Skip to main content

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Amianto.info ("Processor") and any registered customer ("Controller") who provides personal data through the platform. It complies with Article 28 of the European General Data Protection Regulation (GDPR).

1. Subject and Duration

This DPA governs the processing of personal data carried out by Amianto.info on behalf of the Controller in the context of the subscription services offered through amianto.info.

It applies for the entire duration of the subscription contract and continues to apply, where relevant, after termination for the time required to delete or return the personal data.

2. Nature and Purpose of Processing

Amianto.info processes personal data on behalf of the Controller solely for the purposes of:

  • Hosting and displaying the Controller's company profile within the directory.
  • Managing the Controller's subscription, billing, and account settings.
  • Forwarding contact requests from end users to the Controller.
  • Providing customer support and technical assistance.
  • Generating aggregated, anonymised analytics on directory usage.

3. Categories of Data Subjects and Data

The personal data processed under this DPA may include:

  • Identification data of the Controller's authorised users (name, work email, phone, role).
  • Business contact details and credentials of the Controller (company name, address, VAT, certifications).
  • Connection logs (IP address, browser, timestamps) for security and audit.
  • Optional content uploaded by the Controller (logo, photographs, project descriptions).

4. Obligations of the Processor

Amianto.info undertakes to:

  • Process personal data only on documented instructions from the Controller, including with regard to international transfers.
  • Ensure that persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures pursuant to Article 32 GDPR.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection).
  • Notify the Controller without undue delay after becoming aware of a personal data breach.
  • Make available all information necessary to demonstrate compliance with this DPA.
  • Delete or return all personal data after the end of the services, unless retention is required by law.

5. Sub-processors

The Controller authorises Amianto.info to engage the following sub-processors:

  • Supabase (Singapore) — database, authentication and storage hosted on AWS infrastructure.
  • Stripe (Ireland / United States) — payment processing and subscription billing.
  • Vercel (United States, EU edge) — application hosting and content delivery.
  • Geoapify (Germany) — geocoding and map tile services.
  • Resend (United States) — transactional email delivery.

Amianto.info will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable grounds.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area, Amianto.info ensures that the transfer is covered by an adequacy decision from the European Commission or by Standard Contractual Clauses approved under Implementing Decision (EU) 2021/914, supplemented when necessary by additional safeguards.

7. Security Measures

Amianto.info implements technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest.
  • Strong password hashing (bcrypt/argon2) for authentication.
  • Role-based access control and least-privilege principles.
  • Regular backups and disaster recovery procedures.
  • Logging and monitoring of access to production systems.
  • Security reviews of code and dependencies before deployment.

8. Data Breach Notification

In the event of a personal data breach affecting data processed on behalf of the Controller, Amianto.info will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will describe the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed.

9. Audit Rights

The Controller is entitled to audit Amianto.info's compliance with this DPA once per year, with reasonable advance notice and during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations. Such audits may be conducted by an independent third party bound by confidentiality.

10. Liability and Indemnity

Each party is liable for damages caused by its non-compliance with the GDPR or this DPA in accordance with Article 82 GDPR. The Processor is only liable for damage caused by processing where it has not complied with obligations specifically directed to processors or has acted outside or contrary to lawful instructions from the Controller.

11. Contact

For any question relating to this Data Processing Agreement, please contact our Data Protection point of contact at:

contact@amianto.info