Data Processing Agreement
DPA
1. Overview
This Data Processing Agreement (DPA) is a legal agreement between Stellaron VPN ("Service Provider") and users ("Data Controller") of our services. This agreement details how the Service Provider processes personal data entrusted by the Data Controller.
This DPA complies with the General Data Protection Regulation (GDPR), China's Personal Information Protection Law (PIPL), and other applicable data protection laws.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Controller: Entity determining purposes and means of processing
- Data Processor: Entity processing data on behalf of controller
- Sub-processor: Third-party service providers engaged by the processor
3. Data Processing Scope and Purpose
3.1 Types of Data Processed
- Account Information: Email address, encrypted password (hashed)
- Usage Data: IP address, access time, features used, traffic consumed
- Payment Information: Processed via third-party payment providers
- Communications: Messages sent via Telegram Bot
3.2 Processing Purposes
- dpa.scope.purposes.items[0])
- dpa.scope.purposes.items[1])
- dpa.scope.purposes.items[2])
- dpa.scope.purposes.items[3])
- dpa.scope.purposes.items[4])
4. Data Processor Obligations
- Lawful Processing: Process personal data only per Data Controller's written instructions
- Confidentiality: Maintain confidentiality of all processed personal data
- Security Measures: Implement appropriate technical and organizational security measures
- Sub-processor Management: Use only approved sub-processors with appropriate DPAs
- Breach Notification: Notify Data Controller within 72 hours of discovering a breach
- Deletion and Return: Delete or return all personal data after service termination
5. Data Security Measures
- Transmission Encryption: All data transmitted using TLS 1.3
- Storage Encryption: Sensitive data encrypted using AES-256
- Access Control: Strict Role-Based Access Control (RBAC)
- Network Isolation: Production and development environments separated
6. Sub-processors
We use the following sub-processors to provide services:
| Service | Purpose |
|---|---|
| Supabase | Supabase - Database and authentication |
| Vercel | Vercel - Website hosting |
| Telegram | Telegram - Customer communications |
| Stripe | Stripe - Payment processing |
We will notify Data Controller in advance of any planned additions or replacements to sub-processors.
9. Data Subject Rights
- Access Right: Obtain copies of personal data we process about you
- Rectification Right: Correct inaccurate personal data
- Erasure Right: Request deletion of personal data under certain circumstances
- Portability Right: Receive your data in structured, commonly used format