When you use Overcap, we act as a data processor and you are the controller. This agreement records our obligations under GDPR Art. 28.
VERSION
v2.1 · April 1, 2026
Roles
You are the Controller. We are the Processor. Each Overcap employee with access is under NDA and completes yearly privacy training.
Purpose
Processing is limited to what's required to deliver the service. No profiling of your visitors on our behalf, no ads, no third-party enrichment.
Subprocessors
Current subprocessor list: Supabase (DB), AWS Frankfurt (hosting), Stripe (payments), Resend (email). The full up-to-date list is available on request at sub@overcap.ru. Any changes are announced 30 days in advance with a right to object.
Security
Technical and organizational measures (TOMs): AES-256 at rest, TLS 1.3 in transit, MFA for all staff, RBAC, audit log, yearly third-party pen-test.
Data return
On request — export within 14 days (JSON + media). Deletion at contract end — within 30 days. Security logs rotate on a 12-month schedule.
Incident notification
Any security incident posing a risk to data subjects' rights — notification within 72 hours with scope, response actions and DPO contact.
Audit
Once every 12 months, you or an independent auditor acting on your behalf may audit our TOMs (on a mutually agreed date, under NDA, and at your cost). Alternative: SOC 2 Type II report on request (once available).
Duration
The DPA runs alongside the main agreement and cannot be unilaterally terminated while the subscription is active.