SPRINKLING ACT — LEGAL
Data Processing Agreement
Version 3.0 — March 1, 2026
This document describes how Sprinkling Act processes personal data and lists our sub-processors, in accordance with GDPR Article 28.
1. Roles
Data Controller: Lamar B. Shucrani, operating as Sprinkling Act (BCE: BE 1034.962.482).
Sprinkling Act determines the purposes and means of processing personal data collected through sprinklingact.com.
Data Subjects: Users of the Sprinkling Act service (account holders, diagnostic users, waitlist subscribers, newsletter subscribers, and site visitors who consent to analytics).
Sprinkling Act determines the purposes and means of processing personal data collected through sprinklingact.com.
Data Subjects: Users of the Sprinkling Act service (account holders, diagnostic users, waitlist subscribers, newsletter subscribers, and site visitors who consent to analytics).
2. Sub-processors
Supabase Inc.
Service: Database, authentication, storage
Location: European Union
Data: Account, diagnostic, waitlist, newsletter, analytics
Vercel Inc.
Service: Hosting, CDN, serverless
Location: Global edge (EU primary)
Data: Server logs, request metadata
DPA: vercel.com/legal/dpa
Resend Inc.
Service: Transactional email
Location: United States
Data: Email addresses, email content
DPA: resend.com/legal/dpa
Stripe Payments Europe Ltd
Service: Payment processing
Location: Ireland (EU)
Data: Payment and billing info
DPA: stripe.com/legal/dpa
Sentry (Functional Software Inc.)
Service: Error monitoring
Location: United States
Data: Request metadata (IP, user agent, error context)
DPA: sentry.io/legal/dpa
3. Processing Instructions
Sprinkling Act processes personal data only on documented instructions from the data controller (i.e., as defined by this DPA and the Terms of Service). Processing is limited to:
— Providing the diagnostic and reporting service
— Sending transactional and notification emails
— Processing payments via Stripe
— Analytics (only with explicit consent)
Sprinkling Act will not process personal data for any other purpose without prior written instruction.
— Providing the diagnostic and reporting service
— Sending transactional and notification emails
— Processing payments via Stripe
— Analytics (only with explicit consent)
Sprinkling Act will not process personal data for any other purpose without prior written instruction.
4. International Transfers
Personal data may be transferred outside the EU/EEA to the following sub-processors:
Resend Inc. (United States) — Transactional emails. Transfer mechanism: EU Standard Contractual Clauses (SCCs) Module Two (Controller to Processor), as incorporated in Resend's DPA.
Vercel Inc. (Global edge network) — Hosting. Transfer mechanism: EU Standard Contractual Clauses (SCCs) as incorporated in Vercel's DPA.
Sentry (United States) — Error monitoring. Transfer mechanism: EU Standard Contractual Clauses (SCCs) as incorporated in Sentry's DPA.
Sub-processors located within the EU/EEA (Supabase, Stripe) do not require additional transfer mechanisms under GDPR Chapter V.
Resend Inc. (United States) — Transactional emails. Transfer mechanism: EU Standard Contractual Clauses (SCCs) Module Two (Controller to Processor), as incorporated in Resend's DPA.
Vercel Inc. (Global edge network) — Hosting. Transfer mechanism: EU Standard Contractual Clauses (SCCs) as incorporated in Vercel's DPA.
Sentry (United States) — Error monitoring. Transfer mechanism: EU Standard Contractual Clauses (SCCs) as incorporated in Sentry's DPA.
Sub-processors located within the EU/EEA (Supabase, Stripe) do not require additional transfer mechanisms under GDPR Chapter V.
5. Security Measures
— Encryption in transit (TLS 1.3) and at rest
— HSTS with preloading
— Content Security Policy enforced
— Row Level Security on all database tables
— Passwords hashed (bcrypt via Supabase Auth)
— No plaintext storage of sensitive data
— Production access limited to data controller
— Regular dependency updates
— Session-based authentication with automatic expiry
— HSTS with preloading
— Content Security Policy enforced
— Row Level Security on all database tables
— Passwords hashed (bcrypt via Supabase Auth)
— No plaintext storage of sensitive data
— Production access limited to data controller
— Regular dependency updates
— Session-based authentication with automatic expiry
6. Breach Notification
In the event of a personal data breach, Sprinkling Act will:
— Notify the Belgian Data Protection Authority (APD/GBA) within 72 hours (GDPR Article 33)
— Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
— Provide a description of the breach, categories of data affected, estimated number of data subjects, and measures taken or proposed
— Notify the Belgian Data Protection Authority (APD/GBA) within 72 hours (GDPR Article 33)
— Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
— Provide a description of the breach, categories of data affected, estimated number of data subjects, and measures taken or proposed
7. Audit Rights
Data subjects and supervisory authorities may request information about the processing activities carried out by Sprinkling Act. Sprinkling Act will make available all information necessary to demonstrate compliance with GDPR Article 28 obligations. Audit requests should be directed to legal@sprinklingact.com.
8. Data Deletion
Upon request, all personal data will be deleted within 30 days. Upon termination of a sub-processor relationship, data is deleted per their respective DPA terms. After the end of the service relationship, Sprinkling Act will delete or return all personal data at the data controller's choice, unless EU or Belgian law requires continued storage.
9. Duration & Hierarchy
This DPA applies for the duration of any processing of personal data by Sprinkling Act. In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters. Standard Contractual Clauses (where applicable) prevail over this DPA.
10. Contact
Data Controller: Lamar B. Shucrani
Email: legal@sprinklingact.com
BCE: BE 1034.962.482
Avenue des Arts 19 BT 2, 1210 Brussels, Belgium
Supervisory Authority: Autorité de protection des données (APD/GBA), Brussels, Belgium
Email: legal@sprinklingact.com
BCE: BE 1034.962.482
Avenue des Arts 19 BT 2, 1210 Brussels, Belgium
Supervisory Authority: Autorité de protection des données (APD/GBA), Brussels, Belgium