Data Processing Agreement (DPA)
This document is provided for customers who need a processor/controller framework (including GDPR Article 28-style terms). Subprocessors are listed in our Subprocessor List.
1. Scope
This agreement governs the processing of personal data by Prima (Processor) on behalf of the Customer (Controller).
2. Technical and Organizational Measures
Access Control: Access to production environments (Vercel, InstantDB, Clerk) is restricted to authorized personnel and protected by Multi-Factor Authentication (MFA) at the vendor console level.
Encryption: Data is encrypted in transit via TLS (supporting 1.3) and at rest using industry-standard encryption (AES-256 or equivalent) managed by infrastructure providers.
Resiliency: Automated system snapshots are maintained on a 30-day rolling basis for disaster recovery.
3. Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a personal data breach.