Skip to content
Start free
Legal · DPA

Data Processing Agreement (GDPR Article 28)

When you use Ensaria for business purposes (most freelance work qualifies), you are the data controller and Ensaria is the data processor. This page documents the standard terms; a counter-signed PDF is available on request.

LAST UPDATED · 2026-05-21

1. Scope and purpose

This DPA applies to all personal data Ensaria processes on your behalf in the course of providing the Ensaria service (the “Service”), under the terms accepted at /terms. It supplements those terms with the controller/processor obligations required by Articles 28 and 32 of the EU General Data Protection Regulation (GDPR).

2. Roles and definitions

You are the “Controller” of the personal data you upload, generate, or otherwise process through the Service. Ensaria is the “Processor” of that data, processing it only on your documented instructions and for the purposes of providing the Service.

3. Categories of data processed

  • Account data — email address, name (if provided), avatar (if uploaded), authentication tokens.
  • Business data — projects, tasks, time entries, payment records, client names, and any free-text notes you create.
  • Usage data — request logs (IP, user-agent, route), retained for 30 days for abuse prevention.
  • Billing data — handled by Stripe (see subprocessors). Ensaria stores only a customer ID + subscription state.

4. Purposes and lawful basis

Ensaria processes Controller data exclusively for: (a) providing the Service as contracted, (b) responding to support requests, (c) maintaining service security and integrity, and (d) complying with applicable legal obligations. No marketing use. No third-party sharing outside the listed subprocessors.

5. Subprocessors

A current list of subprocessors is maintained at /subprocessors. Each subprocessor is bound by terms at least as protective as this DPA. Ensaria will notify Controllers of any new subprocessor at least 30 days before engaging them; Controllers may object in writing during that period.

6. Security measures (Article 32)

TLS 1.3 in transit, AES-256 at rest, Postgres row-level security per user, magic-link or OAuth authentication, continuous WAL backups with 7-day point-in-time recovery, EU-only data residency (Neon EU-Central, Frankfurt), and least-privilege access for all internal staff. See /security for the full technical detail.

7. Data subject rights

Ensaria assists the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) under Articles 15–21. End users can exercise these rights directly via in-product Export and Delete flows. For requests routed through the Controller, contact privacy@ensaria.com; response within 30 days.

8. International transfers

All Controller data is stored in the EU (Frankfurt). Transfers outside the EU occur only where a listed subprocessor requires it (e.g., Stripe US for billing processing), in which case Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 apply.

9. Breach notification

Ensaria will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting Controller data.

10. Audits

Controllers may, on reasonable written notice (at least 30 days), request evidence of Ensaria's compliance with this DPA. Where formal SOC 2 reports or equivalent third-party audits exist (Ensaria does not yet hold SOC 2 — see /security), they will be provided.

11. Term and termination

This DPA remains in force for the duration of the Controller's use of the Service. Upon termination, Controller data is retained for 30 days and then hard-deleted, except where retention is required by law (financial records: 7 years).

12. Requesting a signed copy

For a counter-signed PDF of this DPA on Ensaria letterhead, email privacy@ensaria.com with your Controller entity name and the email address on your Ensaria account. Standard turnaround is three business days.