Splnit.eu

DPA and Sub-processors

This overview is the public baseline for Splnit.eu data processing terms and sub-processor management. It does not replace an individually signed agreement where a customer or applicable law requires one.

Roles

For customer data, the Splnit.eu operator, acting as a Czech sole trader, usually acts as processor and the customer as controller. For business communication and operational metrics, we act as controller. The final operator name, business ID, ARES link, and address must be completed before production launch.

The customer determines the purposes and means of processing customer data in the app. Splnit.eu processes that data to provide the service, security, support, maintenance, legal compliance, and other documented customer instructions.

Subject matter, duration, and data categories

Processing covers customer compliance data, user accounts, audit logs, evidence, documents, vendor and incident records, integration configuration, and automated test results.

Categories of data subjects may include customer users, administrators, employees, suppliers, contact persons, audited persons, and other people whose data the customer places in the service.

The processing period follows the contract term and the later period needed to return or delete data, unless law requires further retention.

Customer instructions

We process personal data only on documented customer instructions, including app settings, connected integrations, support requests, and contractual arrangements.

If we believe an instruction violates GDPR or other EU or member-state law, we will notify the customer unless the law prohibits that notice.

Sub-processors

We mainly use Vercel for hosting and Blob storage, Neon for the database, Clerk for authentication, Stripe for billing, Resend and Loops for email, Upstash for Redis, Sentry for observability, Inngest for background jobs, and PostHog for product analytics where enabled.

The customer gives general authorisation to use the sub-processors listed in this overview. We announce material changes in a reasonable way, and the customer may object at hello@splnit.eu.

We put appropriate data-protection commitments in place with sub-processors and remain responsible for their processing to the extent required by GDPR.

Security measures

We separate data by organisation, use encrypted transport, encrypt integration tokens, keep audit logs, apply least-privilege access, restrict production access, and regularly review critical configurations.

Staff and supplier access is limited by role and need. People authorised to process personal data are bound by confidentiality or an equivalent legal duty.

Security incidents are assessed by impact. If an incident affects customer data that we process as processor, we notify the customer without undue delay after becoming aware of it.

Customer assistance

Within reasonable scope, we help the customer meet GDPR obligations, especially for data-subject requests, processing security, impact assessments, breach notifications, and demonstrating compliance.

At the end of the service, customer data will be returned, made available for export, or deleted according to customer instructions unless law requires further retention.

Audit and information

We provide information needed to demonstrate processor compliance. Audits must be reasonable, announced in advance, and must not compromise other customers' security or expose third-party confidential information.

The contact address for DPA questions, sub-processors, objections, and security questions is hello@splnit.eu.
