Terms governing how ForgeStop processes data on behalf of brand partners and clients.
This Data Processing Agreement ("DPA") forms part of the agreement between ForgeStop Technology Corp. ("ForgeStop", "Processor") and the counterparty identified in the applicable Master Service Agreement or Statement of Work ("Client", "Controller") for the provision of ForgeStop's NFC/RFID product authentication platform services.
This DPA establishes the rights and obligations of each party with respect to data protection in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDPA), Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), and the California Consumer Privacy Act (CCPA).
"ForgeStop Operational Data" means all raw data generated by ForgeStop's platform infrastructure, including scan events, authentication results, scan timestamps, non-identifying device signatures, and approximate geolocation signals. ForgeStop is an independent Data Controller of this data.
"Client Brand and Product Data" means data specific to the Client's brand, products, packaging configurations, SKU identifiers, and product metadata. The Client retains ownership.
"Client Personal Data" means any Personal Data of the Client's employees, representatives, or end consumers shared with or collected through the ForgeStop platform. ForgeStop processes this data solely as Processor.
"Sub-processor" means any third party engaged by ForgeStop to process Client Personal Data on behalf of the Controller.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data.
3.1 ForgeStop acts in a dual capacity: as an independent Controller of ForgeStop Operational Data, and as Processor of Client Personal Data on behalf of the Client.
3.2 Each party is individually responsible for complying with Applicable Data Protection Law in its respective capacity.
3.3 The Client is responsible for ensuring a lawful basis for providing Personal Data to ForgeStop.
ForgeStop shall process Client Personal Data only as necessary to provide the authentication platform services described in the applicable MSA/SOW. Categories of data and processing details are set out in Annex 1.
ForgeStop implements and maintains appropriate technical and organisational measures including:
6.1 The Client provides general authorisation for ForgeStop to engage Sub-processors.
6.2 Current Sub-processors are listed in Annex 2. ForgeStop provides 15 days advance written notice before engaging new Sub-processors.
6.3 Client may object within 15 days on reasonable data protection grounds. If unresolved, Client may terminate the affected SOW.
6.4 ForgeStop imposes data protection obligations no less protective than this DPA on each Sub-processor and remains fully liable.
7.1 ForgeStop shall notify the Client within 72 hours of becoming aware of any Security Incident affecting Client Personal Data.
7.2 Notification shall include: nature of incident, categories and approximate number affected, likely consequences, measures taken/proposed, and ForgeStop contact point.
ForgeStop's platform is hosted on AWS, US-based regions (primary: us-east-1; disaster recovery: us-west-2). ForgeStop shall ensure appropriate safeguards for cross-border transfers: Standard Contractual Clauses (SCCs) where GDPR applies, or other recognised transfer mechanisms.
ForgeStop shall assist the Client in responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection). ForgeStop shall forward direct Data Subject requests to the Client.
10.1 ForgeStop retains Client Personal Data only as long as necessary for the services or as required by law.
10.2 Upon termination, the Client has a 60-day export window. Client Personal Data is deleted within 90 days following the export window.
10.3 ForgeStop Operational Data is retained for up to 2 years (ForgeStop is the independent Controller of this data). Client Brand and Product Data is retained for up to 1 year post-termination for reactivation, audit, or legal purposes, then purged or anonymised.
10.4 Individual user data deletion requests are honoured within 30 days.
10.5 Written confirmation of deletion is provided upon request.
10.6 Automated backup retention: RDS PostgreSQL backups purged after 14 days (production). MongoDB Atlas snapshots purged after 35 days. S3 noncurrent versions purged after 90 days via lifecycle rules.
11.1 ForgeStop shall contribute to audits, subject to 60 days advance notice and confidentiality obligations.
11.2 ForgeStop may satisfy audits via documentation (certifications, reports, pen test results, written Q&A). On-site or remote access is at ForgeStop's reasonable discretion and subject to written consent.
11.3 Audits are limited to once per calendar year unless required by a supervisory authority or following a confirmed Security Incident.
This DPA remains in effect for the duration of ForgeStop's processing of Client Personal Data. Sections 5, 7, 10, and 11 survive termination.
This DPA is governed by the governing law of the applicable MSA. Where the GDPR applies, the provisions of this DPA are interpreted in accordance with the GDPR regardless of the MSA's governing law.
| Field | Detail |
|---|---|
| Subject Matter | NFC/RFID product authentication platform services |
| Duration | Duration of MSA/SOW + 60-day export window + 90-day deletion period |
| Nature of Processing | Collection, storage, retrieval, analysis, deletion |
| Purpose | Product authentication, batch management, scan analytics |
| Data Subject Categories | End consumers scanning NFC products; Client personnel (Dashboard/Batchmaker users) |
| Personal Data Categories | Consumer: approximate geolocation, device type, browser, OS, language, timestamp, tag ID. Personnel: name, email, role, Cognito credentials |
| Special Categories | None |
See the full Sub-processor List for details and change notifications.
| Sub-processor | Location | Processing Activities | Assurance |
|---|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure: compute (App Runner), database (RDS PostgreSQL), storage (S3), secrets (Secrets Manager), identity (Cognito), CDN (CloudFront), WAF, encryption (KMS) | SOC 2 Type II, ISO 27001, PCI DSS |
| MongoDB Atlas | United States | NoSQL database for analytics and audit logs. VPC-peered (private network). | SOC 2 Type II, ISO 27001 |
| Stripe Inc. | United States | Payment processing (tokenised — no raw card data) | PCI DSS Level 1 |
| Zoho Corporation | India / US | Alternative payment, CRM (metadata only) | SOC 2 Type II available |
| New Relic | United States | Application performance monitoring (APM). No client personal data. | SOC 2 Type II, ISO 27001 |
| Mapbox | United States | Geospatial visualization for scan analytics. Anonymised coordinates. | SOC 2 Type II |
| IPStack / PositionStack | Austria / US | Geolocation APIs for scan location resolution. | Privacy policy available |
| Google reCAPTCHA | United States | Bot protection for authentication pages. No personal data shared. | Google SOC 2 Type II |
| Regional Implementation Partners | Per SOW | On-site Batchmaker installation, production line integration | NDA + ForgeStop approval |
To subscribe to sub-processor change notifications, contact help@forgestop.com.
This document is a template and does not constitute legal advice. Must be reviewed by licensed counsel before execution with any counterparty.
Version 1.1 · Last updated: March 2026