Data Processing Agreement

Effective Date: 27 September 2025 - Last Updated: 30 September 2025

1. Introduction and Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Dorik, Inc. ("Processor," "we," "us," or "our") and the entity using our Consently.net consent management platform services ("Controller," "Customer," or "you").

This DPA governs the processing of personal data by Dorik, Inc. on behalf of the Controller in connection with the provision of our consent management platform services.

1.1 Definitions

For the purposes of this DPA:

  • "Controller" means the entity that determines the purposes and means of processing personal data
  • "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR, UK GDPR, CCPA, and other relevant legislation
  • "Data Subject" means an identified or identifiable natural person
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "Processor" means the entity that processes personal data on behalf of the Controller
  • "Services" means Consently.net consent management platform services
  • "Sub-processor" means any third party engaged by the Processor to process personal data

2. Scope and Application

2.1 Scope of Processing

This DPA applies to the processing of personal data by Dorik, Inc. as Processor on behalf of the Controller in connection with:

  • Consent collection and management
  • Cookie consent banner display and functionality
  • Consent string generation and storage
  • Preference center operations
  • Compliance reporting and analytics
  • Integration with advertising and analytics platforms

2.2 Controller Responsibilities

The Controller acknowledges and agrees that:

  • It is the Controller of personal data processed through our Services
  • It determines the purposes and means of processing
  • It is responsible for ensuring a lawful basis for processing
  • It must provide appropriate privacy notices to data subjects
  • It remains liable for compliance with applicable Data Protection Laws

3. Categories of Data and Data Subjects

3.1 Categories of Data Subjects

Personal data processed under this DPA relates to the following categories of data subjects:

  • Website visitors of the Controller's websites
  • Users interacting with consent mechanisms
  • Individuals whose consent preferences are managed

3.2 Categories of Personal Data

The personal data processed may include:

  • Consent Records: Consent choices, timestamps, consent strings
  • Technical Identifiers: Cookie IDs, session identifiers, browser information
  • Preference Data: User choices regarding cookies and tracking
  • Interaction Data: Consent banner interactions, preference updates
  • Compliance Data: Records required for regulatory compliance

3.3 Special Categories of Personal Data

We do not intentionally process special categories of personal data (sensitive data) under this DPA. If such data is inadvertently processed, the Controller must immediately notify us.

4. Processing Instructions and Purposes

4.1 Processing Purposes

We will process personal data solely for the following purposes:

  • Providing consent management services as described in our Terms of Service
  • Generating and maintaining consent records
  • Facilitating compliance with privacy regulations
  • Providing reporting and analytics on consent metrics
  • Ensuring proper integration with third-party platforms

4.2 Processing Instructions

We will process personal data only:

  • In accordance with documented instructions from the Controller
  • As necessary to provide the Services
  • As required by applicable law
  • With explicit written authorization from the Controller for any other purposes

4.3 Conflicting Instructions

If we believe that an instruction from the Controller violates applicable Data Protection Laws, we will inform the Controller and may refuse to carry out the instruction until the conflict is resolved.

5. Security Measures

5.1 Technical and Organizational Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security monitoring and logging
  • Secure data centers with physical access controls
  • Regular security assessments and penetration testing

Organizational Measures:

  • Staff training on data protection
  • Confidentiality agreements with personnel
  • Data breach response procedures
  • Regular review of security measures
  • Privacy by design implementation

5.2 Security Standards

Our security measures are designed to:

  • Ensure ongoing confidentiality, integrity, and availability of processing systems
  • Restore availability of personal data in a timely manner after incidents
  • Regularly test and evaluate the effectiveness of security measures

6. Sub-processors

6.1 Authorized Sub-processors

The Controller provides general authorization for the engagement of sub-processors. We maintain a current list of sub-processors, which may include:

  • Cloud hosting providers (for data storage and processing)
  • Infrastructure service providers
  • Security service providers
  • Backup and disaster recovery providers

6.2 Sub-processor Requirements

We ensure that any sub-processor:

  • Provides sufficient guarantees regarding security measures
  • Is bound by written contract with data protection obligations equivalent to this DPA
  • Allows for audits and inspections as required
  • Notifies us immediately of any changes affecting data protection

6.3 Sub-processor Changes

We will inform the Controller of any intended changes concerning sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects, we will work together to find a reasonable solution.

7. International Data Transfers

7.1 Transfer Mechanisms

Our servers are located in the European Union. Any international transfers of personal data will be conducted in accordance with applicable Data Protection Laws and appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by competent authorities
  • Other legally recognized transfer mechanisms

7.2 Transfer Documentation

We will provide the Controller with necessary documentation to demonstrate compliance with international transfer requirements upon request.

8. Data Subject Rights

8.1 Assistance with Rights Requests

We will assist the Controller in responding to data subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

8.2 Technical Assistance

Taking into account the nature of processing, we will assist the Controller by implementing appropriate technical and organizational measures to fulfill data subject rights requests.

8.3 Direct Requests

If we receive a direct request from a data subject, we will not respond directly but will promptly forward the request to the Controller.

9. Data Breach Notification

9.1 Incident Response

We maintain incident response procedures to detect, investigate, and respond to potential personal data breaches. Upon becoming aware of a personal data breach, we will:

  • Contain and assess the breach
  • Investigate the cause and scope
  • Implement remedial measures
  • Document the incident

9.2 Notification to Controller

We will notify the Controller without undue delay and no later than 72 hours after becoming aware of a personal data breach. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.3 Cooperation

We will cooperate with the Controller in any breach notification to supervisory authorities or data subjects as required by applicable law.

10. Data Protection Impact Assessments

10.1 Assistance with DPIAs

When required, we will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) related to our processing activities.

10.2 Information Provision

We will provide necessary information about our processing activities, security measures, and risks to enable the Controller to conduct effective DPIAs.

11. Audits and Compliance

11.1 Audit Rights

The Controller has the right to conduct audits and inspections to verify our compliance with this DPA and applicable Data Protection Laws. Such audits may be conducted:

  • Upon reasonable notice (minimum 30 days)
  • During regular business hours
  • No more than once per year unless required by regulatory authorities
  • At the Controller's expense

11.2 Compliance Documentation

We will maintain records of processing activities and make available to the Controller all information necessary to demonstrate compliance with this DPA.

11.3 Third-Party Audits

The Controller may engage qualified third-party auditors to conduct audits, subject to appropriate confidentiality agreements.

12. Data Retention and Deletion

12.1 Retention Period

We will retain personal data only for as long as necessary to provide the Services or as instructed by the Controller, taking into account:

  • Legal and regulatory requirements
  • Legitimate business purposes
  • Controller's retention instructions

12.2 Data Deletion

Upon termination of the Services or upon Controller's request, we will:

  • Delete or return all personal data to the Controller
  • Delete all copies unless retention is required by law
  • Provide certification of deletion upon request

We may retain personal data longer if required by applicable law or legal process, and will notify the Controller of such requirements.

13. Liability and Indemnification

13.1 Limitation of Liability

Each party's liability under this DPA will be subject to the limitation of liability provisions in the Terms of Service.

13.2 Data Protection Violations

If one party's violation of this DPA causes the other party to be subject to fines or penalties under Data Protection Laws, the violating party will indemnify the non-violating party for such fines and penalties.

14. Term and Termination

14.1 Term

This DPA will remain in effect for as long as we provide Services to the Controller that involve the processing of personal data.

14.2 Survival

The following provisions will survive termination of this DPA:

  • Data deletion obligations
  • Confidentiality obligations
  • Liability and indemnification provisions
  • Audit rights (for a reasonable period)

15. Governing Law and Jurisdiction

15.1 Governing Law

This DPA is governed by the laws of the State of Delaware, United States, except where Data Protection Laws require application of different governing law.

15.2 Dispute Resolution

Any disputes arising under this DPA will be resolved in accordance with the dispute resolution provisions in the Terms of Service.

16. Amendments and Modifications

16.1 Changes to DPA

We may update this DPA from time to time to reflect changes in:

  • Applicable Data Protection Laws
  • Our processing activities
  • Industry standards and best practices

16.2 Notification

We will notify the Controller of any material changes to this DPA and provide reasonable time to review and object to such changes.

17. Contact Information

For any questions or concerns regarding this DPA or our data processing activities, please contact:

support@consently.net

Appendix A: Sub-processor List

Check our subprocessor list here: Consently Subprocessors

This Data Processing Agreement is effective as of the date listed above and forms an integral part of our Terms of Service.

©2025 Dorik, Inc. All rights reserved.