Data Processing Agreement (DPA)
Last updated: April 28, 2026
This Data Processing Agreement (“DPA”) is entered into between you (“Controller”, the ReleaseBell account holder) and Zeroject (trading as ReleaseBell), Herstedvang 8, 2620 Albertslund, Denmark(“Processor”, ReleaseBell), and forms part of the Terms of Service.
This DPA applies where and to the extent that ReleaseBell processes personal data on behalf of the Controller in connection with the ReleaseBell service, as required by GDPR Art. 28.
1. Definitions
- Controller: The ReleaseBell account holder (product owner) who determines the purposes and means of processing subscriber personal data.
- Processor: ReleaseBell, which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person, specifically subscriber email addresses and associated consent records.
- Data Subjects: End users who subscribe to the Controller's product changelog.
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Sub-processor: Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
2. Subject matter and nature of processing
The Processor will process Personal Data on behalf of the Controller for the following purposes:
- Storing subscriber email addresses and consent records in a secure database
- Sending double opt-in confirmation emails to subscribers
- Sending changelog notification emails when the Controller publishes a new entry
- Processing unsubscribe requests and deleting subscriber records accordingly
Categories of Personal Data: Email addresses, subscription timestamps, consent records (IP address, user agent, form version, confirmation timestamp).
Duration: For as long as the Controller maintains an active ReleaseBell account with at least one active product.
3. Processor obligations (GDPR Art. 28(3))
The Processor agrees to:
- Process only on documented instructions.Process Personal Data only on the Controller's documented instructions (as expressed through use of the ReleaseBell platform — e.g. publishing an entry, deleting a product). If the Processor is required by law to process data contrary to these instructions, it will inform the Controller unless prohibited by law.
- Confidentiality. Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Security (Art. 32). Implement appropriate technical and organisational measures to protect Personal Data, including encrypted connections (TLS 1.2+), access controls, token-based unsubscribe mechanisms, and double opt-in consent flows.
- Sub-processors. Not engage sub-processors without prior authorisation. Currently authorised sub-processors are listed in Section 5. The Processor will notify the Controller of any intended changes at least 30 days in advance, giving the Controller the opportunity to object.
- Data subject rights. Assist the Controller in responding to Data Subject requests by providing the technical means to access, export, and delete subscriber data via the ReleaseBell dashboard. For requests that require direct Processor action, the Processor will respond within 30 days.
- Assistance with GDPR obligations. Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, data breach notification, DPIAs) taking into account the nature of processing.
- Deletion or return of data.Upon termination of the service relationship or on the Controller's request, delete all Personal Data and existing copies within 30 days, unless retention is required by applicable law.
- Audit rights.Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28. The Controller may request a written compliance summary once per year at no charge; on-site audits require 30 days' notice and reasonable cost reimbursement.
4. Controller obligations
The Controller agrees to:
- Have a valid legal basis for collecting subscriber personal data (double opt-in consent is provided by the Processor's platform)
- Ensure their privacy policy accurately describes the use of subscriber email addresses
- Not instruct the Processor to process Personal Data in ways that violate applicable law
- Respond to Data Subject access and deletion requests within applicable timeframes
- Maintain appropriate records of processing activities (RoPA) for their own controller role
5. Sub-processors
The Controller hereby grants general authorisation for the Processor to engage the following sub-processors. Each has entered into a GDPR-compliant DPA with the Processor:
| Sub-processor | Location | Purpose | Transfer safeguard |
|---|
| Supabase Inc. | USA (EU region) | Database hosting, authentication | DPF + SCCs |
| Resend Inc. | USA | Email delivery | SCCs |
| Vercel Inc. | USA (EU Edge) | Application hosting | DPF + SCCs |
The Processor will impose the same data protection obligations on sub-processors as are set out in this DPA and remains fully liable to the Controller for sub-processor performance.
6. International transfers
Where Personal Data is transferred to sub-processors in the United States, the Processor relies on the EU–US Data Privacy Framework (DPF) adequacy decision and/or Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) as the legal transfer mechanism. Copies of applicable SCCs are available on request at privacy@releasebell.io.
7. Data breach notification
The Processor will notify the Controller of any confirmed personal data breach involving the Controller's subscriber data within 72 hours of becoming aware, providing sufficient information for the Controller to meet their own GDPR Art. 33 notification obligations to the relevant supervisory authority.
8. Governing law
This DPA is governed by the laws of Denmark. Where applicable, it incorporates the EU Standard Contractual Clauses (SCCs) for controller-to-processor transfers (Commission Decision 2021/914, Module 2), which prevail in case of conflict.
9. Contact
For DPA-related enquiries, data subject access requests, or to request a countersigned copy of this DPA:
Zeroject (trading as ReleaseBell)
Herstedvang 8, 2620 Albertslund, Denmark
privacy@releasebell.io
By using ReleaseBell and collecting subscriber email addresses, you (the Controller) accept this DPA as part of our Terms of Service. If you require a countersigned PDF copy of this DPA, contact us at privacy@releasebell.io.