Data Processing Agreement (template)

April 2026 — for B2B customers who need a signed DPA

This page provides a non-binding outline of topics typically covered in a Data Processing Agreement between your organisation (the “Controller”) and the operator of Shotdrive (the “Processor”). Replace with executed PDFs or DocuSign flows as required by procurement.

Subject matter

Processing of personal data to provide file transfer, storage on Cloudflare R2, metadata in D1, and related logs.

Duration

Aligned with your subscription or project term and deletion procedures after offboarding.

Nature and purpose

Hosting, delivery, security monitoring, abuse prevention, and support — as described in the Privacy policy.

Sub-processors

Cloudflare and, where applicable, identity and observability vendors. Maintain a current list and notification process for changes per GDPR Article 28.

Technical and organisational measures

Reference encryption in transit, access control, separation of environments, and incident response. Map to your actual controls.

International transfers

If data leaves the EEA, document appropriate safeguards (e.g. SCCs, UK IDTA) with Cloudflare and other vendors.

This is not a signed agreement. Legal and procurement should attach the official DPA version your company uses.