Data Processing Agreement
Version 2.2 · Article 28 UK GDPR Compliant
1. Parties
Data Controller: The customer or entity that uses Endorsr and determines the purposes and means of processing personal data.
Data Processor: BuiltByGo Ltd, operating Endorsr (endorsr.co), registered in England and Wales.
2. Scope
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Endorsr platform. It forms part of the Terms of Service and applies to all personal data processed through the platform.
3. Processing Details
4. Controller Obligations
The Controller warrants that it has obtained all necessary consents and has a lawful basis for processing personal data through the platform. The Controller is responsible for the accuracy and legality of the data it submits.
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure personnel are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior authorisation (see Schedule 2)
- Assist the Controller in fulfilling data subject rights requests
- Notify the Controller without undue delay, and in any case within the period set out in section 8, of any personal data breach
- Delete or return all personal data at the end of the service term
6. Sub-Processors
The Controller authorises the Processor to engage the sub-processors listed in Schedule 2. The Processor shall give at least 14 days' notice of any intended changes to this list.
7. Data Subject Rights
The Processor shall assist the Controller in responding to data subject access requests, rectification requests, erasure requests, and other rights under UK GDPR. Requests can be sent to [email protected].
8. Data Breach Notification
The Processor shall notify the Controller within 48 hours of becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, and remedial measures taken or proposed.
9. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1: Security Measures
Data at rest: AES-256 encryption for all database and storage data.
Data in transit: TLS 1.3 for all network communications.
Access control: Row-level security enforced at the database level. Privileged service-role credentials are used only by server-side edge functions and are not exposed to client applications.
Authentication: Multi-factor authentication available. Session management via Supabase Auth with configurable expiry.
Audit logging: Immutable, append-only audit log for all content review and administrative actions.
Infrastructure: Hosted on Supabase (Google Cloud Platform, US regions) and Cloudflare (global edge network).
Schedule 2: Sub-Processors
| Name | Service | Location |
|---|---|---|
| Supabase | Database, Auth, Edge Functions | US (GCP) |
| Stripe | Payment processing | US / EU |
| Cloudinary | Image hosting | US (AWS) |
| Mux | Video streaming | US / EU |
| Cloudflare | CDN, DNS, Workers | Global edge |
| Railway | Web application hosting | US |
| Resend | Email delivery | US / EU |
| PostHog | Product analytics (self-hosted) | US |
| Sentry | Error monitoring | US |
Note: Stripe, Sentry, and Railway are conditional sub-processors — only engaged if the Controller uses the relevant features.
Schedule 3: Controller Rights
This DPA does not limit the Controller's rights under UK GDPR or the Data Protection Act 2018. The Controller may request an audit of the Processor's compliance upon 30 days written notice, subject to confidentiality obligations and reasonable security restrictions.