Data Processing Agreement
Raccoon Page's standard Data Processing Agreement (DPA) for customers acting as Data Controller — GDPR-aligned, with sub-processor, security, and breach-notification terms.
Last updated .
1. Parties and Definitions
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (“Data Controller”) and Raccoon Page (“Data Processor”) for the provision of the Raccoon Page service. “Personal Data,” “Processing,” “Data Subject,” and other terms used herein have the meanings given in the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Processing Description
The Processor processes Personal Data on behalf of the Controller to provide the Raccoon Page knowledge management service. Categories of data subjects include the Controller’s employees and authorized users. Categories of personal data include names, email addresses, user-generated content (wiki pages, comments, attachments), usage logs, and IP addresses. Processing activities include storage, retrieval, organization, display, and deletion of personal data as necessary to provide the service.
3. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed on our Subprocessors page. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. If the Controller objects to a new sub-processor, the Controller may terminate the affected service by providing written notice within 30 days of the notification.
4. Security Measures
The Processor implements appropriate technical and organizational measures to protect Personal Data, including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, infrastructure access restricted to SSH key authentication with MFA, automated daily backups with 30-day retention, regular dependency vulnerability scanning, and logging of administrative actions.
5. Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6. Data Return and Deletion
Upon termination of the agreement, the Processor will, at the Controller’s election, return all Personal Data or delete it within 30 days. The Controller may export data at any time using the built-in data export functionality. Backup copies will be deleted within 90 days of the termination date. The Processor will provide written certification of deletion upon request.
7. Audit Rights
The Controller may audit the Processor’s compliance with this DPA once per calendar year, with 30 days’ advance written notice. Audits will be conducted during normal business hours and in a manner that minimizes disruption. The Processor will provide reasonable cooperation and access to relevant documentation, facilities, and personnel. The Controller bears the cost of the audit unless the audit reveals material non-compliance.
8. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests to exercise their rights under applicable data protection law (access, rectification, erasure, portability, restriction, and objection). The Processor will promptly notify the Controller if it receives a request directly from a data subject.
9. International Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area. The Processor ensures adequate protection for such transfers through Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms as applicable.
10. Term and Termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. The obligations of confidentiality and data protection survive termination of this DPA.