Data Processing Addendum (DPA)
Effective date: June 2026
This Data Processing Addendum applies when CEMETERRA processes personal data on behalf of a customer in connection with the CEMETERRA services. In such cases, the customer acts as controller and CEMETERRA acts as processor unless otherwise required by law.
1. Subject Matter and Duration
Processing is limited to customer instructions and the functionality of the service, for the duration of the subscription and any limited post-termination retention period required for security, legal, and backup purposes.
2. Nature and Purpose of Processing
- Hosting and storage of customer-uploaded cemetery records.
- User authentication, access control, and security monitoring.
- Support operations and service reliability.
3. Categories of Data and Data Subjects
- Customer account users (staff and administrators).
- Data entered by customers for memorial and cemetery records.
- Operational metadata such as logs and access events.
4. Processor Obligations
- Process personal data only on documented customer instructions.
- Ensure confidentiality obligations for authorized personnel.
- Implement appropriate technical and organizational security measures.
- Assist customers with data subject requests where required.
- Support breach response obligations under applicable law.
- Delete or return personal data after service termination, subject to legal requirements.
5. Subprocessors
CEMETERRA uses subprocessors to deliver infrastructure and platform features. Current subprocessors are listed at /subprocessors.
6. International Transfers
Where personal data is transferred internationally, CEMETERRA relies on appropriate safeguards, including Standard Contractual Clauses where applicable.
7. Security Measures
- Encrypted transport (HTTPS).
- Password hashing using bcrypt.
- HTTP-only secure session cookies and CSRF protection.
- Role-based access control and audit logging.
8. Audit and Information Rights
CEMETERRA provides reasonable information to support customer compliance inquiries, taking into account confidentiality, security, and scope limits.