and in scope.
  • Notify Proofn promptly of any changes to instructions that affect the processing.

7. Technical and Organisational Security Measures

Proofn implements and maintains the following measures:

  • Data encryption at rest and in transit (TLS 1.2+).
  • Access controls and role-based authorisation within the platform.
  • Database hosted on Supabase (EU-Frankfurt), with automated backups retained for 14 days.
  • Off-site encrypted backups via Cloudflare R2.
  • Audit logging of consent records including IP, device, user-agent and timestamp.
  • Automated data retention: tickets soft-deleted after 60 days, trash purged after 10 days, data-export files deleted after 7 days.

8. Sub-processors

The Customer grants Proofn general authorisation to engage sub-processors. Proofn shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.

Proofn shall ensure sub-processors are bound by data protection obligations equivalent to those in this DPA. Where sub-processors are located outside the EEA, Proofn relies on Standard Contractual Clauses (SCCs) as the transfer mechanism under Article 46 GDPR.

Current sub-processors are listed in Annex A.

9. International Data Transfers

Several sub-processors are located in the United States. Transfers to these parties are governed by Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission. Copies of the applicable SCCs are available from each sub-processor's legal or privacy portal.

Sub-processors with EU-based processing: Supabase Inc. (Frankfurt) and DeepL SE (Germany). No SCC is required for these transfers.

10. Data Subject Rights

Upon receiving a verifiable data subject request, Proofn shall assist the Customer in fulfilling obligations under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). Proofn shall forward any data subject requests received directly to the Customer within 5 business days.

11. Personal Data Breaches

In the event of a Personal Data breach affecting Customer data, Proofn shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent available:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects concerned.
  • The categories and approximate number of records concerned.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach.

12. Term and Termination

This DPA enters into force on the date the Customer accepts the Agreement and remains in force for the duration of the Agreement. Upon termination, Proofn shall, at the Customer's election, delete or return all Personal Data within 30 days, unless applicable law requires continued retention.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in Amsterdam, the Netherlands.

14. Contact

For questions regarding this DPA or data protection matters, please contact:

Proofn — info@proofn.marketing Keizersgracht 123, 1015 CJ Amsterdam, the Netherlands

* Transfer governed by Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2).