Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Easy RFP ("Processor", "we", "us") and you, the customer ("Controller", "you"). It governs the processing of personal data that Easy RFP carries out on your behalf in the course of providing the Easy RFP platform and related services (the "Service"). This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable United Kingdom data protection law.
1. Definitions
Terms used in this DPA have the meanings given to them in Article 4 GDPR. In particular: "Personal Data" means any information relating to an identified or identifiable natural person; "Processing" means any operation performed on Personal Data; "Data Subject" means the individual to whom Personal Data relates; "Sub-Processor" means any processor engaged by Easy RFP to assist in fulfilling obligations under this DPA; "SCCs" means the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914.
2. Subject Matter, Duration, and Nature of Processing
Subject matter. Easy RFP processes Personal Data on your behalf solely to provide the Service as described in the Terms and Conditions and in your documented instructions (including instructions embedded in the Service's user interface).
Duration. Processing continues for the term of your subscription and, after termination, for up to 30 days during which data is held for recovery before deletion or anonymisation, except where retention is required by law (e.g. tax records).
Nature and purpose. Processing is performed to enable the creation, distribution, and management of Requests for Proposals (RFPs), comparison of hotel responses, communication between planners and hotels, billing, service analytics, and support.
3. Categories of Data Subjects and Personal Data
| Category of Data Subject | Types of Personal Data |
|---|---|
| Controller's employees and authorised users | Name, work email, job title, authentication data, usage telemetry |
| Attendees or event participants entered by Controller | Name, dietary requirements (if entered), room allocation preferences |
| Hotel sales contacts receiving RFPs | Name, work email, phone number (if provided), response metadata |
| Controller's billing contact | Name, billing email, company address, VAT ID, payment method (processed by Stripe) |
Easy RFP does not knowingly process special categories of personal data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR) as part of the Service. You must not upload such data to the Service.
4. Controller and Processor Obligations
Your obligations as Controller. You warrant that (a) you have a valid legal basis under Article 6 GDPR for all Processing you instruct; (b) you have provided any notices and obtained any consents required under Articles 7, 13 and 14 GDPR from Data Subjects; (c) your instructions to Easy RFP comply with applicable data protection law; and (d) hotel sales contacts you import have been collected lawfully for B2B outreach (legitimate interest under Art. 6(1)(f)) and you offer an easy opt-out.
Our obligations as Processor. Easy RFP will: (a) process Personal Data only on your documented instructions, except where required by EU or Member State law; (b) ensure that personnel authorised to process Personal Data are bound by confidentiality; (c) implement the technical and organisational measures described in Section 7; (d) assist you in fulfilling obligations under Articles 32-36 GDPR, including data subject requests; (e) notify you without undue delay of any Personal Data breach; and (f) inform you immediately if an instruction appears to infringe GDPR or other applicable law.
5. Sub-Processors
You provide general authorisation for Easy RFP to engage the sub-processors listed below. Easy RFP will notify you of any intended addition or replacement of sub-processors by email and/or via the Service at least 30 days in advance. You may object in writing for a legitimate reason, in which case we will discuss a mutually acceptable resolution or, failing that, you may terminate the affected Service without penalty.
| Sub-Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Supabase | Primary database, authentication, edge functions | EU (eu-west-2, Ireland) | EEA |
| Cloudflare | CDN, DDoS protection, static hosting (Pages) | Global edge network | SCCs + EU-US DPF |
| Stripe Payments Europe Ltd | Payment processing, invoice and VAT handling | EU/US | SCCs + EU-US DPF |
| Resend | Transactional email delivery (RFPs, reminders, notifications) | EU/US | SCCs |
| MailerLite (UAB Mailerlite) | Consent-based marketing email, newsletter | EU (Lithuania) | EEA |
| PostHog Inc. | Product analytics, session-level usage metrics | EU (Frankfurt) | EEA |
| Google Ireland Ltd (GA4 / GTM) | Website analytics and tag management (consent-gated) | EU/US | SCCs + EU-US DPF |
| Anthropic PBC (Claude API) | AI text generation for RFP drafts and reply classification | US | SCCs; zero-retention configuration |
Easy RFP remains fully liable to you for the acts and omissions of its sub-processors. Each sub-processor is bound by a written contract imposing data protection obligations no less protective than those in this DPA.
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or the United Kingdom, Easy RFP relies on one or more of the following safeguards: (a) a European Commission adequacy decision; (b) the EU-US Data Privacy Framework, where the recipient is certified; or (c) the Standard Contractual Clauses published by the European Commission in Decision 2021/914, supplemented where appropriate by the UK Addendum issued by the Information Commissioner's Office. A copy of the safeguards in place for any specific sub-processor is available on request at [email protected].
7. Security Measures (Article 32 GDPR)
Easy RFP implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit: TLS 1.2+ required for all connections; HSTS enabled on all domains.
- Encryption at rest: AES-256 on database storage and backup volumes.
- Access control: Role-based access control (RBAC) inside the platform; least privilege for Easy RFP staff; multi-factor authentication enforced on all administrative accounts.
- Secret management: API keys and secrets stored in managed secret stores; rotated on suspicion of compromise.
- Row-level security: Database policies ensure a workspace cannot read or modify another workspace's data.
- Audit logging: Administrative actions and access to Personal Data are logged and retained for 12 months.
- Rate limiting: Sign-up and sensitive endpoints are rate-limited to mitigate abuse.
- Backups: Automated daily backups of the primary database; point-in-time recovery available for 7 days.
- Vulnerability management: Dependencies monitored; patches applied within 7 days of disclosure for high-severity issues.
- Staff training: Data protection awareness training for all staff with access to Personal Data.
- Incident response: Documented runbook for security incidents and breach notification.
8. Assistance with Data Subject Requests
Easy RFP will assist you, taking into account the nature of the Processing and insofar as possible, by appropriate technical and organisational measures, in responding to requests from Data Subjects exercising rights under Articles 15-22 GDPR. The Service provides self-service export (JSON/CSV), rectification, and deletion tools in your account settings. For requests that cannot be fulfilled through these tools, contact [email protected] and we will respond within 10 working days.
9. Personal Data Breach Notification
Easy RFP will notify you without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting your data. The notification will include, to the extent known at the time: (a) the nature of the breach, including categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) measures taken or proposed to address the breach and mitigate possible adverse effects; and (d) contact details of the Easy RFP security contact. Easy RFP will cooperate reasonably with you in any subsequent notifications to supervisory authorities or Data Subjects.
10. Audit Rights
Easy RFP will make available to you all information necessary to demonstrate compliance with Article 28 GDPR and this DPA. This includes providing, on reasonable request and no more than once per calendar year (unless a Personal Data breach has occurred), the most recent independent security assessment summaries, penetration test executive reports, and SOC-style control descriptions where available. Where you, as Controller, reasonably require an on-site audit, the parties will agree in advance on scope, timing, duration, confidentiality and cost, with you bearing the reasonable costs of the audit.
11. Return and Deletion
At your choice, Easy RFP will delete or return all Personal Data to you after the end of the provision of services, and will delete existing copies unless EU or Member State law requires storage of the Personal Data. You may initiate deletion at any time through the "Delete workspace" action in your account settings or by emailing [email protected]. Deletion is completed within 30 days of the confirmed request, subject to the retention periods in the Privacy Policy for records required by law (e.g. 7 years for invoicing).
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions. Nothing in this DPA limits either party's liability to Data Subjects under the GDPR.
13. Changes to this DPA
Easy RFP may update this DPA from time to time to reflect changes in sub-processors, technical measures, or applicable law. Material changes will be communicated at least 30 days in advance by email or prominent in-product notice. Continued use of the Service after a material change constitutes acceptance of the updated DPA.
14. Governing Law
This DPA is governed by the laws of Spain. Disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the courts of Barcelona, Spain, without prejudice to any mandatory consumer protection or data protection provisions of Member State law that may apply.
15. Contact
Questions about this DPA, sub-processor changes, or compliance matters: [email protected]. A countersigned copy of this DPA on your paper is available on request.