ByNoon — Data Processing Agreement (DPA)
Last updated: 2026-05-23.
This Data Processing Agreement ("DPA") is entered into between you, as Customer ("Controller"), and ByNoon ("ByNoon", "Processor"), and forms part of the Terms of Service. It governs Processor's processing of Personal Data on Controller's behalf in the course of delivering the ByNoon Services. The DPA implements the requirements of Article 28 of the GDPR.
By accepting the Terms of Service, you also accept this DPA.
1. Subject matter and duration
The subject matter of the processing is the Personal Data that you, as Controller, upload to or generate within the ByNoon Services (the "Customer Personal Data"). The duration matches the term of your Subscription, plus the retention windows set out in section 8.
2. Nature and purpose of processing
Processor processes Customer Personal Data exclusively to:
- host and serve your Projects and Workspace;
- run the publish, build, and deploy pipeline you trigger;
- store Customer Personal Data in our database, object storage, and email-delivery integrations;
- meet Processor's legal obligations toward you (billing records, tax, audit).
Processor does not use Customer Personal Data for any purpose outside the scope of providing the Services and does not transfer it to third parties except the subprocessors listed in section 7.
3. Type of Personal Data and categories of data subjects
Type: any Personal Data that Controller decides to collect or process through the Services. Typical examples for a ByNoon-built website include contact-form submissions (name, email, message), newsletter sign-ups, and any other data Controller chooses to gather from the visitors of its websites.
Categories of data subjects:
- visitors of Controller's websites who interact with Controller's forms or workflows;
- end-users of Controller's e-commerce, support, or other functionality (where Controller has implemented these);
- any other natural person about whom Controller chooses to process Personal Data through the Services.
Control over the actual content and categories of Customer Personal Data rests with Controller — Processor does not pre-determine what Personal Data is collected.
4. Obligations of Processor
Processor will:
- process Customer Personal Data only on documented instructions from Controller, including those set out in this DPA and the Terms of Service, unless required by EU or Member-State law (in which case Processor will inform Controller of that legal requirement before processing, unless prohibited from doing so on grounds of public interest);
- ensure that persons authorised to process Customer Personal Data are bound by a written confidentiality obligation;
- implement the technical and organisational measures described in Annex A;
- respect the conditions for engaging subprocessors set out in section 7;
- take account of the nature of the processing and, insofar as possible, assist Controller in fulfilling its obligation to respond to data-subject requests (Articles 12–22 GDPR) — primarily by maintaining the self-service Access / Rectification / Erasure / Portability tools described in the Privacy Policy;
- assist Controller in complying with Articles 32–36 GDPR (security, breach notification, DPIA);
- on termination of the Services, at Controller's choice, delete or return all Customer Personal Data within 30 days, save where EU or Member-State law requires longer retention (notably Dutch tax-record retention);
- make available to Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR, and allow for and contribute to audits as described in section 9.
5. Controller responsibilities
Controller is responsible for:
- having a valid lawful basis under Article 6 GDPR for the processing it instructs Processor to perform;
- the accuracy and lawfulness of the Customer Personal Data it uploads;
- providing the privacy notices required by Articles 13–14 GDPR to the data subjects whose Personal Data it processes through the Services;
- handling and recording any consent it relies on, where consent is the lawful basis (Article 7 GDPR);
- ensuring that any special-category Personal Data (Article 9 GDPR) is processed only with a valid Article 9(2) lawful basis.
6. Personal-Data breaches
Processor will notify Controller without undue delay — and in any event within 48 hours — of becoming aware of a Personal-Data breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Processor will assist Controller in fulfilling its own breach-notification obligations under Articles 33 and 34 GDPR.
7. Subprocessors
Controller grants general authorisation to Processor to engage the subprocessors listed at bynoon.app/subprocessors. Processor will:
- enter into a written agreement with each subprocessor that imposes data-protection obligations equivalent to those of this DPA;
- remain fully liable to Controller for the performance of each subprocessor's obligations;
- inform Controller of any addition or replacement of subprocessors, with at least 30 days' prior notice, allowing Controller to object on reasonable data-protection grounds. If Controller objects, the parties will discuss in good faith a workaround; if no workaround is possible, Controller may terminate the affected Services.
The subprocessor list at bynoon.app/subprocessors is updated whenever a subprocessor is added, changed, or removed, and the change-notification email mechanism described in section 22.2 decision 76 of the billing plan applies.
8. International transfers
Processor operates an EU data-residency posture and does not transfer Customer Personal Data outside the European Economic Area, except for the transfer to Stripe (United States), which is necessary for payment processing. That transfer relies on Stripe's EU–US Data Privacy Framework certification. If the DPF is invalidated, Processor will switch to Standard Contractual Clauses under Article 46 GDPR within 30 days and notify Controller.
No Customer Personal Data is transferred outside the EEA except as described above.
9. Audit
Processor will make available to Controller, on reasonable written request, the information necessary to demonstrate Processor's compliance with this DPA, including the most recent external security audit reports (where available) and Processor's technical and organisational measures documentation. On reasonable request, and subject to an appropriate confidentiality agreement, Processor will allow Controller (or an external auditor mandated by Controller) to conduct an audit, not more than once per 12 months, at Controller's expense, during regular business hours, with at least 30 days' written notice, and in a manner that does not unreasonably disrupt Processor's operations.
10. Liability and indemnification
Liability under this DPA is subject to the limitation-of-liability provisions in the Terms of Service. To the extent permitted by law, each party indemnifies the other against losses, damages, and reasonable legal costs arising from that party's breach of this DPA.
11. Governing law and forum
This DPA is governed by the laws of the Netherlands. Any dispute is subject to the exclusive jurisdiction of the District Court of Amsterdam (Rechtbank Amsterdam).
12. Order of precedence
If there is any conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters.
Annex A — Technical and organisational measures (Article 32 GDPR)
Processor implements the following measures, taking account of the state of the art, the cost of implementation, the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons.
A.1 Pseudonymisation and encryption
- TLS 1.2 or higher for all customer-facing connections.
- Database encryption at rest (Supabase + Cloudflare R2 native encryption).
- Stripe customer payment methods are tokenised; raw card or IBAN data never reach ByNoon's infrastructure.
A.2 Confidentiality, integrity, availability, and resilience
- Row Level Security on every Supabase table holding Customer Personal Data, scoping access to authorised members of the Workspace.
- Service-role access limited to backend processes; no human reads the service-role key in normal operation.
- Per-customer workspace isolation: each customer's Projects are hosted in separate Fly.io machines and served via per-customer Cloudflare Workers.
- Daily Supabase backups; point-in-time recovery available.
- Multi-region static-asset hosting (Cloudflare R2 + EU edge).
A.3 Restoration of availability and access
- Documented recovery procedures for the Supabase database, R2 buckets, and Fly.io customer machines.
- Test restorations performed on a regular cadence.
A.4 Regular testing
- Pre-deploy automated test suite (npm run check) covering lint, format, build, and 600+ unit tests.
- Pre-launch security review of access-control surfaces.
- Subprocessor-list audit on a quarterly cadence.
A.5 Access management
- ByNoon staff with access to Customer Personal Data are bound by written confidentiality.
- Personal credentials are individual, not shared.
- Production access is gated through identity-provider authentication.
A.6 Subprocessor due diligence
- Each subprocessor is evaluated for GDPR posture before onboarding.
- The current list is published at bynoon.app/subprocessors with the data category and processing location for each.