Data Processing Agreement (DPA)
Data-processing terms between dnoise and business customers.
dnoise processes End Customer data solely to generate analytical reports for the Data Controller. No other use is permitted.
- Transaction data: amounts, currencies, dates, statuses, payment method types, card country and brand, risk levels, fees, net amounts.
- Customer profile data: Stripe Customer IDs, full email addresses, names, billing country.
- Subscription data: plan IDs, status changes, dates, amounts.
- Invoice data: amounts, attempt counts, dates, payment error codes.
Explicitly NOT processed:
- Raw card numbers, CVV, or full PAN (Stripe API does not expose these).
- Stripe login credentials.
- Data outside the approved read-only OAuth scope.
- Process End Customer data only on documented instructions of the Data Controller.
- Implement technical and organizational security measures per the Security Policy (https://dnoise.online/security).
- Not disclose End Customer data to third parties except sub-processors bound by equivalent obligations.
- Notify the Data Controller without undue delay (within 72 hours if required by applicable law) of any confirmed personal data breach.
- Delete or anonymize End Customer data automatically within 30 days of Stripe disconnection, or earlier upon explicit User request — whichever is sooner.
- Revoke Stripe OAuth access tokens automatically at the end of the active subscription period, without requiring a separate User request.
- Provide reasonable assistance to the Data Controller in responding to data subject rights requests.
- Upon request, provide information necessary to demonstrate compliance with this DPA.
The Processor shall, upon the Controller’s reasonable written request (with at least 30 days’ notice, no more than once per calendar year unless required by a supervisory authority), make available information necessary to demonstrate compliance and allow for audits conducted by the Controller or an independent auditor. The Processor may charge a reasonable fee for such assistance. Any auditor must be bound by confidentiality obligations.
- Ensure a lawful basis exists for sharing End Customer data with dnoise.
- Provide appropriate privacy disclosures to End Customers about processing by dnoise.
- Issue only lawful instructions to dnoise regarding data processing.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany | Hosting and infrastructure |
| Google LLC | USA | Analytics — with consent |
Stripe Inc. is a separate data controller and not a sub-processor of dnoise. Data accessed from Stripe is governed by Stripe’s own Privacy Policy and Terms.
Payment infrastructure used for the User's own subscription purchase, including cryptocurrency payment-request providers, is outside the scope of this DPA unless and to the extent such provider processes End Customer data from the connected Stripe account on behalf of the Controller.
The Controller provides general authorization to engage the above sub-processors. The Processor will notify the Controller at least 14 days before engaging new sub-processors. The Controller may object within 14 days; if unresolved, the Controller may terminate the Service.
International transfers use appropriate safeguards where required by applicable law. Copies available at admin@dnoise.online.