When you use Overcap, we act as a data processor and you are the controller. This agreement records our obligations under GDPR Art. 28.
VERSION
v2.1 · April 1, 2026
Roles
You are the Controller. We (IE Spiridonov D. V.) are the Processor. Anyone with access to data is under NDA and completes yearly privacy training.
Purpose
Processing is limited to what's required to deliver the service. No profiling of your visitors on our behalf, no ads, no third-party enrichment.
Subprocessors
Current subprocessor list: Supabase (DB, EU), Sendersy / Postal (outbound email, EU), Yandex Metrika (analytics, optional, consent-only). The full up-to-date list is available on request at support@overcap.ru. Any changes are announced 30 days in advance with a right to object.
Security
Technical and organizational measures (TOMs): AES-256 at rest, TLS 1.3 in transit, MFA for admins, RBAC, audit log, yearly third-party pen-test.
Data return
On request — export within 14 days (JSON + media). Deletion at contract end — within 30 days. Security logs rotate on a 12-month schedule.
Incident notification
Any security incident posing a risk to data subjects' rights — notification within 72 hours with scope, response actions and contact.
Audit
Once every 12 months, you or an independent auditor acting on your behalf may audit our TOMs (on a mutually agreed date, under NDA, and at your cost). Alternative: SOC 2 Type II report on request (once available).
Duration
The DPA runs alongside the main agreement and cannot be unilaterally terminated while the subscription is active.