Data Processing Agreement
Effective date: April 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and EthicsPortal (“Processor”) for the provision of the EthicsPortal whistleblower reporting platform (“Service”).
Need a signed copy? Contact support@ethicsportal.eu to request a countersigned PDF version of this DPA for your records.
1. Parties
Controller: The organization that subscribes to EthicsPortal and determines the purposes and means of processing personal data through the Service.
Processor: EthicsPortal, operated by Yaroslav Shmarov, ul. Obrzeżna 1A, 02-691 Warsaw, Poland. Contact: support@ethicsportal.eu.
2. Scope and purpose of processing
The Processor processes personal data on behalf of the Controller solely to provide the Service, which includes:
- Receiving and storing whistleblower reports
- Enabling secure communication between reporters and case handlers
- Managing case workflows (assignment, status tracking, resolution)
- Generating audit logs and compliance records
- Sending transactional email notifications to case handlers and organization administrators
- Processing payments for the Service
The Processor does not process personal data for any purpose other than providing the Service as instructed by the Controller.
3. Types of personal data processed
| Data category | Examples | Encrypted at rest |
|---|---|---|
| Reporter identity (optional) | Name, email address, phone number | Yes (non-deterministic) |
| Report content | Description of the reported concern | Yes (non-deterministic) |
| Communication content | Messages between reporter and case handler | Yes (non-deterministic) |
| File attachments | Documents, images, audio, video uploaded by reporters | Stored with metadata stripped |
| Access codes | Unique codes used by reporters to access their reports | Yes |
| Handler and admin data | Name, email address, role, organization membership | No (operational data) |
| Audit log entries | Timestamps, actor identity, action type | No (integrity-critical records) |
| Technical data | One-way hashed IP addresses (not reversible) for rate limiting only | Not applicable (hash, not personal data) |
4. Categories of data subjects
- Whistleblowers / reporters — individuals who submit reports through the portal (may be anonymous)
- Case handlers — individuals designated by the Controller to receive and manage reports
- Organization administrators — individuals who manage the Controller’s EthicsPortal account and settings
5. Duration of processing
The Processor processes personal data for the duration of the Controller’s subscription to the Service. Upon termination:
- The Controller may export their data before the subscription ends.
- Report data is retained according to the Controller’s configured retention period (12, 24, 36, or 60 months after report closure) and then permanently deleted.
- Upon written request, the Processor will delete all remaining Controller data within 30 days of subscription termination, unless retention is required by applicable law.
6. Obligations of the Processor
6.1 Processing instructions
The Processor processes personal data only on documented instructions from the Controller, unless required to do so by EU or member state law. If such a legal requirement arises, the Processor will inform the Controller before processing, unless the law prohibits such notification.
6.2 Confidentiality
All persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security measures
The Processor implements and maintains the technical and organizational measures described on the Security page, including:
- Non-deterministic encryption at rest for all sensitive report data
- No storage of IP addresses (one-way hashing for rate limiting only)
- Automatic file metadata stripping (EXIF, GPS, author data)
- Role-based access control with Pundit authorization policies
- Immutable audit trail for all actions
- Rate limiting on all public portal endpoints
- HTTPS/TLS for all connections
- CSRF protection
6.4 Sub-processors
The Processor uses the sub-processors listed in Section 8. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to the change; if no resolution is reached, the Controller may terminate the agreement.
6.5 Data subject rights
The Processor assists the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection) by providing the necessary technical capabilities within the Service.
6.6 Data breach notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
6.7 Data Protection Impact Assessments
The Processor assists the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities, to the extent that the Processor’s processing activities require such assistance.
6.8 Deletion and return of data
Upon termination of the Service, the Processor will, at the Controller’s choice:
- Return all personal data to the Controller in a structured, commonly used format (PDF export), or
- Delete all personal data and confirm deletion in writing
unless EU or member state law requires continued storage.
6.9 Audit rights
The Processor makes available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations. The Controller may conduct audits, including inspections, either directly or through a mandated auditor, subject to reasonable advance notice (at least 30 days) and during normal business hours. The Processor will cooperate with such audits.
7. Obligations of the Controller
The Controller is responsible for:
- Ensuring a lawful basis for processing personal data through the Service
- Providing required privacy notices to data subjects (EthicsPortal displays a privacy notice on the portal submission form)
- Configuring appropriate data retention periods within the Service
- Designating authorized handlers and administrators
- Responding to data subject requests, with assistance from the Processor as described above
8. Sub-processors
The following sub-processors are authorized as of the effective date of this DPA:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting, database | Nuremberg, Germany (EU) | Data processed entirely within EU |
| Stripe, Inc. | Payment processing | EU | No payment credentials stored by Processor; Stripe is PCI DSS Level 1 certified |
| Postmark (ActiveCampaign) | Transactional email delivery | US (with EU processing) | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. (R2) | File attachment storage | EU | Data stored in EU region |
The Processor does not use any other sub-processors for the processing of personal data. Marketing analytics (Cloudflare Web Analytics) are cookie-free and do not process personal data.
9. International data transfers
All primary processing of personal data occurs within the European Union (Hetzner, Germany). File storage is in the EU (Cloudflare R2). Payment processing occurs within the EU (Stripe).
Postmark (transactional email) processes data in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. Postmark is used only for handler/admin notifications — whistleblower-facing portal pages do not trigger email delivery to US-based processors.
No personal data is transferred to any country outside the EU/EEA without appropriate safeguards as required by GDPR Chapter V.
10. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the main service agreement between the parties.
11. Term and termination
This DPA takes effect when the Controller begins using the Service and remains in effect for as long as the Processor processes personal data on behalf of the Controller. The obligations in this DPA survive termination to the extent necessary to complete the deletion or return of personal data.
12. Governing law
This DPA is governed by the laws of the Republic of Poland, without regard to conflict of laws principles. The competent courts of Warsaw, Poland have exclusive jurisdiction over disputes arising from this DPA.
Contact
For questions about this DPA or to request a signed copy:
EthicsPortal, Yaroslav Shmarov, ul. Obrzeżna 1A, 02-691 Warsaw, Poland, 02-673 Warsaw, Poland, support@ethicsportal.eu