Data Processing Agreement
Effective date: April 22, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and EthicsPortal (“Processor”) for the provision of the EthicsPortal whistleblower reporting platform (“Service”).
Need a signed copy? Contact legal@ethicsportal.eu to request a countersigned PDF version of this DPA for your records.
1. Parties
Controller: The organization that subscribes to EthicsPortal and determines the purposes and means of processing personal data through the Service.
Processor: EthicsPortal, operated by Yaroslav Shmarov, registered at ul. Obrzeżna 1A, 02-691 Warsaw, Poland. Contact: legal@ethicsportal.eu.
2. Scope and purpose of processing
The Processor processes personal data on behalf of the Controller solely to provide the Service, which includes:
- Receiving and storing whistleblower reports
- Enabling secure communication between reporters and case handlers
- Managing case workflows (assignment, status tracking, resolution)
- Generating audit logs and compliance records
- Sending transactional email notifications to case handlers and organization administrators
- Processing payments for the Service
The Processor does not process personal data for any purpose other than providing the Service as instructed by the Controller.
3. Types of personal data processed
| Data category | Examples | Encrypted at rest |
|---|---|---|
| Reporter identity (optional) | Name, email address, phone number | Yes (non-deterministic) |
| Report content | Description of the reported concern | Yes (non-deterministic) |
| Communication content | Messages between reporter and case handler | Yes (non-deterministic) |
| File attachments | Documents, images, audio, video uploaded by reporters | Stored with metadata stripped |
| Access codes | Unique codes used by reporters to access their reports | Yes |
| Handler and admin data | Name, email address, role, organization membership | No (operational data) |
| Audit log entries | Timestamps, actor identity, action type | No (integrity-critical records) |
| Technical data | One-way hashed IP addresses (not reversible) for rate limiting only | Not applicable (hash, not personal data) |
4. Categories of data subjects
- Whistleblowers / reporters — individuals who submit reports through the portal (may be anonymous)
- Case handlers — individuals designated by the Controller to receive and manage reports
- Organization administrators — individuals who manage the Controller’s EthicsPortal account and settings
5. Duration of processing
The Processor processes personal data for the duration of the Controller’s subscription to the Service. Upon termination:
- The Controller may export their data before the subscription ends.
- Report data is retained according to the Controller’s configured retention period (12, 24, 36, or 60 months after report closure) and then permanently deleted.
- Upon written request, the Processor will delete all remaining Controller data within 30 days of subscription termination, unless retention is required by applicable law.
6. Obligations of the Processor
6.1 Processing instructions
The Processor processes personal data only on documented instructions from the Controller, unless required to do so by EU or member state law. If such a legal requirement arises, the Processor will inform the Controller before processing, unless the law prohibits such notification.
6.2 Confidentiality
All persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security measures
The Processor implements and maintains the technical and organizational measures described on the Security page, including:
- Non-deterministic encryption at rest for all sensitive report data
- No storage of raw reporter IP addresses in the database (one-way hashing for rate limiting only)
- Automatic file metadata stripping (EXIF, GPS, author data)
- Role-based access control with Pundit authorization policies
- Append-only audit trail for all actions
- Rate limiting on all public portal endpoints
- HTTPS/TLS for all connections
- CSRF protection
Security vulnerabilities and incident reports may be sent to security@ethicsportal.eu. Data subject and DPO-style inquiries may be sent to privacy@ethicsportal.eu or dpo@ethicsportal.eu.
6.4 Sub-processors
The Processor uses the sub-processors listed in Section 8. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to the change; if no resolution is reached, the Controller may terminate the agreement.
6.5 Data subject rights
The Processor assists the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection) by providing the necessary technical capabilities within the Service.
6.6 Data breach notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
6.7 Data Protection Impact Assessments
The Processor assists the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities, to the extent that the Processor’s processing activities require such assistance.
6.8 Deletion and return of data
Upon termination of the Service, the Processor will, at the Controller’s choice:
- Return all personal data to the Controller in the export formats made available by the Service at the time of termination, including PDF case exports and associated attachments, or
- Delete all personal data and confirm deletion in writing
unless EU or member state law requires continued storage.
If the Controller reasonably requires an additional portability format for migration or regulatory review, the Processor will assess the request in good faith and, where technically feasible, provide it under a separate written request.
6.9 Audit rights
The Processor makes available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations. The Controller may conduct audits, including inspections, either directly or through a mandated auditor, subject to reasonable advance notice (at least 30 days) and during normal business hours. The Processor will cooperate with such audits.
6.10 No AI or LLM processing of report content
The Processor commits that personal data processed under this DPA — including report content, reporter identity, handler messages, file attachments, and audit log entries — is not transmitted to any large language model, generative AI service, or AI-based classifier, whether operated by the Processor or by a third party (including but not limited to OpenAI, Anthropic, Google, and Mistral). The Service does not perform AI-driven categorisation, triage, summarisation, translation, or suggested replies on personal data. The Controller may rely on this commitment when assessing automated decision-making obligations under Art. 22 GDPR and when scoping sub-processor disclosure in its own privacy notices and Data Protection Impact Assessments. Any change to this commitment would be a material change to the Service and would be notified to the Controller under Section 6.4 (Sub-processors) and Section 11 (Term and termination).
Self-hosted statistical machine translation that runs entirely on Processor-controlled infrastructure (no data leaves Processor infrastructure, no external inference call) is not within the scope of this restriction and may be used to translate reporter or handler messages where the Controller has enabled it.
This commitment is reviewed annually. The “Last updated” date at the top of this DPA reflects the most recent affirmation. If the Processor at any point intends to introduce AI or LLM processing of personal data covered by this DPA, the Processor will notify the Controller in accordance with Section 6.4 and the change will take effect no earlier than the notice period stated there.
6.11 Customer-managed encryption keys (BYOK)
The Service does not support customer-managed encryption keys — whether described as bring-your-own-key (BYOK), hold-your-own-key (HYOK), or external key management service (KMS) integration. This is a deliberate architectural choice, not an operational limitation, and is grounded in two confidentiality and lifecycle guarantees the Processor makes elsewhere in this DPA:
- Reporter–handler key boundary. Personal data covered by this DPA is encrypted at rest under Processor-managed keys held inside the Service. The encryption boundary that protects reporter identity and report content from external parties is the same boundary that protects it from the Controller’s own IT administrators. Routing key custody to the Controller would relocate that boundary into the Controller’s environment, where Controller-side administrators would, in principle, become capable of decrypting reporter identity — inverting the confidentiality model required by Art. 16 of Directive 2019/1937.
- End-to-end deletion guarantee. Retention-based deletion (Art. 5(1)(e) GDPR) and contractual deletion on termination (Section 6.8 above) rely on the Processor’s ability to cryptographically and physically destroy keyed data independently of the Controller. A Controller-held key would create a class of failure where the Processor cannot, on its own, guarantee complete deletion within the contractual window.
The Processor’s encryption-at-rest scheme, non-deterministic encryption properties, and key isolation are documented on the Security page. A change to this position would be a material change to the Service and would be notified to the Controller under Section 6.4 (Sub-processors) and Section 11 (Term and termination).
7. Obligations of the Controller
The Controller is responsible for:
- Ensuring a lawful basis for processing personal data through the Service
- Providing required privacy notices to data subjects (EthicsPortal displays a privacy notice on the portal submission form)
- Configuring appropriate data retention periods within the Service
- Designating authorized handlers and administrators
- Responding to data subject requests, with assistance from the Processor as described above
8. Sub-processors
The following sub-processors are authorized as of the effective date of this DPA:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting, database, and file attachment storage | Nuremberg, Germany (EU) | Data processed entirely within EU |
| Stripe Payments Europe, Ltd | Payment processing | Ireland (EU) | No payment credentials stored by Processor; Stripe is PCI DSS Level 1 certified |
| Mailjet (Sinch) | Transactional email delivery | France (EU) | Data processed entirely within EU |
| Cloudflare, Inc. | CDN and edge delivery for the marketing website | United States | Transfers, where personal data is involved, rely on Standard Contractual Clauses and supplementary safeguards |
| AppSignal B.V. | Error monitoring and application performance monitoring for admin and handler interfaces | Netherlands (EU) | Data processed entirely within EU; reporter IP addresses are never logged |
| Crisp IM SARL | In-app handler chat and identity verification support | France (EU) | Loaded only in the handler portal; not loaded on the marketing site or reporter-facing pages |
Marketing analytics (Cloudflare Web Analytics) are cookie-free and do not process personal data.
No AI or LLM sub-processor. No large language model, generative AI service, or AI-based classifier is a sub-processor of the Processor. Personal data processed under this DPA is not transmitted to OpenAI, Anthropic, Google, Mistral, or any other AI inference provider. See Section 6.10.
9. International data transfers
Core whistleblower report data, including report content and file attachment storage, is hosted within the European Union (Hetzner, Germany). Payment processing occurs within the EU (Stripe), and transactional email is delivered from the EU (Mailjet, France).
Marketing-site requests are routed through Cloudflare (CDN, United States), which processes network metadata (visitor IP addresses and request headers) for content delivery and DDoS protection. No reports, handler data, or account data are shared with Cloudflare. Transfers rely on Standard Contractual Clauses and supplementary safeguards. The reporting portal and handler portal do not load Cloudflare. AppSignal (Netherlands) and Crisp (France) are EU-based; Crisp is loaded only in the handler portal.
10. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the main service agreement between the parties. To the maximum extent permitted by law, claims arising out of or relating to this DPA form part of the same aggregate liability cap that applies to the Service.
11. Term and termination
This DPA takes effect when the Controller begins using the Service and remains in effect for as long as the Processor processes personal data on behalf of the Controller. The obligations in this DPA survive termination to the extent necessary to complete the deletion or return of personal data.
12. Governing law
This DPA is governed by the laws of the Republic of Poland, without regard to conflict of laws principles. The competent courts of Warsaw, Poland have exclusive jurisdiction over disputes arising from this DPA.
Contact
For questions about this DPA or to request a signed copy:
EthicsPortal
Yaroslav Shmarov
ul. Obrzeżna 1A, 02-691 Warsaw, Poland
legal@ethicsportal.eu
Last updated: