
Data Processing Agreement

Conditions under which Conma Systems processes end users' personal data on behalf of its clients (GDPR Art. 28 · Colombia Law 1581/2012).

Version 1.0 · Updated May 8, 2026 · Conma Systems · conma.lat

1. Parties and Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data that Conma Systems ("Processor") carries out on behalf of the Client ("Controller") within the provision of the Consent Management Platform (CMP) service contracted through conma.lat.

This DPA forms an integral part of Conma's Terms and Conditions and takes effect automatically from the service contracting date.

2. Roles and Responsibilities

The Client is the Controller with respect to the personal data of their end users collected through Conma's consent banner. The Client determines the purposes and means of the processing.

Conma is the Processor and processes the data only in accordance with the Client's documented instructions and strictly as necessary to provide the service.

3. Data Processed

In delivering the service, Conma processes the following categories of personal data of the Client's end users:

Category | Description | Source
Technical identifier | Anonymous session ID (not linked to identity) | Generated by the banner
Consent decision | Accepted / Rejected / Granular by category | User interaction
Timestamp | Exact date and time of the decision | System
Policy version | Applied banner version | Client configuration
Hashed IP | Salted SHA-256 hash (GDPR Art. 25) | Server
User Agent (optional) | Device and browser type | User's browser
Integrity certificate | SHA-256 hash of the full record | Generated by Conma

Special categories: Conma never processes sensitive end-user data (GDPR Art. 9) under any circumstances.

4. Processing Instructions

Conma processes the data solely to:

  • Record and store the consent decisions of the Client's end users
  • Generate compliance certificates and consent evidence
  • Allow the Client to audit and export their consent records
  • Respond to data subject rights requests channeled by the Client

Conma will not use the Client's end-user data for its own commercial purposes or market analysis, nor share it with third parties except the sub-processors authorized in Section 6.

5. Security Measures (GDPR Art. 32)

Technical

  • Encryption in transit: TLS 1.3 mandatory
  • Encryption at rest: AES-256 at the database level (Supabase)
  • Per-tenant isolation: PostgreSQL Row-Level Security (RLS)
  • Salted, hashed IPs before permanent storage
  • Consent certificates signed with HMAC-SHA256
  • Audit table partitioning by year
  • Privileged access with multi-factor authentication

Organizational

  • Role-based access control (OWNER / ADMIN / VIEWER)
  • Full logging of Super Admin actions
  • Automated retention and deletion policy
  • Periodic review of access and permissions
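The hashing and signing measures named in Sections 3 and 5 (a salted SHA-256 of the end user's IP stored in place of the address, a SHA-256 integrity hash over the full consent record, and an HMAC-SHA256 consent certificate) can be illustrated with the following added Python example. It is not Conma's code: the field names, the constructed secret values, the canonical JSON encoding and the sample record are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed example secrets. A real deployment loads these from a secrets
# manager and never stores them next to the records; they are not Conma's keys.
IP_SALT = b"example-ip-salt-do-not-use"
CERT_KEY = b"example-hmac-key-do-not-use"


def hash_ip(ip: str, salt: bytes = IP_SALT) -> str:
    """Salted SHA-256 of the client IP. Only this digest is kept; the raw
    address is discarded before the record is written to storage."""
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding: fixed key order and no whitespace, so the
    same record always hashes and signs to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_record(session_id, decision, timestamp, policy_version, ip, user_agent=None):
    """Assemble a consent record from the Section 3 categories (field names are
    assumed) and append the SHA-256 integrity hash over the full record."""
    record = {
        "session_id": session_id,        # anonymous technical identifier
        "decision": decision,            # accepted / rejected / per-category dict
        "timestamp": timestamp,
        "policy_version": policy_version,
        "ip_hash": hash_ip(ip),          # the raw IP never enters the record
    }
    if user_agent is not None:
        record["user_agent"] = user_agent
    record["integrity"] = hashlib.sha256(canonical(record)).hexdigest()
    return record


def verify_integrity(record: dict) -> bool:
    """Recompute the integrity hash over every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "integrity"}
    expected = hashlib.sha256(canonical(body)).hexdigest()
    return hmac.compare_digest(expected, record.get("integrity", ""))


def sign_certificate(record: dict, key: bytes = CERT_KEY) -> str:
    """HMAC-SHA256 over the canonical record: the consent certificate handed
    to the Client as evidence. Only a holder of the key can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_certificate(record: dict, signature: str, key: bytes = CERT_KEY) -> bool:
    """Constant-time check that the certificate matches the record and key."""
    return hmac.compare_digest(sign_certificate(record, key), signature)


if __name__ == "__main__":
    # Constructed sample interaction (documentation IP range, fictitious session).
    rec = build_record(
        "sess-0001",
        {"analytics": True, "marketing": False},
        "2026-05-08T10:15:00Z",
        "v3",
        "203.0.113.7",
        "Mozilla/5.0",
    )
    cert = sign_certificate(rec)
    print("integrity ok:", verify_integrity(rec))
    print("certificate ok:", verify_certificate(rec, cert))
    rec["decision"]["marketing"] = True  # simulate tampering after the fact
    print("tampered integrity ok:", verify_integrity(rec))
    print("tampered certificate ok:", verify_certificate(rec, cert))
```

The integrity hash lets anyone holding the record detect later modification; the HMAC certificate additionally proves the record was issued by the key holder, so the two serve different audiences (the Client's auditors versus the Processor). The example treats the IP salt as a secret kept out of the database: because the IPv4 space is small, a hash with a salt that is stored alongside the records could be reversed by exhaustive search, which is the reason the salt is handled like a key here.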

6. Authorized Sub-processors

The Client expressly authorizes the use of the following sub-processors:

Sub-processor | Function | Location | Safeguard
Supabase Inc. | PostgreSQL database | Brazil (São Paulo) | DPA with GDPR SCCs 2021
Railway Corp. | Application and API infrastructure | USA / Global | DPA with GDPR SCCs 2021
Upstash Inc. | Redis cache (reports, sessions) | AWS us-east-1 | DPA with GDPR SCCs 2021

Conma will notify the Client at least 30 days in advance of any change to the sub-processors, granting a right to object. Sub-processors are contractually bound to apply protection measures equivalent to those of this DPA.

7. Security Breach Notification

In the event of a security breach, Conma will notify the Client without undue delay and within a maximum of 72 hours after becoming aware of the incident (GDPR Art. 33).

The notification will include:

  • Nature of the breach and categories of affected data
  • Approximate volume of compromised records
  • Measures taken to contain the incident
  • Recommendations for the Client

The Client is responsible for notifying their competent supervisory authority when required by applicable regulations.

8. Data Subject Rights Requests

If Conma directly receives a rights request from an end user of a Client:

  1. Conma will redirect the requester to the relevant Client
  2. Conma will provide technical assistance to the Client to respond within 30 days
  3. Per-user export and deletion of records is available from the Client's dashboard

9. Audit and Compliance

The Client has the right to:

  • Request information about the security measures implemented
  • Conduct audits with 30 days' notice or appoint an external auditor
  • Receive copies of relevant security certifications (SOC 2, ISO 27001 when available)

Conma will reasonably cooperate with such audits and with supervisory authorities.

10. Term, Return and Deletion of Data

This DPA remains in force for the duration of the contractual relationship between the Client and Conma.

After termination of the contract:

  • Conma will make a full export of the Client's records available in JSON/CSV format for 30 days from the termination date
  • After that period, Conma will securely and permanently delete all Client data from its systems
  • Conma will issue a deletion certificate if the Client requests it

11. Governing Law

This DPA is governed by the laws of the Republic of Colombia and, with respect to the GDPR, by the applicable law of the European Union.
