Back

Data Processing Agreement (DPA) Template

Template for businesses using Anderro to process affiliate data

This template is provided for informational purposes. Businesses should review it with their legal counsel and adapt it to their specific needs and jurisdiction.

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is entered into between [Business Name] ("Data Controller") and Infinee s. r. o.("Data Processor", operating Anderro), Babuškova 3107/3, 821 03 Bratislava - Ružinov, Slovakia, IČO: 55986773, DIČ: 2122153110, collectively referred to as the "Parties."

1. Subject Matter and Duration

This DPA governs the processing of personal data by Anderro on behalf of the Data Controller in connection with the Anderro affiliate management platform. This DPA shall remain in effect for the duration of the underlying service agreement.

2. Nature and Purpose of Processing

Anderro processes personal data for the purpose of:

  • Tracking affiliate referrals using anonymous visitor IDs
  • Managing affiliate partnerships and commission records
  • Recording commission and payout metadata (payouts themselves are issued by the business directly to the affiliate, not by Anderro)
  • Sending transactional emails related to the affiliate program
  • Generating analytics and performance reports

3. Types of Personal Data

  • Affiliate marketer: email, name, profile information
  • End-user (customer): anonymous visitor ID only; email only when explicitly sent via tracking API
  • Payment data: transaction amounts and Stripe references (no card details)

4. Data Security Measures

Anderro implements appropriate technical and organizational measures:

  • All data transmitted over HTTPS/TLS encryption
  • Passwords hashed with bcrypt
  • Optional TOTP two-factor authentication
  • API key authentication with separate public/secret keys
  • Rate limiting and IP-based fraud protection
  • Automatic soft delete with 90-day retention period
  • Regular database backups

5. Sub-processors

Anderro uses the following sub-processors:

  • Stripe - Payment processing and payout transfers
  • Resend - Transactional email delivery
  • Hetzner/DigitalOcean - Infrastructure hosting

6. Data Subject Rights

Infinee s. r. o. will assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability) as required by applicable data protection laws. Requests should be directed to [email protected].

7. Data Breach Notification

Anderro will notify the Data Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach. The notification will include the nature of the breach, categories of data affected, and measures taken.

8. Return and Deletion of Data

Upon termination of the service agreement, Anderro will delete or return all personal data to the Data Controller within 30 days, except where retention is required by law.