Legal

  • Brand terms
  • Publisher terms
  • Privacy
  • GDPR DPA
These documents may be updated from time to time. Material changes are announced at least 30 days before they take effect. Each version carries a number and last-updated date so you always know which version applies.

Operator

Legal name: Idealy AB
Org. nr: 556880-7464
VAT: SE556880746401
Address: Saturnusvägen 70, 352 64 Växjö, Sweden
Contact: hello@adryse.com

GDPR Data Processing Agreement

Version 1.1 · Last updated April 2026

This Data Processing Agreement ("DPA") forms part of the Adryse Brand Terms of Service and governs the processing of personal data by Idealy AB ("Adryse") on behalf of Brands ("Customers") under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

1. Parties

  • Processor: Idealy AB (org. nr 556880-7464), Saturnusvägen 70, 352 64 Växjö, Sweden.
  • Controller: The Brand entity that has accepted the Adryse Brand Terms of Service.

2. Subject and duration

Adryse processes personal data on behalf of the Brand for the purposes of operating the Adryse affiliate network, including click and conversion tracking, fraud detection, and commission processing. This DPA applies for as long as Adryse processes personal data on the Brand's behalf.

3. Nature and purpose of processing

Processing involves collection, storage, organization, retrieval, use, and transmission of personal data necessary to deliver the affiliate network services described in the Brand Terms of Service.

4. Types of personal data

  • End-user identifiers (anonymous session tokens);
  • Hashed IP addresses and hashed user agent strings;
  • Referrer URL and click metadata;
  • Conversion identifiers (order ID, order value, currency);
  • Publisher-related identifiers necessary for attribution;
  • Brand staff contact details (name, email, role) for the personnel administering the Brand's Adryse account.

5. Categories of data subjects

  • End users who click affiliate tracking links to the Brand's offers;
  • End users who complete a purchase or qualifying conversion event with the Brand;
  • Brand staff (administrators, billing contacts, marketing contacts) authorized to use the Brand's Adryse account on the Brand's behalf.

6. Processor obligations

Adryse shall:

  • Process personal data only on documented instructions from the Brand, including transfers outside the EU/EEA where instructed;
  • Ensure persons authorized to process the data are bound by confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR);
  • Assist the Brand in fulfilling its obligations to respond to data subject rights requests;
  • Assist the Brand in ensuring compliance with Articles 32–36 GDPR;
  • Notify the Brand without undue delay after becoming aware of a personal data breach;
  • Make available to the Brand all information necessary to demonstrate compliance with this DPA.

7. Sub-processors

The Brand authorizes Adryse to engage the following sub-processors:

  • Cloudflare, Inc. — hosting, CDN, edge compute, DNS, object storage. Headquartered in the United States, with EU data residency options for relevant services.
  • Neon Inc. — managed PostgreSQL database. Headquartered in the United States; EU regional storage available.
  • Stripe Payments Europe Ltd — payment processing, KYC, fund custody. Based in Ireland (EU). Licensed e-money institution.
  • Resend Inc. — transactional email delivery. Headquartered in the United States.

Adryse will give the Brand at least 30 days' written notice before engaging additional sub-processors and will provide the Brand with the opportunity to object on reasonable grounds. If the Brand objects to a new sub-processor and Adryse cannot reasonably accommodate the objection, the Brand may terminate its account under the voluntary closure terms in Section 7 of the Brand Terms of Service without penalty.

8. International transfers

Where personal data is transferred outside the EU/EEA (notably to Cloudflare, Neon, and Resend, all US-based), Adryse ensures such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission or another lawful transfer mechanism recognized under GDPR. Supplementary technical safeguards (encryption, hashing, data minimization) are applied to all cross-border data flows. Stripe Payments Europe Ltd processes data within the EU and is not subject to international transfer rules.

9. Security measures

Adryse implements security measures including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest;
  • SHA-256 hashing of IP addresses and user agents before storage;
  • Strict access controls based on the principle of least privilege;
  • Audit logging of all administrative and system access;
  • Regular security reviews and dependency scanning;
  • Defined incident response and breach notification procedures.

10. Data subject rights

Adryse will assist the Brand in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection) within reasonable timeframes and at reasonable cost.

11. Audits

On reasonable request, no more than once per year (except in case of a documented incident), Adryse will provide the Brand with information and documentation reasonably necessary to demonstrate compliance with this DPA. On-site audits may be requested at the Brand's expense and subject to mutually agreed scheduling.

12. Breach notification

Adryse will notify the Brand without undue delay (and in any case within 72 hours of becoming aware) of any personal data breach affecting the Brand's personal data, including the nature of the breach, categories and approximate number of data subjects affected, and likely consequences and mitigating measures.

13. Termination and data deletion

Upon termination of the underlying services, Adryse will, at the Brand's written choice, delete or return all personal data processed on the Brand's behalf and delete existing copies within 30 days of termination, unless retention is required by Swedish or EU law (in which case the relevant retention periods apply and access to that data is restricted in the meantime). Adryse will provide written confirmation of deletion or return upon completion.

14. Liability under this DPA

The processor's aggregate liability under this DPA is governed by the limitation of liability clause in the Brand Terms of Service (Section 15) and forms part of the same liability cap. This DPA does not increase or decrease the overall liability of either party beyond what is set out in the Brand Terms of Service.

15. Governing law

This DPA is governed by Swedish law. Any disputes shall be resolved in Växjö tingsrätt as the court of first instance.

16. Contact

DPA-related questions? Email hello@adryse.com.

© 2026 adryse

Funds held by Stripe Payments Europe Ltd. Adryse is a marketplace operator and does not custody funds.