Data Processing Agreement

Version 1.0 · Effective: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller", "Customer") and White Label Consultancy AS, operating as Pritect Beacon ("Processor", "we", "us"), for the provision of consent management services as described in the Terms of Service.

This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Pritect Beacon service, and such processing is subject to the European Union ("EU"), European Economic Area ("EEA"), United Kingdom ("UK"), or Swiss data protection laws.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person that is processed by us on your behalf under this DPA.
  • Processing: any operation performed on Personal Data, including collection, storage, retrieval, and deletion.
  • Data Subject: the individual to whom the Personal Data relates (typically your website visitors).
  • Sub-processor: any third party engaged by us to process Personal Data on your behalf.
  • Standard Contractual Clauses (SCCs): the contractual clauses approved by the European Commission for international data transfers.

2. Scope of Processing

Subject matter: Consent management, cookie scanning, consent record storage, and compliance reporting.
Duration: For the duration of the service agreement, plus any legally required retention periods.
Nature & purpose: Collecting, storing, and providing access to end-user consent decisions for the Customer's website(s).
Categories of data: Consent decisions, pseudonymised session IDs, hashed IP addresses, country of origin, user agent strings, page URLs, consent timestamps.
Data subjects: End users who visit the Customer's website(s) where the Pritect Beacon script is deployed.

3. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by applicable law.
  • Ensure that all persons authorised to process Personal Data are bound by obligations of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest, pseudonymisation (IP hashing), access controls, and regular security testing.
  • Assist you in fulfilling your obligations to respond to Data Subject requests (access, deletion, portability) through our DSR management features.
  • Assist you in ensuring compliance with breach notification obligations. We will notify you of any Personal Data breach without undue delay and no later than 72 hours after becoming aware of it.
  • Delete or return all Personal Data at the end of the service agreement, at your choice, unless retention is required by applicable law.
  • Make available all information necessary to demonstrate compliance and allow for audits and inspections.

4. Sub-processors

You provide general authorisation for us to engage sub-processors. We will inform you of any intended changes to sub-processors, giving you the opportunity to object. Our current sub-processors are:

Sub-processor | Purpose | Location
Supabase Inc. | Database hosting, authentication, edge functions | USA (EU region available)
Vercel Inc. | Application hosting, CDN, edge compute | USA (global edge)
Stripe Inc. | Payment processing (no consent data) | USA
Resend Inc. | Transactional email delivery | USA

5. International Data Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission Decision 2021/914.
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.
  • Swiss Federal Data Protection Act (nFADPA) compliant transfer mechanisms.

All sub-processors are bound by equivalent data protection obligations and transfer safeguards.

6. Data Retention

Consent records are retained for 5 years from the date of collection, in accordance with regulatory guidance for demonstrating consent validity. Scan results and cookie declarations are retained for the duration of the service agreement. Upon termination, data is deleted within 30 days unless you request earlier deletion or a longer retention period is legally required.

7. Security Measures

We implement the following technical and organisational measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • IP address pseudonymisation via SHA-256 hashing before storage
  • Consent record integrity verification via SHA-256 integrity hashes
  • Row-Level Security (RLS) ensuring strict tenant data isolation
  • Role-based access control (owner, admin, member, viewer)
  • Monthly partitioned consent tables for data lifecycle management
  • Rate limiting on public API endpoints
  • Regular access reviews and principle of least privilege

8. Data Subject Rights

We provide tools to assist you in responding to Data Subject requests, including:

  • Right of access: Consent records can be exported via the Reports section.
  • Right to erasure: DSR management enables processing of deletion requests.
  • Right to data portability: CSV export of all consent records.
  • Right to withdraw consent: End users can withdraw consent via the preference center at any time.

9. Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

10. Audit Rights

You may audit our compliance with this DPA by: (a) requesting our most recent security certifications or audit reports; (b) conducting a remote audit with reasonable advance notice (at least 30 days); or (c) engaging a qualified third-party auditor bound by confidentiality obligations.

11. Governing Law

This DPA shall be governed by the laws of Norway. Any disputes arising from this DPA shall be submitted to the exclusive jurisdiction of the courts of Oslo, Norway.

12. Contact

For questions about this DPA or to exercise your rights, contact us at: privacy@pritect.ai