Data Processing Agreement (DPA)

Last updated: 14.05.2026

⚠️ Important: This document is an automatically generated draft. Before the real launch it must be reviewed by a practicing lawyer specializing in e-commerce and GDPR. Do not rely on it for legal decisions without professional legal review.

1. Parties and roles

This Data Processing Agreement ("DPA") governs personal data processing between UGCBG.eu (the "Platform") and a registered advertiser (the "Brand"). For data exchanged within individual campaigns (creator profiles, correspondence, deliverables, statistics), the parties act as joint controllers under Art. 26 GDPR for the data both parties process for their own purposes. For data the Platform processes solely on the Brand's instructions (e.g. custom audience targeting), the Platform acts as a processor.

2. Categories of data subjects and data

  • Creators/influencers — name, profile, niches, portfolio, rate, statistics.
  • Brand representatives — name, email, role.
  • Campaign correspondence and metadata.

3. Processing purposes

  • Delivery of a specific campaign.
  • Issuance of accounting documents.
  • Disputes and mediation.
  • Service improvement (anonymised metrics only).

4. Obligations of the parties

The Platform:

  • Processes data only for the stated purposes.
  • Applies technical and organisational measures (TLS, at-rest encryption for sensitive data, access control, logging).
  • Notifies the Brand within 72 hours of a security incident affecting campaign data.
  • Assists the Brand with data subject requests, DPIA and communication with supervisory authorities.
  • Deletes or returns data upon termination, except where legal retention applies.

The Brand:

  • Has a legal basis for processing the data received from the Platform.
  • Does not forward data to third parties beyond the approved list without a separate basis.
  • Maintains its own privacy notice to its data subjects.
  • Replies to data subject requests relating to its own processing.

5. Sub-processors

The Platform uses the following sub-processors:

  • Stripe Inc. — payments (SCC).
  • Hetzner Online GmbH — hosting (EU).
  • SMTP provider — email sending.
  • Google LLC — anonymised analytics (SCC, only after consent).

Changes to the list are announced with 30 days' notice. The Brand may object; if no alternative is found, the contract may be terminated.

6. International transfers

For transfers outside the EEA, the European Commission's Standard Contractual Clauses (SCC) and additional measures apply (pseudonymisation, encryption).

7. Retention

See the Privacy Policy, § 6.

8. Audit

The Brand has the right to audit compliance with this DPA once a year with 30 days' notice. The audit is conducted with reasonable measures that do not compromise the confidentiality of other clients.

9. Liability

Each party is liable for its own breaches. Recourse claims are governed by Art. 82 GDPR.

10. Contact

Platform DPO: dpo@ugcbg.eu