Data Processing Agreement (DPA)
In accordance with Art. 28 GDPR
This Data Processing Agreement applies to the processing of personal data within the scope of using the Affonso platform, provided by:
Affonso by ZASolution Ayrton Zinnanti
c/o Block Services,
Stuttgarter Str. 106,
70736 Fellbach,
Germany,
Email: info@zaapp.io
– hereinafter referred to as "Processor" –
by customers of the Affonso platform – hereinafter referred to as "Controller".
1. Subject and Duration of the Agreement
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with Art. 28 GDPR. The data processing is limited to what is technically necessary for the operation of the Affonso platform. This Agreement remains in effect for the duration of the Controller's active use of the Processor's services.
2. Nature and Purpose of Processing
The Processor provides a software platform for affiliate program management. Personal data is processed solely to enable and support the provision of this service. This includes affiliate tracking, analytics, and automated referral attribution.
3. Types of Personal Data and Data Subjects
Data subjects may include:
- End customers
- Affiliates
- Platform users (e.g. employees or contractors of the Controller)
Types of data processed may include:
- Email addresses
- IP addresses
- Affiliate IDs and campaign parameters
- Basic usage and event data
- Referral and commission-related records
- Payout and billing information provided by affiliates (e.g. IBAN, PayPal address – no credit card details)
- Invoice data (e.g. company name, address, tax ID)
- Optional user-submitted data via roadmap, feedback, or support tools
The Processor does not process special categories of data (Art. 9 GDPR).
4. Obligations of the Processor
The Processor ensures:
- Personal data is processed only as necessary to provide the service
- Appropriate technical and organizational measures (TOMs) are in place to protect data
- Employees involved in data handling are bound by confidentiality
The Processor is not responsible for ensuring legal compliance of the Controller's data processing operations beyond the platform scope.
5. Sub-Processors
To deliver its services, the Processor uses selected sub-processors that support core platform functionality and may process personal data on behalf of the Controller:
- Supabase Inc. – Data storage, authentication, and backend infrastructure (EU – Frankfurt region)
- Vercel Inc. – Hosting and deployment of the web application (EU – Frankfurt region)
- Plunk – Email delivery for platform-related communication (e.g. confirmations, invitations)
- PostHog – Product usage analytics to improve core functionality (EU – Frankfurt region)
- AWS – Cloud infrastructure and file storage (e.g. for reports or attachments) (EU – Frankfurt region)
- Stripe Inc. – Optional payment processing if the Controller uses Stripe integration
- Google Cloud Platform – Auxiliary infrastructure
- Featurebase.app – Roadmap, changelog, feedback & help center
The Processor ensures that all sub-processors are selected with care and meet appropriate data protection standards.
The Controller agrees to the use of these sub-processors. The Processor may update or replace sub-processors as necessary, provided the Controller is informed in a timely manner and may object on reasonable grounds.
6. Rights and Responsibilities of the Controller
The Controller remains responsible for compliance with data protection regulations, including data subject rights. The Processor acts solely as a technical service provider and is not obligated to evaluate the lawfulness of the Controller's data inputs or outputs.
7. Data Access and Deletion
The Controller may request access to data associated with their account. Upon termination of services, personal data will be deleted automatically in accordance with standard retention schedules and legal obligations.
8. Limitation of Liability
The Processor is liable only for damages resulting from willful or grossly negligent violations of its obligations. No liability is assumed for data loss or unauthorized access resulting from factors outside the Processor's reasonable control.
9. Final Provisions
This Agreement is governed by the laws of the Federal Republic of Germany. No signatures are required. The Agreement is deemed accepted by the Controller upon use of the Processor's services.