Data Processing Agreement

Falktron – Technical Overview of Data Processing Agreements (DPAs)

date: May 2025

Target Group: IT Administrators & Data Protection Officers

Purpose: Central reference for all DPA-relevant third-party providers used by Falktron, including technical security standards, processing roles and oversight mechanisms.

Microsoft

  • dpaOverview.role: Processor
  • dpaOverview: Azure, M365, Infrastructure
  • Data Location: EU-based processing possible (EU Data Boundary)
  • Security: ISO 27001, ISO 27018, SOC2 certified
  • Special Feature: Data residency can be configured regionally

Vercel

  • dpaOverview.role: Processor
  • Use Case: Hosting for web and AI frontend applications
  • Technology: TLS, AES-256, MFA secured
  • Data Transfers: SCCs + Data Privacy Framework (DPF)
  • Access: Time-limited, documented and logged

Render.com

  • dpaOverview.role: Processor
  • Scope: Deployment metadata, access logs
  • Security: SOC2 Type 2, strict access controls
  • Data Deletion: Automatic 60 days post-termination
  • Transfer Model: SCCs and DPF safeguard international flows

Amazon Web Services (AWS)

  • dpaOverview.role: Processor, partly Controller (e.g., billing/account data)
  • Security Stack: IAM, TLS encryption, KMS, CloudTrail audit logs
  • Certifications: ISO 27001, ISO 27018, BSI C5
  • Highlight: Shared Responsibility Model & regional configuration

Customer.io

  • dpaOverview.role: Processor
  • dpaOverview.function: Automated messaging and transactional communication
  • dpaOverview.security: MFA-secured access, encrypted transmission & storage
  • dpaOverview.subprocessors: Pre-announced, with opt-out rights
  • dpaOverview.transfers: Secured via SCCs and UK Addendum

Lemonsqueezy

  • dpaOverview.role: Processor
  • Scope: Buyer-related data (name, email, transaction ID)
  • Data Retention: Deleted within 10 business days post-contract
  • International Transfers: Only with prior written consent and SCCs
  • Security: Restricted access, Art. 32 GDPR-compliant measures

Common Control Principles

  • Data is processed strictly on behalf of Falktron (Controller role)
  • SCCs are minimum requirement for all international data transfers
  • Provider-specific data deletion protocols and support for data subject rights
  • Technical and legal audit rights ensured via DPA clauses
  • New service onboarding must include Falktron DPA-compliance verification
This file supports internal DPIAs, external audit documentation, and regular compliance checks. New tools or cloud partners must be evaluated against Falktron’s minimum DPA criteria.