Data Processing Agreement (DPA)

In accordance with Art. 28 GDPR

This Data Processing Agreement applies to the processing of personal data within the scope of using the Affonso platform, provided by:

Affonso by ZASolution Ayrton Zinnanti
c/o Block Services, Stuttgarter Str. 106, 70736 Fellbach, Germany, Email: info@zaapp.io

– hereinafter referred to as "Processor" –
by customers of the Affonso platform – hereinafter referred to as "Controller".

1. Subject and Duration of the Agreement

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with Art. 28 GDPR. The data processing is limited to what is technically necessary for the operation of the Affonso platform. This Agreement remains in effect for the duration of the Controller's active use of the Processor's services.

2. Nature and Purpose of Processing

The Processor provides a software platform for affiliate program management. Personal data is processed solely to enable and support the provision of this service. This includes affiliate tracking, analytics, and automated referral attribution.

3. Types of Personal Data and Data Subjects

Data subjects may include:

  • End customers
  • Affiliates
  • Platform users (e.g. employees or contractors of the Controller)

Types of data processed may include:

  • Email addresses
  • IP addresses
  • Affiliate IDs and campaign parameters
  • Basic usage and event data
  • Referral and commission-related records
  • Payout and billing information provided by affiliates (e.g. IBAN, PayPal address – no credit card details)
  • Invoice data (e.g. company name, address, tax ID)
  • Optional user-submitted data via roadmap, feedback, or support tools

The Processor does not process special categories of data (Art. 9 GDPR).

4. Obligations of the Processor

The Processor ensures:

  • Personal data is processed only as necessary to provide the service and strictly according to the Controller's documented instructions
  • Appropriate technical and organizational measures (TOMs) are in place to protect data
  • Employees involved in data handling are bound by confidentiality and receive appropriate data protection training
  • Immediate notification to the Controller of any personal data breaches within 24 hours of becoming aware, including all relevant details for breach assessment and notification obligations
  • Assistance to the Controller in fulfilling data subject rights requests and regulatory compliance obligations
  • Regular review and updating of security measures to maintain appropriate protection levels

The Processor is not responsible for ensuring legal compliance of the Controller's data processing operations beyond the platform scope, including the lawfulness of data collection and the adequacy of consent mechanisms.

5. Sub-Processors

To deliver its services, the Processor uses selected sub-processors that support core platform functionality and may process personal data on behalf of the Controller:

  • Supabase Inc. – Data storage, authentication, and backend infrastructure (EU – Frankfurt region)
  • Vercel Inc. – Hosting and deployment of the web application (EU – Frankfurt region)
  • Plunk – Email delivery for platform-related communication (e.g. confirmations, invitations)
  • PostHog – Product usage analytics to improve core functionality (EU – Frankfurt region)
  • AWS – Cloud infrastructure and file storage (e.g. for reports or attachments) (EU – Frankfurt region)
  • Stripe Inc. – Optional payment processing if the Controller uses Stripe integration
  • Google Cloud Platform – Auxiliary infrastructure
  • Featurebase.app – Roadmap, changelog, feedback & help center

The Processor ensures that all sub-processors are selected with care and meet appropriate data protection standards. The Controller agrees to the use of these sub-processors. The Processor may update or replace sub-processors as necessary, provided the Controller is informed in a timely manner and may object on reasonable grounds.

6. Rights and Responsibilities of the Controller

The Controller remains responsible for compliance with data protection regulations, including data subject rights, and serves as the primary contact for data protection authorities. The Controller must ensure lawful processing by obtaining all necessary legal bases, including appropriate consent from data subjects where required by applicable law. The Controller is obligated to provide clear and comprehensive privacy notices to data subjects regarding the processing of their personal data through the Affonso platform.

The Controller must implement appropriate consent management mechanisms on their website and ensure that tracking functionality is only activated after obtaining proper user consent where required by law. The Controller is responsible for handling all data subject requests related to personal data processed through the platform and must promptly inform the Processor of any relevant requests that require technical assistance.

The Processor acts solely as a technical service provider and is not obligated to evaluate the lawfulness of the Controller's data inputs or outputs. The Controller acknowledges that proper implementation of privacy-compliant tracking mechanisms is their responsibility.

7. Data Access, Deletion and Controller Rights

The Controller may request access to data associated with their account through the platform interface or by contacting the Processor directly. The Controller has the right to receive confirmation of data processing activities and obtain copies of processed data in a structured, commonly used format.

Upon termination of services, personal data will be securely deleted or returned to the Controller as requested within 30 days, in accordance with standard retention schedules and legal obligations. The Processor will provide written confirmation of data deletion upon request.

8. Limitation of Liability

The Processor is liable only for damages resulting from willful or grossly negligent violations of its obligations. No liability is assumed for data loss or unauthorized access resulting from factors outside the Processor's reasonable control.

9. Final Provisions

This Agreement is governed by the laws of the Federal Republic of Germany. No signatures are required. The Agreement is deemed accepted by the Controller upon use of the Processor's services.