Last updated: 2026-04-15
Data Processing Addendum (DPA)
This addendum applies to engagements where Bitloom processes personal data on behalf of a client — typically the rental tier, or a managed Custom Build. The DPA forms part of the Master Services Agreement and is signed alongside the SOW.
Roles
Client is the controller of learner data. Bitloom is the processor. Client decides purpose; we follow documented instructions.
Sub-processors
Current sub-processors (as of 2026-04-28):
- Cloudflare (EU) — CDN, edge compute, DNS
- AWS (eu-central-1, eu-west-1) — primary hosting and database
- Stripe Payments Europe Ltd. (Ireland) — payment processing where enabled
- Veriff OÜ (Estonia) — identity verification where enabled
- Postmark / SES — transactional email
We notify clients in writing 30 days before adding a new sub-processor; you may object, and we will propose alternatives or exit terms.
Security measures
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control with audit logs
- Quarterly access review
- Incident response plan with 72-hour breach notification commitment
- Regular backups, tested restore procedure, EU-only backup storage
Data subject requests
If a learner contacts us directly, we forward the request to the controller within 5 working days. If the controller asks us to act on a request, we do so without undue delay.
Termination
On termination of services, we return or delete all client personal data within 30 days, on written instruction. Backup retention follows agreed schedules and is documented in the SOW.
Sign and request
A counter-signable PDF version is available on request — write to privacy@bitloom.pro.
Note: this DPA template references a draft sub-processor list and security baseline. The counter-signable version sent on request reflects the current production configuration.