Data Processing Addendum
Effective: June 2026 · Version 1.1
This Data Processing Addendum ("DPA") forms part of the agreement between Diip Solutions OÜ, operator of the ProcuLink service (the "Processor"), and the customer organisation (the "Controller") for the processing of personal data under the EU General Data Protection Regulation 2016/679 ("GDPR").
1. Definitions
Capitalised terms used but not defined here have the meaning given in the GDPR. "Service" means the ProcuLink procurement automation platform as described in the Terms of Service.
2. Roles and scope
The Controller determines the purposes and means of processing personal data submitted to the Service. ProcuLink processes personal data on the Controller's documented instructions as set out in this DPA and the Terms of Service.
3. Processor obligations (GDPR Art. 28)
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process personal data are under a duty of confidentiality.
- Implement the technical and organisational measures described in Annex II.
- Use sub-processors only as listed in Annex III and provide 30 days' prior written notice of additions or replacements.
- Assist the Controller in responding to data-subject rights requests under GDPR Chapter III.
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of it, of any personal data breach affecting the Controller's data, so that the Controller can meet its own notification deadline under GDPR Art. 33.
- On termination, delete or return all Controller personal data within the retention windows in the Privacy Policy.
- Make available the information necessary to demonstrate compliance with the obligations in GDPR Art. 28, as required by Art. 28(3)(h).
4. International transfers
All Controller personal data is processed in EU-region infrastructure, or in infrastructure of the sub-processors listed on the Subprocessors page. Where any sub-processor processes data outside the EEA, the transfer is governed by the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914.
5. Audits
On reasonable written request and no more than once per calendar year, ProcuLink will provide the Controller with a summary of its security and compliance controls. Onsite audits are not provided as standard; mutual non-disclosure terms apply to any audit information shared.
Annex I — Parties and processing details
Controller
The customer organisation that accepts the Terms of Service.
Processor
Diip Solutions OÜ, registry code 17527757, Uus-Sadama tn 15-2, 10120 Tallinn, Estonia · Contact: legal@proculink.eu
Categories of data subjects
Employees and authorised users of the Controller; suppliers identified in purchase orders submitted by the Controller.
Categories of personal data
Account data (name, work email, organisation), purchase-order content (which may include contact names and emails for the Controller's suppliers), authentication tokens, and usage data.
Purpose and duration
Processing is for the provision of the Service and runs for the term of the agreement plus the retention windows described in the Privacy Policy.
Annex II — Technical and organisational measures
- Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
- Encryption at rest: AES-256-GCM authenticated encryption for delivery credentials and IMAP passwords. Cloudflare R2 server-side encryption for stored order files.
- Access control: Clerk-issued JWT authentication, organisation-scoped session isolation, every database query bound to the authenticated organisation id.
- Logging and monitoring: Sentry error monitoring (EU region) configured so that PII is not included in error events; structured backend logging; audit trail for status transitions, delivery attempts, and mapping changes.
- Backups: Daily automated PostgreSQL backups with point-in-time recovery.
- Personnel: All personnel with access to production data are under written confidentiality obligations.
- Incident response: Documented breach-notification process; target 72-hour Controller notification on confirmed personal-data breach.
- Sub-processor management: 30 days' prior written notice for additions or replacements (see Annex III).
Annex III — Authorised sub-processors
The current list of authorised sub-processors is maintained at /subprocessors. The Controller may subscribe to change notifications by emailing privacy@proculink.eu with the subject line "Subprocessor notifications".