Data Processing Agreement
This Data Processing Agreement (DPA) reflects the GDPR Article 28 requirements for processing personal data through Launch.now.
Last updated: June 15, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Launch.now ("Processor") and the customer ("Controller") using the Platform. It governs the processing of personal data by the Processor on behalf of the Controller in compliance with the GDPR and applicable data protection laws.
2. Definitions
Personal Data, Processing, Controller, Processor, Data Subject, and Supervisory Authority have the meanings defined in the GDPR. Controller Personal Data means any personal data processed by the Processor on behalf of the Controller through the Platform.
3. Processor Obligations
The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational measures; (d) assist the Controller in fulfilling data subject rights; (e) notify the Controller of personal data breaches without undue delay; (f) delete or return all personal data at end of services.
4. Data Subjects and Categories
The Processor processes personal data of the Controller's end users, customers, and team members. Categories include: identity data (name, email), professional data (company, role), usage data (platform interactions), and billing data (payment information processed by Stripe).
5. Sub-processors
The Controller authorizes engagement of sub-processors including: Convex (backend database and real-time infrastructure), Stripe (payment processing), Vercel (hosting and deployment). The Processor will provide 30 days' notice before adding or replacing sub-processors via email or the Platform.
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests under GDPR Articles 15-22. If a data subject makes a request directly to the Processor, it will be forwarded to the Controller within 10 business days. The Processor will provide tools and access to enable the Controller to fulfill these requests.
7. Security Measures
The Processor maintains technical and organizational measures including: encryption at rest (AES-256) and in transit (TLS 1.3); regular security audits and penetration testing; access controls based on least privilege principle; employee security training; incident response procedures; and regular backups with tested restoration processes.
8. Data Breach Notification
The Processor shall notify the Controller of any data breach affecting Controller Personal Data within 48 hours of becoming aware. Notification shall include: nature of the breach, categories and approximate number of data subjects and records affected, contact information for further information, and recommended mitigation measures.
9. Data Deletion
Upon termination of services, the Processor shall delete all Controller Personal Data within 90 days, unless storage is required by applicable law. The Controller may request earlier deletion. Upon request, the Processor will provide certification of deletion.
10. Audit Rights
The Controller may request an audit of the Processor's data processing activities once per year, subject to reasonable notice and confidentiality obligations. The audit shall be conducted at the Controller's expense and must not disrupt the Processor's operations.
11. International Transfers
Personal data may be transferred to countries outside the EEA, including the United States. The Processor ensures adequate safeguards through Standard Contractual Clauses (SCCs) adopted by the European Commission. Copies of SCCs are available upon request.
12. Liability
Each party's liability under this DPA shall be subject to the limitations set out in the Terms of Service. The Processor's liability to the Controller for all claims arising from this DPA shall be limited to the fees paid by the Controller in the 12 months preceding the claim.
13. Governing Law
This DPA shall be governed by the laws of France. Any disputes shall be resolved in the courts of Paris, France. This DPA supersedes any conflicting provisions in the Terms of Service regarding data processing.