Data Processing Agreement

Effective date: March 17, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Counselr, Inc. ("Processor", "we", "us") and the customer ("Controller", "you") who has accepted the Counselr Terms of Service. This DPA sets out the terms under which Counselr processes personal data on behalf of the Controller in connection with the Counselr platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope & Purpose of Processing

Counselr processes Personal Data solely for the purpose of providing the services described in the Terms of Service, which include:

  • Hosting and serving websites created by the Controller
  • Managing user accounts, authentication, and authorization
  • Processing payment transactions via our payment processor (Stripe)
  • Providing AI-powered website generation and editing capabilities
  • Delivering customer support and platform communications
  • Generating anonymized, aggregated analytics about platform usage

Categories of Personal Data: name, email address, IP address, payment information (processed by Stripe), website content, usage data, and device information.

Categories of Data Subjects: Controller's end users, Controller's employees and contractors, and visitors to Controller's hosted websites.

3. Obligations of the Processor

Counselr shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 4.
  • Assist the Controller in fulfilling obligations to respond to Data Subject requests.
  • Not engage any Subprocessor without prior written authorization from the Controller (see Section 5).
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 8).

4. Security Measures

Counselr implements and maintains the following technical and organizational measures to protect Personal Data:

Encryption

All data is encrypted in transit using TLS 1.3 (via Cloudflare). Databases and backups are encrypted at rest using AES-256. Secrets and API keys are managed via encrypted vault systems.

Access Control

Role-based access control (RBAC) limits employee access to Personal Data on a need-to-know basis. Multi-factor authentication is required for all internal systems. Administrative access is logged and audited.

Infrastructure Security

Network isolation via Kubernetes network policies, automated vulnerability scanning, DDoS protection via Cloudflare, regular penetration testing, and automated backups with geographic redundancy.

Incident Response

Documented incident response procedures, 24/7 monitoring and alerting, and regular incident response drills. All security incidents are documented and reviewed post-mortem.

5. Subprocessors

The Controller authorizes Counselr to engage the following Subprocessors. Counselr will notify the Controller at least 30 days before adding or replacing a Subprocessor:

  Subprocessor | Purpose                        | Location
  DigitalOcean | Cloud infrastructure & hosting | United States
  Cloudflare   | CDN, DNS, DDoS protection      | Global (edge)
  Stripe       | Payment processing             | United States
  Anthropic    | AI content generation          | United States

The Controller may object to a new Subprocessor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected services.

6. Data Subject Rights

Counselr will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure / right to be forgotten (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

Counselr will notify the Controller without undue delay if it receives a request directly from a Data Subject and will not respond to such requests without the Controller's instruction, unless required by law.

7. Data Breach Notification

In the event of a Data Breach, Counselr shall:

  • Notify the Controller within 72 hours of becoming aware of the breach, providing the nature of the breach, categories and approximate number of records affected, and the likely consequences.
  • Provide the name and contact details of the point of contact for further information.
  • Describe the measures taken or proposed to address the breach and mitigate its effects.
  • Cooperate with the Controller and provide all information necessary for the Controller to fulfill its notification obligations to supervisory authorities and Data Subjects.

8. Audit Rights

Counselr shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless required by a supervisory authority or following a Data Breach. The Controller shall bear the costs of the audit unless the audit reveals material non-compliance by Counselr.

9. International Data Transfers

Counselr processes data primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, Counselr relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional technical and organizational measures as described in Section 4. Copies of the executed SCCs are available upon request.

10. Data Return & Deletion

Upon termination of the agreement or at the Controller's request:

  • Counselr will return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV) within 30 days.
  • After the data has been returned or upon the Controller's written instruction, Counselr will delete all copies of Personal Data within 30 days, except where retention is required by applicable law.
  • Counselr will provide written confirmation of deletion upon request.
  • Backup systems may retain encrypted copies for up to 90 days due to technical retention cycles, after which they are automatically purged.

11. Term & Termination

This DPA shall remain in effect for the duration of the Controller's use of Counselr services. The obligations under this DPA survive termination with respect to any Personal Data that Counselr continues to process. Either party may terminate this DPA in the event of a material breach by the other party that remains uncured for 30 days after written notice.

12. Contact

For questions about this DPA or to exercise data protection rights, contact our Data Protection Officer at dpo@counselr.xyz.