Data Processing Agreement
Data Processing Agreement for enterprise and GDPR compliance — processing scope, security, and data subject rights.
Data Processing Agreement (DPA)
Effective Date: March 2026
Parties
This DPA is between:
- Burning Ash Protocol, operated by TripleVision LLC ("Processor", "we", "us")
- Customer ("Controller", "you", "customer")
Purpose
This DPA supplements the Terms of Service for GDPR compliance when Customer uses BAP to process personal data of EU residents.
Scope of Processing
Data Categories
| Category | Examples | Purpose |
|---|---|---|
| Personal Identifiers | Name, email, phone | Account management |
| Will Documents | Uploaded files | Digital will transfer |
| Contact Information | Survivor details | Notification delivery |
| Authentication | Password hashes, OTP | Identity verification |
| Technical Data | IP logs | Security, troubleshooting |
Processing Activities
- Secure storage
- Encryption/decryption
- Authentication
- Notification delivery
- Access management
Security Measures
Technical Measures
| Measure | Implementation |
|---|---|
| Encryption | AES-256-GCM for all data |
| Key Management | Envelope encryption, Shamir's Secret Sharing (SSS) |
| Access Control | Role-based, least privilege |
| Network Security | TLS 1.3, firewall |
| Monitoring | Logging, alerting |
Encryption Details
Encryption Architecture

Storage Layer:
- All files encrypted with AES-256-GCM
- Unique nonce per file
- Opaque storage (providers can't read)

Key Layer:
- DEK (Data Encryption Key) per will
- Master Key encrypts DEKs
- SSS splits DEK for survivors

Zero-Knowledge:
- Server never sees plaintext documents
- We cannot decrypt user documents
No Plaintext Storage
- All data encrypted at rest
- Passwords hashed (Argon2id)
- OTP codes hashed
- Backup codes hashed
Sub-Processors
Current Sub-Processors
| Sub-Processor | Service | Data Location |
|---|---|---|
| AWS | Hosting, S3 Storage | US/EU |
| Google Cloud | OAuth | US/EU |
| Dropbox | Storage | US/EU |
| Twilio | SMS | US |
| Meta | | US |
Notification
We will notify you of any new sub-processors.
Objection
You may object to new sub-processors by contacting support.
Data Subject Rights
We help you fulfill these rights:
| Right | Implementation |
|---|---|
| Access | Export via API or support |
| Rectification | Update via dashboard |
| Erasure | Delete via dashboard or support |
| Restriction | Contact support |
| Portability | Export in standard format |
| Objection | Contact support |
Response Time
We will respond to requests within 30 days.
Data Breaches
Notification
If a breach occurs affecting personal data:
- We assess within 24 hours
- Notify you within 72 hours
- Provide details:
  - Nature of breach
  - Categories affected
  - Likely consequences
  - Measures taken
Documentation
We maintain records of all breaches.
Data Transfers
Mechanisms
Data transfers outside the EU use:
- Standard Contractual Clauses (SCC)
- Adequacy decisions
- Supplementary measures
US Transfers
Data transferred to the US uses:
- SCCs
- Additional security measures
Audits
Right to Audit
You may audit our compliance:
- Request audit in writing
- 30 days' notice
- At your expense
- Conducted during business hours
- Limited to once per year
Certifications
We maintain:
- SOC 2 (planned)
- GDPR compliance documentation
Records
We maintain records of processing activities as required by GDPR Article 30.
Termination
This DPA ends when the Terms of Service ends.
Upon termination:
- Data deleted within 30 days
- Deletion confirmation provided
Liability
Processor Liability
Our liability under this DPA is subject to the limitations in the Terms of Service.
Indemnification
We will indemnify against third-party GDPR claims with reasonable defense.
Contact
Data Protection: dpo@baprotocol.com
General: support@baprotocol.com
Amendments
We may amend this DPA. Notice will be given via email.
This DPA is part of your agreement with Burning Ash Protocol.