OTPBase

Data Processing Addendum (DPA)

Last updated: {{ date('Y-m-d') }}

⚖️ Notice: This DPA is drafted by the operator as a plain-English statement (LR). For use in regulated jurisdictions (notably the EU/UK under GDPR Art. 28 and the EU Standard Contractual Clauses (2021)) it should be reviewed and, where appropriate, replaced by counsel-drafted equivalents. The clauses below are intended to be self-contained but are not a substitute for the EU SCC text.


1. Parties

This addendum is between OTPBase ("Processor") and you ("Controller"). It applies whenever you use OTPBase to process personal data of identifiable third parties (e.g. if you forward another person's verification codes through OTPBase, which we strongly discourage — see Terms § 4).

If you are using OTPBase only for your own verification codes — the standard use case — you are the Data Subject as well as the Controller, and this DPA does not add obligations beyond the Privacy Policy and Terms.

2. Subject matter & duration

OTPBase processes personal data on Controller's instructions for the sole purpose of operating the OTPBase relay service. Processing continues for as long as the account is active and ends when the account is deleted; the personal data itself is deleted within 30 days of account deletion (see § 9).

3. Nature of processing

| Category of personal data | Source | What we do with it |
|---|---|---|
| Email address (the account) | Controller | Authentication, billing, transactional email |
| Verification codes & message bodies | Inboxes / iOS Shortcut / TOTP apps connected by Controller | Decrypt-on-read, present in UI/API, physically delete within 1 hour |
| IMAP credentials (if connected) | Controller | Encrypted at rest with our master key, used only to poll the inbox |
| Bearer / API tokens | Controller (issued by us, copied by Controller) | Authenticate Controller's automated calls |

4. Sub-processors

A current list is in the Privacy Policy § 6: Resend, Cloudflare, Google reCAPTCHA Enterprise, PayPal/Stripe, Sentry. We notify Controller by email at least 14 days before adding a new sub-processor. Controller may object by emailing support@otpbase.com; if we cannot resolve the objection, Controller may terminate the account with a pro-rata refund of unused time.

5. International transfers

OTPBase's servers are operated in [Operator's region — fill in before launch]. Encrypted backups go to Cloudflare R2 (auto region — typically the geographically nearest CF datacentre). Sub-processors operate globally. Where personal data is transferred out of the EEA/UK to a country without a Commission adequacy decision, transfers are made under the EU Standard Contractual Clauses (2021/914) module 2 (Controller-to-Processor), incorporated by reference. (LR — recommend appending the actual signed SCC PDF as Annex II for EU enterprise customers.)

6. Security measures

The technical and organisational measures we apply are listed in the Privacy Policy § 7 (encryption at rest, encryption in transit, optional client-side E2EE) and in our public architecture document. The list is not exhaustive — we add measures over time and never remove them without notice.

7. Data subject requests

If a data subject contacts OTPBase directly with a request that should be answered by Controller (e.g. an access or deletion request from a third party whose code Controller forwarded), we will:

  1. forward the request to Controller within 5 business days,
  2. not respond directly to the data subject except to acknowledge receipt and re-direct them to Controller,
  3. assist Controller in responding to the extent reasonably necessary.

8. Audit

Controller may audit Processor's compliance with this DPA once per calendar year, on 30 days' notice, at Controller's expense. To minimise disruption Processor may satisfy the audit obligation by providing a recent independent third-party report (e.g. SOC 2 Type II) covering the relevant controls — we currently do not have such a report and will tell you so plainly. (LR)

9. Termination & deletion

On termination, OTPBase will delete personal data within 30 days, or return it to Controller in JSON form on Controller's request before that deadline. Backup copies are purged on the next 30-day rotation cycle.

10. Contact

For DPA matters: support@otpbase.com with subject line DPA: <your-account-email>.


Annex I — Description of processing: see § 2-3 above.

Annex II — TOMs (Technical & Organisational Measures): see Privacy Policy § 7 + public architecture document.

Annex III — List of sub-processors: see Privacy Policy § 6.