AuthForge

Data Processing Addendum

Effective date: June 21, 2026 · Version 1.0

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Customer and EactiveNet, Inc. (“AuthForge”, “we”, “us”) and applies to the extent we process Personal Data on Customer’s behalf in providing paid Services. It reflects the parties’ agreement with respect to the Processing of Personal Data in accordance with the requirements of Data Protection Laws. A signed counterpart of this DPA is available for enterprise customers on request.

Contents

  • 1. Scope and roles of the parties
  • 2. Definitions
  • 3. Processing of Personal Data
  • 4. Confidentiality of personnel
  • 5. Security measures
  • 6. Sub-processors
  • 7. Data-subject requests
  • 8. Personal-data breach
  • 9. Audits and assessments
  • 10. International transfers
  • 11. Return and deletion
  • 12. Liability and order of precedence

1. Scope and roles of the parties

AuthForge is self-hosted. Personal Data relating to Customer’s End Users is Processed within Customer’s own environment and does not reach our systems; with respect to that data, Customer is the Controller and we are neither a Controller nor a Processor. This DPA governs only the limited Personal Data that we Process as a Processor on Customer’s behalf in the course of providing paid Services — for example, contact details and information contained in support communications. Customer is the Controller and we are the Processor with respect to such data, and each party will comply with its obligations under applicable Data Protection Laws.

2. Definitions

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the EU and UK GDPR and applicable U.S. state privacy laws. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR. “Sub-processor” means any Processor engaged by us to Process Personal Data on Customer’s behalf.

3. Processing of Personal Data

We will Process Personal Data only on Customer’s documented instructions, including as set out in the Terms and this DPA, and as necessary to provide the Services, unless required to do otherwise by law (in which case we will inform Customer unless legally prohibited). The subject matter is the provision of the Services; the duration is the term of the Terms; the nature and purpose is the operation and support of paid Services; the types of Personal Data are business contact details and the contents of support communications; and the categories of Data Subjects are Customer’s authorized representatives and personnel. We will notify Customer if, in our opinion, an instruction infringes Data Protection Laws.

4. Confidentiality of personnel

We ensure that personnel authorized to Process Personal Data are bound by appropriate obligations of confidentiality and are made aware of the confidential nature of the data and their responsibilities under this DPA.

5. Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, we implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including the measures described in our Security Policy: encryption in transit, access control on a least-privilege basis, network and application hardening, and logging and monitoring. We will assist Customer, taking into account the nature of Processing and the information available to us, in ensuring compliance with its security and impact-assessment obligations.

6. Sub-processors

Customer authorizes us to engage Sub-processors to Process Personal Data, provided that we impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and that we remain responsible for each Sub-processor’s performance. We maintain a current list of Sub-processors, which is available on request, and will give Customer notice of any intended addition or replacement of a Sub-processor with a reasonable opportunity to object on legitimate data-protection grounds.

7. Data-subject requests

Taking into account the nature of the Processing, we will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests by Data Subjects to exercise their rights. If we receive a request from a Data Subject in relation to Personal Data Processed under this DPA, we will advise the Data Subject to submit the request to Customer, who, as Controller, is responsible for responding. Where End User Personal Data resides solely within Customer’s Self-Hosted Deployment, Customer alone is able to, and is responsible to, action such requests.

8. Personal-data breach

We will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA, and will provide Customer with information reasonably available to us to assist Customer in meeting its own breach-notification obligations.

9. Audits and assessments

We will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, no more than once per year unless required by a supervisory authority or following a Personal Data Breach. We may satisfy audit requests by providing relevant third-party reports or summaries where available.

10. International transfers

Where Processing under this DPA involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not benefiting from an adequacy decision, such transfer is governed by the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, as applicable), which are incorporated into this DPA by reference and completed with the details set out herein, together with supplementary measures where required.

11. Return and deletion

Upon termination or expiry of the Services, and at Customer’s choice, we will delete or return the Personal Data we Process on Customer’s behalf and delete existing copies, unless retention is required by law, in which case we will protect the data and limit further Processing.

12. Liability and order of precedence

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. In the event of a conflict between this DPA and the Terms with respect to the Processing of Personal Data, this DPA controls; in the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.

This page loads zero third-party scripts, fonts, or trackers.

Copyright AuthForge 2026. All rights reserved. An EactiveNet, Inc. product.