DPA EVIDENCE
Vendor DPA Register
A concise register of provider DPA evidence that must be collected before scaling real customer data.
This is an operational launch pack, not a legal opinion. Final wording must be approved by Cyprus counsel before signed customer use.
Collect before launch scale
Hosting provider DPA and transfer terms.
PostgreSQL provider DPA, region and backup retention terms.
Stripe data processing terms for billing and payment metadata.
SMTP/email provider privacy and processing terms.
File storage provider DPA before raw documents move out of database or local storage.
Collect before enabling later features
KYC provider DPA, identity verification terms, data retention and biometric/photo handling rules before automated KYC is enabled.
Open banking provider DPA, PSD2/open banking terms and financial data retention rules before bank verification moves beyond manual proof.
AI provider DPA, no-training commitments, region, retention and safety review before sensitive inspection media is processed externally.
Escrow or payment institution agreements before any real deposit holding or regulated escrow feature is offered.
Internal evidence fields
Each vendor record should store provider name, service category, data categories, region, DPA URL or signed file reference, reviewer, approval date, renewal date and notes.