Data Processing Agreement

When you use ShareMyPage to process personal data, you are the controller and ShareMyPage is the processor. This page summarizes the terms under which we process that data on your behalf under Article 28 of the GDPR. A countersigned DPA is available on request for customers with an enterprise agreement. Last updated: June 2026.

1. Roles

You (the customer) determine the purposes and means of processing and are the controller. ShareMyPage processes personal data only on your documented instructions as the processor.

2. Subject matter and duration

We process personal data for as long as your workspace is active and for the limited period afterwards described in our retention policy. Processing covers the hosting, sharing, and access control of the content you upload and the accounts of your members.

3. Nature and purpose

Storing and serving access-controlled HTML pages, authenticating members, recording an audit trail, and providing support — solely to deliver the service.

4. Types of data and data subjects

Account data (name, email, workspace membership) of your members and invited viewers, plus any personal data contained in the content you choose to upload. You are responsible for the lawful basis of content you upload.

5. Subprocessors

You authorize us to engage the subprocessors listed on our Subprocessors page, each bound by data-protection terms no less protective than this agreement. We will give notice of material changes so you may object.

6. Security measures

We maintain technical and organizational measures appropriate to the risk, including tenant isolation, sandboxed serving of untrusted content, encryption in transit and at rest, hashed secrets, least-privilege access tokens, rate limiting, and audit logging. Customer-managed encryption keys (BYOK) are available on enterprise plans.

7. International transfers

Where personal data is transferred outside the EEA, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses.

8. Assistance, breach notification, and audits

We assist you, taking into account the nature of processing, with data subject requests and with your obligations under Articles 32–36. We notify you without undue delay after becoming aware of a personal data breach, and we make available the information needed to demonstrate compliance, including reasonable audit support.

9. Return and deletion

On termination, we delete or return personal data within 30 days, except where retention is required by law.

This page is a plain-language summary, not the executed contract, and is a working draft pending legal review. To execute a binding, countersigned DPA for an enterprise agreement, contact sales@sharemypage.app.