Trust & legal

Data Processing Addendum

This Data Processing Addendum ("DPA") is intended to supplement Consentfolio's Terms of Service and to reflect the requirements of Article 28(3) GDPR for processing carried out by Consentfolio on behalf of its customers. In this DPA, "Consentfolio" means Tudor N. Rusmanica, a sole trader established in the United Kingdom, trading as Consentfolio, and "customer" has the meaning given in the Terms of Service.

1. Roles

For the purposes of applicable data protection law, the customer is the controller of personal data collected from its own website visitors via the Consentfolio banner, and Consentfolio is the processor, acting only on the customer's documented instructions as set out in this DPA and the Consentfolio documentation.

2. Subject matter, duration, nature, and purpose of processing

  • Subject matter: the processing of website-visitor consent records by Consentfolio's hosted banner and consent-receipt infrastructure on the customer's behalf.
  • Duration: for as long as the customer's Consentfolio subscription (or, for canceled accounts, the applicable retention window) remains active — see retention.md.
  • Nature of processing: collection, storage, and provision (export/lookup) of consent choices made by the customer's website visitors.
  • Purpose: to enable the customer to obtain, record, and demonstrate valid cookie/tracking consent from its website visitors, including for Google Consent Mode v2 integration.

3. Categories of data subjects and personal data

Data subjects: visitors to the customer's website who are shown the consent banner.

Categories of data: consent records are deliberately minimized. They consist of: the consent choices made per category (current and prior state), the published configuration version the choices relate to, a client-generated visitor UUID, a client-generated event UUID, the origin host the request came from, and timestamps. Consent records do not include IP address, user-agent, or page URL. Full detail is at retention.md.

4. Sub-processors

Consentfolio's current sub-processors, their purpose, and their location are listed at subprocessors.md. That page is the authoritative, current list; the customer should be notified of material changes to it in line with the process described in the Terms of Service.

5. Security measures

We apply technical and organisational measures appropriate to the limited, minimised data we process, including encryption of data in transit (TLS), encrypted storage, access controls on production systems following the principle of least privilege, and routine monitoring of the systems that serve the banner and receive consent receipts. We do not claim any formal certification.

6. Assistance with data subject requests

Because the visitor's own consent ID and date are shown to them directly in the banner's preferences modal, visitors can self-serve much of a data subject access request by quoting that ID. Consentfolio additionally provides the customer, as controller, with a per-project CSV export and a visitor-UUID lookup tool so the customer can locate and respond to a specific data subject's request without needing to contact Consentfolio directly for routine cases.

7. Breach notification

Consentfolio will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's consent records, and will provide the information reasonably available to it to help the customer meet its own notification obligations.

8. Deletion and return on termination

On termination of the customer's subscription, consent records are not deleted immediately. Canceled projects remain accessible read-only (receipts, CSV export, visitor-UUID lookup) for the same retention window described in retention.md — the life of each consent plus 1 year after expiry or supersession (about two years in total) — after which they are permanently deleted by the automated monthly purge. The customer may export its data via CSV at any point before final deletion.

9. Audit

Consentfolio will make available information reasonably necessary to demonstrate compliance with this DPA, for example by responding to a reasonable security questionnaire. Given the minimised nature of the data, on-site audits are not offered.

10. International transfers

Consent records are hosted on DigitalOcean's London (LON1) data center, providing UK data residency for that data. Cloudflare provides network-edge services (DNS/CDN/TLS/DDoS protection) which may involve routing traffic through Cloudflare's global edge network. Where a sub-processor processes data outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

Questions? consentfolio.com · This page is documentation, not legal advice.