Legal

Data Processing Agreement

This draft DPA is intended for cases where Cookiezy processes personal data on behalf of a customer in connection with hosted consent features, customer support, licensing, or operational service delivery. Cookiezy is a brand of Paradigma Plus d.o.o., Klopčičeva 4, 1000 Ljubljana, Slovenia, EU. This draft should be reviewed with legal counsel before it is executed.

Draft DPA aligned to the current Cookiezy product and support workflow.

Cookie banner preview

Lightweight. Fast. Clear by default.

Cookie consent. Done easy.

Lightweight consent that keeps your site fast and your data intact.

Necessary

Analytics

Marketing

Parties and scope

When this DPA applies

This DPA is intended to apply when a customer acts as controller and Cookiezy acts as processor or service provider for personal data processed through the hosted service components supplied by Cookiezy.

• The customer is the controller for personal data collected through the customer's own website and consent implementation.
• Cookiezy, operated by Paradigma Plus d.o.o., acts as processor only to the extent it processes such personal data on the customer's documented instructions.
• This DPA does not apply to processing where Cookiezy acts as independent controller for its own website, billing, invoicing, fraud prevention, or customer relationship management.

Processing details

Nature, purpose, and categories of data

Depending on the service configuration, Cookiezy may process operational consent records, account-linked support records, and related service metadata.

• Purpose: provide the service, maintain the hosted consent workflow, troubleshoot incidents, and deliver requested support or technical operations.
• Categories of data: identifiers, consent-related records, hostname or licensing context, technical logs, and support communications where relevant.
• Data subjects: website visitors, customer users, administrators, and support contacts, depending on the implementation.

Processor obligations

Cookiezy processor commitments

When acting as processor, Cookiezy should process personal data only as needed to provide the service and support the customer relationship.

• Process personal data only on the customer's documented instructions unless required otherwise by law.
• Ensure persons authorized to process personal data are bound by confidentiality obligations.
• Apply reasonable technical and organizational security measures proportionate to the service and the data involved.
• Assist the customer, where reasonably possible, with data subject requests, incident response, and compliance-related information.

Subprocessors and transfers

Subprocessors, infrastructure, and transfers

Cookiezy may use hosting, storage, email, analytics, support, or infrastructure subprocessors to operate the service.

• Cookiezy should impose data protection obligations on subprocessors that are materially consistent with the nature of the processing they perform.
• Where personal data is transferred internationally, Cookiezy should seek to rely on appropriate transfer safeguards and contractual measures.
• Customers may request reasonable information about the categories of subprocessors relevant to the active service setup.

Incidents and return or deletion

Security incidents, retention, and end of processing

Cookiezy should maintain a practical security and retention posture that fits a SaaS consent platform and hosted support workflow.

• Cookiezy should notify the customer without undue delay after becoming aware of a personal data breach affecting processor data under the DPA.
• Processor data should be retained only for as long as necessary to operate the service, support the customer, comply with law, or resolve disputes.
• At the end of the processing relationship, Cookiezy should delete or return processor data where reasonably possible, subject to legal retention duties and backup constraints.

FAQ

DPA FAQ

Quick guidance around controller and processor roles.

Does every Cookiezy customer need a DPA?

A DPA is usually relevant when Cookiezy processes personal data on the customer's behalf through hosted service components. It may be less relevant where the customer uses only local adapter downloads without hosted processing.

Who signs the DPA on Cookiezy's side?

Cookiezy is a brand of Paradigma Plus d.o.o., so the contracting entity on Cookiezy's side would be Paradigma Plus d.o.o.

Is this the final legal DPA?

No. This is a product-aligned draft intended to speed up legal review and contracting preparation.