Last updated: May 15, 2026.
This Data Processing Addendum ("DPA") forms part of the Terms of Use of ConsentFly and governs the processing of personal data by ConsentFly on behalf of the Customer, in accordance with the LGPD (Law No. 13.709/2018, in particular Art. 39) and the GDPR (Regulation (EU) 2016/679, in particular Art. 28).
This DPA applies automatically to any Customer using ConsentFly to collect or store personal data of visitors on their own sites and/or to emit events via webhooks or exports. Customers who require a countersigned paper DPA should write to suporte@consentfly.com.br.
1. Definitions
- Controller: the natural or legal person that decides on the processing of personal data — in this DPA, the Customer.
- Processor: the natural or legal person that processes personal data on behalf of the Controller — in this DPA, ConsentFly.
- Personal Data: any information relating to an identified or identifiable natural person processed in the context of the service.
- Data Subject: the natural person to whom the personal data relates — typically visitors of the Customer's sites.
- Subprocessor: a third party engaged by the Processor to process personal data in support of the service.
- Incident: a security breach causing unauthorized access, loss, destruction, alteration, or accidental or unlawful disclosure of personal data.
2. Subject matter, nature, purpose, and duration
Subject matter: processing of personal data of visitor data subjects on the Customer's sites, per the Customer's configuration on the ConsentFly platform.
Nature and purpose: capture and store consent evidence (timestamp, accepted categories, country/region derived from IP, technical identifier), deliver that evidence to the Customer via dashboard, API, or webhook, and generate exports on demand.
Duration: for the term of the service agreement between Customer and ConsentFly, subject to the retention periods described in section 6.
3. Categories of data and data subjects
Types of personal data processed:
- Consent events (timestamp, opaque technical identifier generated by the banner, accepted/rejected cookie categories)
- Country and region derived from the visitor's IP address; the raw IP is not persisted in the database
- Browser user-agent (to audit the context of the consent)
- URL of the page where consent was captured
Categories of data subjects:
- Visitors of the Customer's sites
- Authenticated users on the Customer's sites, when the Customer associates the consent event with its own identifier
ConsentFly does not process sensitive data as defined in LGPD Art. 5(II) or GDPR Art. 9 in the normal course of the service. The Customer agrees not to send sensitive data via the banner or API without prior notice and a contractual addendum.
4. ConsentFly's obligations as Processor
ConsentFly undertakes to:
- Process personal data only on documented instructions from the Customer (including dashboard configuration), except where applicable legislation requires otherwise
- Ensure that persons authorized to process personal data are under a duty of confidentiality
- Implement and maintain appropriate technical and organizational measures, as described in section 7
- Assist the Customer in fulfilling data subject requests and data protection impact assessments where applicable
- Notify the Customer in the event of any incident involving personal data, per section 8
- Delete or return data at the end of the agreement, per section 6
- Make available to the Customer, upon reasonable request, the information needed to demonstrate compliance with this DPA
5. Customer obligations as Controller
The Customer undertakes to:
- Act as Controller of the personal data collected by the banner or sent via the API, defining purpose and legal basis
- Ensure it has a valid legal basis (consent, legitimate interest, legal obligation, etc.) to collect the data before configuring it in ConsentFly
- Provide data subjects with the information required by the LGPD/GDPR at the time of collection — the ConsentFly banner supports but does not replace the site's own privacy policy
- Not send sensitive data to ConsentFly without a prior contractual addendum
- Respond directly to requests from data subjects whose data was collected on its sites, optionally requesting operational support from ConsentFly
- Keep platform credentials (strong passwords, MFA when available) and webhook configurations (HTTPS URL, HMAC secret) secure and up to date
6. Retention and return
Data processed on behalf of the Customer is kept for the duration of the agreement. Upon termination or account deletion:
- The Customer has 30 days to export any data via the dashboard or API
- After that period, ConsentFly deletes the data within 30 additional days, subject to the legally mandatory retentions described in the Privacy Policy
- Backups are overwritten in the regular retention cycle (up to 30 additional days across all environments)
7. Technical and organizational measures
ConsentFly maintains, at minimum:
- Encryption of data in transit (TLS 1.2+) across all surfaces
- Passwords stored as bcrypt hashes; JWT tokens in HttpOnly+Secure+SameSite cookies
- Outbound webhooks signed with HMAC-SHA256, with SSRF protection applied to the configured destination URL
- Least-privilege access controls on the production database
- Rate-limiting and brute-force protection on authentication routes
- Error monitoring via Sentry with PII filtering before submission
- Daily automated PostgreSQL backups with provider-side encryption at rest (Railway)
- Regular dependency review and remediation of known vulnerabilities
- Formal incident management process with notification chain
8. Security incident notification
ConsentFly will notify the Customer within 72 hours of becoming aware of any security incident involving personal data processed on the Customer's behalf. The notification will include:
- Nature and known timeline of the incident
- Categories and approximate number of affected data subjects
- Categories and approximate volume of personal data records affected
- Likely consequences of the incident
- Measures taken or proposed to mitigate adverse effects
- Points of contact for additional information
When ConsentFly acts as Processor, it is for the Customer (as Controller) to notify the ANPD and/or the competent European authority and the data subjects within legal timeframes (LGPD Art. 48 / GDPR Arts. 33 and 34). ConsentFly will provide reasonable support for that notification.
9. Subprocessors
The Customer authorizes, on a general basis, ConsentFly's use of the subprocessors listed at /legal/processors. ConsentFly maintains a written agreement with each subprocessor imposing obligations equivalent to those in this DPA, including security measures and the applicable international transfer regime.
ConsentFly will notify the Customer at least 15 days before any new subprocessor that processes the Customer's personal data goes into production. In case of a reasoned objection, the Customer may terminate the agreement without penalty before the new subprocessor goes into production.
10. International transfers
When personal data is transferred outside Brazil or the European Economic Area, ConsentFly ensures a valid transfer mechanism:
- Standard Contractual Clauses (SCC) approved by the European Commission, with applicable modules (controller-processor, processor-subprocessor)
- Prior assessment of the destination country's legal regime (transfer impact assessment) where required
- For Brazilian data subjects, compliance with LGPD Art. 33
11. Audit
The Customer may request, at most once per year and with reasonable notice, documentary evidence of ConsentFly's compliance with this DPA — including summary audit reports, subprocessor certifications, and a description of security measures. On-site audits are subject to a separate agreement and reimbursement of reasonable costs incurred.
12. Support for data subject requests
ConsentFly provides, within the dashboard, tools to help the Customer fulfill data subject requests (DSAR):
- Consent CSV exports (sync and async)
- Subject lookup API (subject_id) to locate evidence for a specific data subject
- Subject erasure endpoint to honor deletion requests
ConsentFly undertakes to respond to operational support requests within 5 business days. The detailed SLA is set out in the Privacy Policy.
13. Liability
ConsentFly's liability for breach of this DPA is limited to the provisions of the Terms of Use. Nothing in this DPA relieves the Customer of its own responsibility as Controller, in particular regarding the existence of a legal basis for processing and transparency toward data subjects.
14. Governing law and venue
This DPA is governed by the laws of the Federative Republic of Brazil. For Customers based in the European Economic Area, the mandatory provisions of the GDPR also apply. The elected venue is the courts of São Paulo/SP, except where mandatory law provides otherwise.
15. Contact
For questions about this DPA, to request a formal countersignature, or to contact our DPO:
Email: suporte@consentfly.com.br