Data Processing Agreement (DPA)
Last updated: July 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions and is entered into by and between Taproot Commerce LLC ("Processor", "we", "us"), operating as CompliWorx, and the customer entity that subscribes to the Service ("Customer", "Controller", "you"). This DPA reflects the parties' agreement with respect to the Processing of Personal Data.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
- Processing — any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- Sub-processor — a third party engaged by the Processor to assist in Processing Personal Data.
- Standard Contractual Clauses (SCCs) — the standard contractual clauses for the transfer of personal data to third countries, as approved by the European Commission.
2. Roles and scope
Customer is the Controller of Personal Data submitted to the Service. Taproot Commerce LLC is the Processor, acting on Customer's written instructions as set forth in the Terms & Conditions and this DPA.
The scope, duration, nature, and purpose of Processing, the types of Personal Data, and the categories of data subjects are as described in the Terms & Conditions and the Privacy Notice.
3. Customer instructions
The Processor shall Process Personal Data only on the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Customer warrants that its instructions comply with applicable data protection law.
4. Processor obligations
The Processor shall:
- Process Personal Data only on the Customer's documented instructions, including with regard to international transfers;
- Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational security measures, as described in Section 6;
- Assist the Customer in responding to data subject requests, where applicable;
- Assist the Customer in meeting its obligations under data protection law, including breach notification and data protection impact assessments;
- Delete or return Personal Data to the Customer upon termination of the Service, subject to applicable law.
5. Sub-processors
The Customer provides general written authorization for the Processor to engage sub-processors, subject to the Processor's obligations to:
- Enter into a written agreement with the sub-processor imposing the same data protection obligations as set out in this DPA;
- Remain liable to the Customer for the sub-processor's performance of its obligations.
Current sub-processors include:
- Supabase (database, authentication) — USA
- Cloudflare (content delivery, security) — USA
- Stripe (payment processing) — USA
- Twilio (SMS messaging) — USA
- Google (authentication, cloud infrastructure) — USA
The Processor shall provide the Customer with notice of intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.
6. Security measures
The Processor maintains the following technical and organizational measures:
- Encryption — data is encrypted in transit (TLS) and at rest
- Access controls — role-based access, unique credentials, least privilege
- Authentication — password hashing, multi-factor authentication support, session management
- Row-level security — database-level policies enforce data isolation between Customers
- Audit logging — significant actions are logged for security review
- Incident response — documented procedures for detecting, investigating, and reporting security incidents
- Regular reviews — security posture is reviewed periodically and improvements are applied
7. Data subject rights
The Processor shall assist the Customer, where technically and reasonably possible, in fulfilling Customer's obligations to respond to data subject requests regarding access, rectification, erasure, portability, restriction, and objection.
8. Personal data breach
The Processor shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Notification shall include:
- The nature of the breach and the approximate number of data subjects affected;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its effects.
The Processor shall take reasonable steps to investigate, contain, and remediate the breach, and shall provide the Customer with reasonable cooperation and information.
9. Data transfers
To the extent that Processing of Personal Data involves a transfer to a third country (outside the EEA, UK, or Switzerland), the parties agree to the Standard Contractual Clauses (SCCs) as approved by the European Commission, which are incorporated by reference.
10. Audit rights
The Processor shall make available to the Customer, upon reasonable notice and not more than once per year, information necessary to demonstrate compliance with this DPA. Audits may be conducted by the Customer or an independent auditor, subject to confidentiality obligations and reasonable scheduling.
11. Deletion or return of data
Upon termination of the Service, the Processor shall, at the Customer's choice, delete or return Personal Data to the Customer, and delete existing copies, unless applicable law requires storage of the Personal Data.
12. Contact
For any questions about this DPA or to exercise your rights, contact us at admin@compliworx.com.
See also our Privacy Notice and Terms & Conditions.