This DPA forms part of your subscription agreement with Cobalz LLC (a Wyoming limited-liability company, registered office: 1309 Coffeen Ave, Sheridan, WY 82801, United States) and applies when we process personal data on your behalf in the meaning of the GDPR (EU/UK) and CCPA/CPRA.
Roles
You are the controller; we are the processor. For platform-side data (your account, billing, audit log) we are an independent controller.
Subprocessors
See our privacy policy for the current list. Material subprocessor changes get 30 days notice.
Security measures
- Encryption at rest (Supabase Postgres) and in transit (TLS 1.2+)
- Row-level security on every multi-tenant table
- Per-merchant Vault for third-party secrets (Mercury, plugin HMAC, TIN)
- Append-only audit log
- Standard Webhooks v1 outbound signing
International transfers
We rely on the EU Standard Contractual Clauses + UK IDTA. Our primary processing region is US-East (Supabase + Vercel).
Data subject requests
We assist you in handling DSRs through the in-product flow at Settings → Privacy.
Sign / countersign
For Enterprise contracts we counter-sign on a per-customer basis. Email team@cobalz.com.