Data Processing Agreement
This agreement is between eConsent LLC and the client with regard to access and use of econsent.org and related services. Contact us with questions.
Last Updated: April 6, 2026
Introduction
This Data Processing Agreement (“DPA”) outlines the terms and responsibilities related to the processing of personal data by eConsent LLC (“Processor” or “eConsent”) on behalf of the customer (“Controller”), in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
- Data Subject: An identified or identifiable natural person whose personal data is processed by the Processor on behalf of the Controller.
- Consent Data: Personal data processed through the eConsent platform in connection with the capture, certification, and verification of consumer consent, including but not limited to names, phone numbers, email addresses, IP addresses, device information, session recordings, MP4 video conversions of session recordings, SHA-256 cryptographic attestation hashes, consent template identifiers and versions, and language codes detected from consent disclosures.
Scope and Purpose
The purpose of this DPA is to ensure the lawful and compliant processing of Personal Data by eConsent, as instructed by the Controller, and to define the rights and obligations of both parties. This DPA applies to all Consent Data processed through the eConsent platform on behalf of the Controller.
Data Processing Terms
- Processing Instructions: eConsent agrees to process Personal Data only based on documented instructions from the Controller, unless required to do so by applicable law. The Controller instructs eConsent to process Consent Data for the purpose of providing consent capture, certification, verification, and retention services.
- Security of Processing: eConsent shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of data in transit and at rest
  - Regular security assessments and penetration testing
  - Access controls and authentication mechanisms
  - Incident response and data breach notification procedures
  - Regular backups and disaster recovery capabilities
  - Three-layer storage architecture: (a) active storage on encrypted Amazon EFS and Amazon RDS for low-latency access, (b) immutable backup on Amazon S3 with Object Lock in COMPLIANCE mode, and (c) long-term archive on Amazon S3 Glacier with preserved Object Lock protections for cost-efficient retention
- Subprocessing: eConsent shall not engage another processor without prior written authorization from the Controller. Where authorized, eConsent shall ensure that any subprocessor is bound by data protection obligations no less protective than those set out in this DPA. A current list of subprocessors is available upon request.
- Data Subject Rights: eConsent shall assist the Controller in ensuring compliance with data subjects’ rights under applicable data protection laws, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
- Data Breach Notification: eConsent shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting the Controller’s data.
- Confidentiality: eConsent shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Audits and Inspections: eConsent shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Consumer Revocation Processing
When eConsent receives a verified revocation instruction from the Controller on behalf of a consumer:
- The consent record is flagged as revoked in eConsent’s system
- The revocation event is timestamped and logged as part of the certificate record
- The original certificate and session recording are retained for the Controller’s compliance records (documenting both the original consent and its subsequent revocation) unless the Controller instructs deletion
- Revocation does not retroactively invalidate the original consent event — it documents that consent was withdrawn as of the revocation date
eConsent shall process revocation instructions from the Controller without undue delay. The Controller remains responsible for verifying the identity of the requesting consumer and for compliance with applicable opt-out processing timeframes (including the FCC’s 10-business-day requirement).
Data Retention
Consent Data is retained for the duration specified in the Controller’s service agreement and account settings. Upon expiration of the retention period or termination of services, eConsent shall securely delete the Controller’s Consent Data within 30 days, unless retention is required by applicable law.
Legal Hold
The Controller may request a legal hold on specific Consent Data records. When a legal hold is in effect, the affected records are exempt from automated expiry and deletion until the hold is released by the Controller. Legal holds override standard retention schedules to ensure data is preserved for litigation, regulatory investigation, or other legal proceedings.
Long-Term Archive (Glacier)
Consent Data archived to Amazon S3 with Object Lock may be transitioned to Amazon S3 Glacier for cost-efficient long-term storage. Glacier-archived data retains all Object Lock protections and remains retrievable, though with longer access times than active storage. Transition to Glacier does not affect the integrity or retention guarantees of the data.
International Data Transfers
Where Personal Data is transferred outside of the European Economic Area (EEA), eConsent shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission or other legally recognized transfer mechanisms.
Duration and Termination
This DPA shall remain in effect for the duration of eConsent’s processing of Personal Data on behalf of the Controller. Upon termination, eConsent shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires further storage.
Governing Law
This DPA shall be governed by the laws of the State of California, United States, without regard to conflict of law principles.
Contact
For questions regarding this DPA, contact eConsent LLC at support@econsent.org.