Data Processing Agreement
This Data Processing Agreement (DPA) outlines how Eternal Memorials processes personal data in compliance with GDPR and other data protection regulations.
This Data Processing Agreement (DPA) is entered into between you (the "Data Controller") and Eternal Memorials (the "Data Processor") pursuant to the Terms of Service. It governs the processing of personal data you provide to us as part of using our services. By using Eternal Memorials, you agree to this DPA.
1. Introduction
Eternal Memorials acts as a Data Processor when processing personal data on behalf of users (Data Controllers) who create memorials and provide information about deceased individuals and their families. This DPA sets out the obligations of both parties in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant regulations.
The purpose of this DPA is to ensure that personal data is processed lawfully, securely, and in a manner that respects the rights of data subjects. It supplements our Terms of Service and Privacy Policy.
2. Definitions
Data Controller
The natural or legal person who determines the purposes and means of processing personal data. This is typically the user who creates a memorial.
Data Processor
Eternal Memorials, which processes personal data on behalf of the Data Controller.
Personal Data
Any information relating to an identified or identifiable natural person, including names, photos, dates, biographical details, and email addresses.
Processing
Any operation performed on personal data, such as collection, storage, alteration, retrieval, disclosure, or deletion.
Data Subject
The individual whose personal data is processed, which may include the deceased, family members, and memorial visitors.
Sub‑processor
A third‑party service engaged by the Data Processor to assist in processing personal data.
3. Scope of Processing
Eternal Memorials processes personal data solely for the purposes of providing the memorial platform and related services. The types of personal data processed include:
- Memorial Content: Names, photos, videos, biographical information, dates of birth and death, and other tributes.
- User Account Information: Email addresses, usernames, passwords (hashed), and profile details.
- Visitor Interactions: Guestbook messages, virtual candle lighting, flower contributions, and other tributes.
- Technical Data: IP addresses, browser information, device identifiers, and usage analytics (anonymized where possible).
- Payment Information: Billing details processed by third‑party payment providers; Eternal Memorials does not store credit card numbers.
Processing activities are limited to storage, display, sharing (according to privacy settings), backup, and deletion as requested by the Data Controller. We do not use personal data for marketing purposes without explicit consent.
4. Data Subject Rights
Eternal Memorials assists Data Controllers in fulfilling data subject rights under applicable laws. Data subjects may exercise the following rights by contacting the Data Controller (the memorial creator) or, where appropriate, directly through our platform:
Right of Access
Data subjects can request a copy of their personal data held by the platform. Memorial creators can export memorial data from their dashboard.
Right to Rectification
Inaccurate personal data can be corrected by memorial administrators at any time.
Right to Erasure
Data subjects may request deletion of their personal data. Memorial creators can delete memorials or guestbook entries, and users can delete their accounts.
Right to Restriction
Processing can be restricted while accuracy or lawful basis is verified.
Right to Data Portability
Data subjects can receive their personal data in a structured, commonly used, machine‑readable format.
Right to Object
Data subjects may object to certain processing activities, such as analytics or marketing communications.
We will respond to verified data subject requests within 30 days, as required by law.
5. Technical & Organizational Measures
Eternal Memorials implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Encryption
All data in transit is encrypted using TLS/SSL. Sensitive data at rest is encrypted using AES‑256.
Access Controls
Strict role‑based access controls limit employee access to personal data. Multi‑factor authentication is required for administrative accounts.
Regular Audits
Security audits and vulnerability assessments are conducted quarterly.
Data Backup
Daily encrypted backups are stored in geographically separate locations.
Incident Response
A documented incident response plan ensures timely action in case of a data breach.
Privacy by Design
Privacy considerations are integrated into the development lifecycle of our platform.
We regularly review and update these measures to address evolving security threats.
6. Sub‑processors
Eternal Memorials engages the following sub‑processors to assist in providing the service. Each sub‑processor is bound by contractual obligations that provide the same level of data protection as this DPA.
| Service | Purpose | Location | Data Shared |
|---|---|---|---|
| Vercel | Hosting and global content delivery | United States, EU | Memorial content, user data |
| Stripe | Payment processing | United States | Billing details, transaction data |
| Amazon Web Services (AWS) | Cloud storage and database | United States, EU | Memorial content, backups |
| Google Analytics | Platform analytics (anonymized) | United States | Usage statistics, IP addresses (anonymized) |
| SendGrid | Transactional emails | United States | Email addresses, notification content |
| Cloudflare | DNS, CDN, and DDoS protection | Global | IP addresses, request logs |
This list may be updated as we engage new sub‑processors. We will notify Data Controllers of any material changes.
7. Data Breach Procedures
In the event of a personal data breach, Eternal Memorials will:
- Notify the affected Data Controller(s) without undue delay, and in any case within 72 hours of becoming aware of the breach.
- Provide a description of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.
- Cooperate with the Data Controller in fulfilling any breach notification obligations to supervisory authorities and data subjects.
- Take immediate steps to contain the breach, mitigate its effects, and prevent recurrence.
- Document all breaches, including facts, effects, and remedial actions.
Data Controllers are responsible for notifying relevant supervisory authorities and data subjects where required by law.
8. International Data Transfers
Eternal Memorials operates globally, and personal data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA) or the United Kingdom. We ensure such transfers are protected by appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Privacy Shield certification (where applicable) or equivalent frameworks.
- Binding Corporate Rules for intra‑group transfers.
- Derogations for specific situations (e.g., explicit consent).
By using Eternal Memorials, Data Controllers acknowledge that sub‑processors may process data in various jurisdictions, as listed in Section 6.
9. Duration & Termination
This DPA shall remain in effect for as long as Eternal Memorials processes personal data on behalf of the Data Controller. Upon termination of the Terms of Service or upon request, we will:
- Cease all processing of the Controller's personal data, except as required by law.
- At the Controller's option, delete or return all personal data in our possession, unless retention is necessary for legal compliance.
- Provide confirmation of deletion upon request.
Data deletion may take up to 30 days from the request, with backups retained for an additional period before being securely purged.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of law provisions. Any disputes arising under this DPA shall be subject to the jurisdiction of the courts specified in the Terms of Service.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
11. Contact Information
For questions about this Data Processing Agreement or to exercise your data protection rights, please contact:
Data Protection Officer
Eternal Memorials Ltd.
123 Memorial Lane, Suite 100
San Francisco, CA 94107
Email: dpo@eternalmemorials.com
Phone: +1 (555) 123‑4567
Important Note: This Data Processing Agreement is a template designed for demonstration purposes. It has not been reviewed by legal professionals and should not be relied upon as legal advice. Eternal Memorials recommends consulting with a qualified attorney to ensure compliance with applicable data protection laws.