Data Processing Agreement (DPA)
Effective 2026-05-24. Version 1.0. Signed with enterprise customers in addition to the Terms of Service.
1. Parties
Controller: Customer (the company using Libermall ID for its end users).
Processor: Libermall (operator of Libermall ID).
2. Scope of processing
- User identifiers (Telegram ID, TON wallet, email)
- Profile data (name, avatar, language)
- Sessions and audit log
- OAuth consents
3. Purpose of processing
Providing the single sign-on service according to the Terms of Service and Controller instructions.
4. Categories of data subjects
End users of the Controller who use Libermall ID to sign in to the Controller's services.
5. Sub-processors
Libermall uses the following sub-processors:
- Fornex — VPS hosting (Frankfurt, DE)
- Cloudflare — DNS, CDN, DDoS protection
- Let's Encrypt — SSL certificates
- GitHub — source code hosting (no user data)
The Controller is notified 30 days in advance when new sub-processors are added.
6. Security measures
- Encryption at rest (PostgreSQL data + backups)
- Encryption in transit (TLS 1.3)
- Access control (RBAC, 2FA for admins)
- Daily backups with encryption
- Audit log with 12-month retention
- Incident response plan
7. Data transfers
All data is stored in the EU (Frankfurt, DE). No transfers outside the EU.
8. Data subject rights
Upon Controller request, within 30 days Libermall:
- Exports subject data (GDPR Article 15)
- Corrects inaccurate data (Article 16)
- Deletes data (Article 17)
- Transmits data in a machine-readable format (Article 20)
9. Data breaches
In case of a data breach Libermall notifies the Controller within 24 hours and provides:
- Description of the breach
- Categories and number of affected subjects
- Measures taken and planned
- DPO contact for follow-up requests
10. Audit
Enterprise customers have the right to an annual data-processing audit, scheduled in advance. Alternative: independent audit reports (SOC 2 Type 1 — Q4 2026, ISO 27001 — 2027).
11. Termination
On termination Libermall either deletes or returns the data to the Controller within 30 days, at the Controller's choice.
12. Contact
DPO Libermall: dpo@libermall.com
To sign a DPA: legal@libermall.com