1. Introduction and Definitions
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Dorik, Inc. ("Processor," "we," "us," or "our") and the entity using our Consently.net consent management platform services ("Controller," "Customer," or "you").
This DPA governs the processing of personal data by Dorik, Inc. on behalf of the Controller in connection with the provision of our consent management platform services.
1.1 Definitions
For the purposes of this DPA:
- "Controller" means the entity that determines the purposes and means of processing personal data
- "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR, UK GDPR, CCPA, and other relevant legislation
- "Data Subject" means an identified or identifiable natural person
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "Processor" means the entity that processes personal data on behalf of the Controller
- "Services" means Consently.net consent management platform services
- "Sub-processor" means any third party engaged by the Processor to process personal data
2. Scope and Application
2.1 Scope of Processing
This DPA applies to the processing of personal data by Dorik, Inc. as Processor on behalf of the Controller in connection with:
- Consent collection and management
- Cookie consent banner display and functionality
- Consent string generation and storage
- Preference center operations
- Compliance reporting and analytics
- Integration with advertising and analytics platforms
2.2 Controller Responsibilities
The Controller acknowledges and agrees that:
- It is the Controller of personal data processed through our Services
- It determines the purposes and means of processing
- It is responsible for ensuring lawful basis for processing
- It must provide appropriate privacy notices to data subjects
- It remains liable for compliance with applicable Data Protection Laws
3. Categories of Data and Data Subjects
3.1 Categories of Data Subjects
Personal data processed under this DPA relates to the following categories of data subjects:
- Website visitors of the Controller's websites
- Users interacting with consent mechanisms
- Individuals whose consent preferences are managed
3.2 Categories of Personal Data
The personal data processed may include:
- Consent Records: Consent choices, timestamps, consent strings
- Technical Identifiers: Cookie IDs, session identifiers, browser information
- Preference Data: User choices regarding cookies and tracking
- Interaction Data: Consent banner interactions, preference updates
- Compliance Data: Records required for regulatory compliance
3.3 Special Categories of Personal Data
We do not intentionally process special categories of personal data (sensitive data) under this DPA. If such data is inadvertently processed, the Controller must immediately notify us.
4. Processing Instructions and Purposes
4.1 Processing Purposes
We will process personal data solely for the following purposes:
- Providing consent management services as described in our Terms of Service
- Generating and maintaining consent records
- Facilitating compliance with privacy regulations
- Providing reporting and analytics on consent metrics
- Ensuring proper integration with third-party platforms
4.2 Processing Instructions
We will process personal data only:
- In accordance with documented instructions from the Controller
- As necessary to provide the Services
- As required by applicable law
- With explicit written authorization from the Controller for any other purposes
4.3 Conflicting Instructions
If we believe that an instruction from the Controller violates applicable Data Protection Laws, we will inform the Controller and may refuse to carry out the instruction until the conflict is resolved.
5. Security Measures
5.1 Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption of data in transit and at rest
- Access controls and authentication systems
- Regular security monitoring and logging
- Secure data centers with physical access controls
- Regular security assessments and penetration testing
Organizational Measures:
- Staff training on data protection
- Confidentiality agreements with personnel
- Data breach response procedures
- Regular review of security measures
- Privacy by design implementation
5.2 Security Standards
Our security measures are designed to:
- Ensure ongoing confidentiality, integrity, and availability of processing systems
- Restore availability of personal data in a timely manner after incidents
- Regularly test and evaluate the effectiveness of security measures
6. Sub-processors
6.1 Authorized Sub-processors
The Controller provides general authorization for the engagement of sub-processors. We maintain a current list of sub-processors, which may include:
- Cloud hosting providers (for data storage and processing)
- Infrastructure service providers
- Security service providers
- Backup and disaster recovery providers
6.2 Sub-processor Requirements
We ensure that any sub-processor:
- Provides sufficient guarantees regarding security measures
- Is bound by written contract with data protection obligations equivalent to this DPA
- Allows for audits and inspections as required
- Notifies us immediately of any changes affecting data protection
6.3 Sub-processor Changes
We will inform the Controller of any intended changes concerning sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects, we will work together to find a reasonable solution.
7. International Data Transfers
7.1 Transfer Mechanisms
Our servers are located in the European Union. Any international transfers of personal data will be conducted in accordance with applicable Data Protection Laws and appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by competent authorities
- Other legally recognized transfer mechanisms
7.2 Transfer Documentation
We will provide the Controller with necessary documentation to demonstrate compliance with international transfer requirements upon request.
8. Data Subject Rights
8.1 Assistance with Rights Requests
We will assist the Controller in responding to data subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
8.2 Technical Assistance
Taking into account the nature of processing, we will assist the Controller by implementing appropriate technical and organizational measures to fulfill data subject rights requests.
8.3 Direct Requests
If we receive a direct request from a data subject, we will not respond directly but will promptly forward the request to the Controller.
9. Data Breach Notification
9.1 Incident Response
We maintain incident response procedures to detect, investigate, and respond to potential personal data breaches. Upon becoming aware of a personal data breach, we will:
- Contain and assess the breach
- Investigate the cause and scope
- Implement remedial measures
- Document the incident
9.2 Notification to Controller
We will notify the Controller without undue delay and no later than 72 hours after becoming aware of a personal data breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9.3 Cooperation
We will cooperate with the Controller in any breach notification to supervisory authorities or data subjects as required by applicable law.
10. Data Protection Impact Assessments
10.1 Assistance with DPIAs
When required, we will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) related to our processing activities.
10.2 Information Provision
We will provide necessary information about our processing activities, security measures, and risks to enable the Controller to conduct effective DPIAs.
11. Audits and Compliance
11.1 Audit Rights
The Controller has the right to conduct audits and inspections to verify our compliance with this DPA and applicable Data Protection Laws. Such audits may be conducted:
- Upon reasonable notice (minimum 30 days)
- During regular business hours
- No more than once per year unless required by regulatory authorities
- At the Controller's expense
11.2 Compliance Documentation
We will maintain records of processing activities and make available to the Controller all information necessary to demonstrate compliance with this DPA.
11.3 Third-Party Audits
The Controller may engage qualified third-party auditors to conduct audits, subject to appropriate confidentiality agreements.
12. Data Retention and Deletion
12.1 Retention Period
We will retain personal data only for as long as necessary to provide the Services or as instructed by the Controller, taking into account:
- Legal and regulatory requirements
- Legitimate business purposes
- Controller's retention instructions
12.2 Data Deletion
Upon termination of the Services or upon Controller's request, we will:
- Delete or return all personal data to the Controller
- Delete all copies unless retention is required by law
- Provide certification of deletion upon request
12.3 Legal Holds
We may retain personal data longer if required by applicable law or legal process, and will notify the Controller of such requirements.
13. Liability and Indemnification
13.1 Limitation of Liability
Each party's liability under this DPA will be subject to the limitation of liability provisions in the Terms of Service.
13.2 Data Protection Violations
If one party's violation of this DPA causes the other party to be subject to fines or penalties under Data Protection Laws, the violating party will indemnify the non-violating party for such fines and penalties.
14. Term and Termination
14.1 Term
This DPA will remain in effect for as long as we provide Services to the Controller that involve the processing of personal data.
14.2 Survival
The following provisions will survive termination of this DPA:
- Data deletion obligations
- Confidentiality obligations
- Liability and indemnification provisions
- Audit rights (for a reasonable period)
15. Governing Law and Jurisdiction
15.1 Governing Law
This DPA is governed by the laws of the State of Delaware, United States, except where Data Protection Laws require application of different governing law.
15.2 Dispute Resolution
Any disputes arising under this DPA will be resolved in accordance with the dispute resolution provisions in the Terms of Service.
16. Amendments and Modifications
16.1 Changes to DPA
We may update this DPA from time to time to reflect changes in:
- Applicable Data Protection Laws
- Our processing activities
- Industry standards and best practices
16.2 Notification
We will notify the Controller of any material changes to this DPA and provide reasonable time to review and object to such changes.
17. Contact Information
For any questions or concerns regarding this DPA or our data processing activities, please contact:
support@consently.net
Appendix A: Sub-processor List
Check our subprocessor list here: Consently Subprocessors
Appendix B: Standard Contractual Clauses
1. Introduction
This Appendix forms part of the Data Processing Agreement ("DPA") between the Controller and Dorik, Inc. ("Processor") and incorporates the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021 ("SCCs").
The parties agree that the SCCs shall apply to the transfer of personal data from the Controller (as data exporter) to the Processor (as data importer) where such transfer would otherwise be prohibited under EU data protection law in the absence of appropriate safeguards.
2. Module Selection
The parties agree that Module Two (Controller to Processor) of the SCCs applies to the processing of personal data under this DPA.
3. Clause Options
The following options under the SCCs are selected:
| Clause | Option Selected |
|---|---|
| Clause 7 (Docking clause) | Included |
| Clause 9(a) (Sub-processor authorization) | Option 2: General written authorization with notification of changes |
| Clause 11 (Redress) | Optional language not included |
| Clause 17 (Governing law) | Option 1: Law of an EU Member State (Ireland) |
| Clause 18(b) (Forum selection) | Courts of Ireland |
4. Annexes to the Standard Contractual Clauses
Annex I
A. List of Parties
Data Exporter (Controller): The Customer as identified in the Consently account.
Data Importer (Processor): Dorik, Inc. Contact: support@consently.net
B. Description of Transfer
| Item | Description |
|---|---|
| Categories of Data Subjects | Website visitors, users interacting with consent mechanisms |
| Categories of Personal Data | Consent records, timestamps, consent strings, cookie IDs, session identifiers, browser information, user preferences |
| Sensitive Data | None intentionally processed |
| Frequency of Transfer | Continuous, as part of service provision |
| Nature of Processing | Collection, storage, and management of consent data |
| Purpose of Processing | Providing consent management services, generating consent records, compliance reporting |
| Retention Period | As specified in the DPA or as instructed by Controller |
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the data exporter is established in the EU, it shall be the supervisory authority of the EU Member State in which the data exporter is established.
For data exporters not established in the EU, the Irish Data Protection Commission shall serve as the competent supervisory authority.
Annex II
Technical and Organizational Measures
The Processor implements the following security measures:
1. Data Encryption
- Encryption of data in transit using TLS 1.2+
- Encryption of data at rest using AES-256
2. Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for system access
- Unique user credentials for all personnel
- Regular access reviews and revocation procedures
3. Infrastructure Security
- EU-based data centers with physical access controls
- 24/7 security monitoring
- Firewall and intrusion detection systems
- Regular vulnerability assessments and penetration testing
4. Data Segregation
- Logical separation of customer data
- Isolated database instances per customer where applicable
5. Backup and Recovery
- Regular automated backups
- Encrypted backup storage
- Tested disaster recovery procedures
6. Personnel Security
- Confidentiality agreements with all staff
- Background checks where legally permitted
- Regular data protection training
7. Incident Management
- Documented incident response procedures
- 72-hour breach notification commitment
- Regular incident response testing
8. Organizational Controls
- Privacy by design implementation
- Regular security policy reviews
- Documented change management procedures
Annex III
List of Sub-processors
The Processor maintains an up-to-date list of sub-processors at: https://consently.net/policy/subprocessors
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object as outlined in Section 6.3 of the DPA.
5. UK International Data Transfer Addendum
For transfers of personal data from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference and applies to such transfers.
| Table | Information |
|---|---|
| Table 1 (Parties) | As set out in Annex I.A above |
| Table 2 (Selected SCCs) | Module 2, as specified in Section 2 above |
| Table 3 (Appendix Information) | As set out in Annexes I, II, and III above |
| Table 4 (Ending the Addendum) | Neither party may end the UK Addendum |
This Appendix B is incorporated into and forms part of the Data Processing Agreement between the parties.
