Data Processing Agreement
Last updated: March 26, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Vershun ("Processor") and you ("Controller").
1. Definitions
- "Personal Data" means any data relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
- "Processing" has the meaning given in Article 4(2) of the RGPD.
2. Scope
This DPA applies to the processing of Personal Data that you (as Controller) submit to Vershun, specifically:
- Subscriber email addresses
- Any personal data contained in changelog post content
3. Processor obligations
Vershun shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage sub-processors without prior consent (see section 5)
- Assist the Controller in fulfilling data subject rights requests
- Delete or return all Personal Data upon termination of the service
- Make available all information necessary to demonstrate compliance
4. Security measures
Vershun implements the following measures:
- Encryption in transit (TLS 1.2+)
- Encrypted storage (OVHcloud encrypted volumes)
- Access control (role-based, per-project)
- Regular backups (encrypted, stored in EU)
- Rate limiting and DDoS protection
- HTML sanitization (XSS prevention)
- No PII in application logs
- Passwordless authentication (no password storage)
5. Sub-processors
The Controller consents to the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| OVHcloud | Infrastructure hosting | France (EU) |
| Cloudflare Inc. | CDN, DNS | Global (EU SCCs) |
| Resend Inc. | Email delivery | USA (EU SCCs) |
| Stripe Inc. | Payment processing | USA (EU SCCs) |
Vershun will inform the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to the change.
6. International transfers
When Personal Data is transferred outside the EU/EEA, the transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Data breach notification
Vershun shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach.
8. Duration and termination
This DPA is effective for the duration of the Service agreement. Upon termination, Vershun will delete all Personal Data within 30 days.
9. Contact
DPA inquiries: [email protected]