Data Processing Agreement

Standard template · Version 2026-05-09

This is a standard Data Processing Agreement template suitable for customers who require a written agreement under GDPR Art. 28 or equivalent. It is provided for convenience and is not legal advice; for high-value B2B contracts, both parties should have legal counsel review before execution.

This Data Processing Agreement ("DPA") forms part of the Pushoney Terms of Service and applies when Pushoney processes personal data on behalf of the Customer in the course of providing the Service.

1. Definitions

Terms used here have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Morocco Law 09-08. "Customer" is the account holder who has accepted the Pushoney Terms of Service. "Pushoney" is the operator of the Service.

2. Roles

The Customer is the data controller of personal data concerning the Customer's subscribers and end users. Pushoney is the data processor acting on the Customer's documented instructions.

3. Subject matter and duration

Pushoney processes personal data only for the purpose of providing the Service to the Customer, for as long as the Customer's account is active, or as required by applicable law. Categories and types of data are listed in Annex I.

4. Processor obligations

Pushoney shall:

process personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by Moroccan or EU law (in which case Pushoney shall inform the Customer of that legal requirement before processing, unless the law prohibits such information);
ensure that persons authorised to process personal data are bound by confidentiality obligations or under statutory duties of confidentiality;
implement appropriate technical and organisational measures as set out in Annex II;
respect the conditions for engaging sub-processors set out in Section 5;
assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection);
assist the Customer in ensuring compliance with security, breach notification, data-protection impact assessments, and prior consultation obligations;
at the choice of the Customer, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless retention is required by law;
make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

5. Sub-processors

The Customer authorises Pushoney to engage the sub-processors listed in Annex III. Pushoney shall inform the Customer in advance of any intended changes (addition or replacement) of sub-processors, giving the Customer at least thirty (30) days to object. Pushoney imposes the same data-protection obligations on each sub-processor as set out in this DPA, by way of a written contract.

6. Security incidents

Pushoney shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Customer's data. The notification shall include, to the extent then available: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

7. International transfers

Pushoney's infrastructure is hosted in Europe. Where personal data is transferred from the European Economic Area to Morocco or other jurisdictions outside the EEA, the parties rely on appropriate safeguards including the European Commission's adequacy decision for Morocco (where applicable) or Standard Contractual Clauses (Module Two: Controller-to- Processor). The Customer is deemed to enter into and instruct Pushoney to enter into such Standard Contractual Clauses on its behalf.

8. Liability

The liability provisions of the Pushoney Terms of Service apply to this DPA. Where a data subject suffers material or non-material damage as a result of an infringement of the GDPR for which the parties are jointly liable, each party shall be responsible in proportion to its share of responsibility for the damage.

9. Term and termination

This DPA takes effect when the Customer accepts the Pushoney Terms of Service and continues for the duration of the Customer's account.

10. Order of precedence

In the event of any conflict between this DPA and the Pushoney Terms of Service, this DPA prevails on matters of data protection.

Annex I — Categories and types of data

Categories of data subjects

End users (subscribers) of the Customer's website who opt in to receive push notifications.

Categories of personal data

Browser push endpoint and public encryption keys
IP address and geolocation derived from IP (country, region, city)
User-agent string and derived attributes (browser, OS, device type)
UTM and source attribution parameters captured at subscribe time
Send / delivery / click / conversion events (with timestamps)

Special categories of data

None processed by Pushoney.

Frequency and duration of processing

Continuous, for the duration of the Customer's subscription to the Service. Subscriber data is retained until the subscriber unsubscribes or the Customer's hub is deleted. Send / Click / Conversion event data is retained for two (2) years from the event date.

Purpose of processing

Provision of the web push notification platform Service.

Annex II — Technical and organisational measures

Encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM for high-sensitivity secrets such as 2FA seeds; bcrypt for passwords and recovery codes)
Role-based access control with least-privilege defaults
Two-factor authentication available for all account holders
Audit logging of authentication, account-management, and campaign-management events with three (3) year retention
Active abuse-detection systems flagging unusual signup velocity, anomalous click rates, and geo-inconsistent subscriber behaviour
Regular dependency updates and security patching
Documented backup-and-restoration procedure operated via the Dokploy console (scheduled daily backups can be enabled per-customer requirement; restoration runbook maintained at docs/RUNBOOK.md)
Application of Standard Contractual Clauses for international transfers where required

Annex III — Authorised sub-processors

Sub-processor	Role	Location
Browser vendors (Google FCM, Mozilla, Apple, Microsoft)	Push delivery — required by the Web Push protocol	Various
Dokploy (hosting orchestrator)	Application hosting	Europe
Resend	Transactional email (verification, password reset, etc.)	United States — DPA + SCCs in place
MaxMind (GeoLite2 database)	IP-to-geolocation enrichment (offline database, no live API call per subscriber)	n/a (offline)
Cloudflare	CDN, DNS, Turnstile (bot protection on signup/login forms)	Global edge
Google (Analytics 4)	Aggregate usage analytics on the marketing surface (`portal.pushoney.com`). Loaded only after visitor consent via the cookie banner; no Personal Data of authenticated portal users is sent.	Global — DPA + SCCs in place

Updated lists of sub-processors are available on request at [email protected].

How to execute this DPA

For most customers, acceptance of Pushoney's Terms of Service at signup constitutes acceptance of this DPA as it stands. No countersignature is required.

If your organisation requires a counter-signed version (for example, to attach to your vendor records), email [email protected] with the legal name and address of your entity. We will send a PDF for both parties to sign within five (5) business days.

← Back to Pushoney