pub-registry

Data Processing Agreement

For business customers.

DATA PROCESSING AGREEMENT (DPA)

Last updated: June 18, 2026

This Data Processing Agreement ('DPA') forms part of the Team/Subscription Software License Agreement (the 'Agreement') between Alexandru Florian Mariuti ('Processor', 'we', 'us') operating pub.mariuti.com, and the customer organization that purchases seats ('Controller', 'you'). It governs the processing of personal data carried out by us on your behalf under GDPR Article 28 and equivalent laws.


1. DEFINITIONS

'Data Protection Laws' means all laws applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

'Controller', 'Processor', 'Data Subject', 'Personal Data', 'Processing', and 'Sub-processor' have the meanings given in the Data Protection Laws.

'Customer Personal Data' means personal data we process on your behalf under the Agreement, as described in Annex I.


2. ROLES AND SCOPE

2.1 You are the Controller and we are the Processor with respect to Customer Personal Data (your seat roster and the per-seat usage/download logs we generate on your behalf).

2.2 We are an independent Controller for data we determine the purposes of -- billing and payment records, our own account, security and fraud-prevention logs, and aggregated analytics. That data is governed by our Privacy Policy, not this DPA.

2.3 The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data are set out in Annex I.


3. PROCESSING ON INSTRUCTIONS

3.1 We process Customer Personal Data only on your documented instructions, including the Agreement and your configuration of the Services, unless required to do otherwise by applicable law (in which case we will inform you unless that law prohibits it on important grounds of public interest).

3.2 We will inform you if, in our opinion, an instruction infringes the Data Protection Laws.


4. CONFIDENTIALITY

We ensure that persons authorised to process Customer Personal Data are bound by an appropriate obligation of confidentiality.


5. SECURITY (ARTICLE 32)

5.1 We implement appropriate technical and organisational measures to protect Customer Personal Data, including: encryption in transit (TLS) and at rest; access controls and least-privilege administration; hashing of authentication tokens (we never store token plaintext); network and platform isolation; and logging and monitoring. A summary is in Annex II.

5.2 We regularly review and, where appropriate, improve these measures.


6. SUB-PROCESSORS

6.1 You provide general written authorisation for us to engage Sub-processors. The current Sub-processors are listed in Annex III.

6.2 We will give you prior notice of the addition or replacement of any Sub-processor and a reasonable opportunity to object on reasonable data-protection grounds.

6.3 We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remain liable for their performance.


7. ASSISTANCE

7.1 Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection).

7.2 We assist you in ensuring compliance with Articles 32 to 36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to us.


8. PERSONAL DATA BREACH

We notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your breach-notification obligations.


9. INTERNATIONAL TRANSFERS

Where we transfer Customer Personal Data outside the EEA or UK, we rely on an appropriate transfer mechanism, including the EU Standard Contractual Clauses (Module Two: controller-to-processor), incorporated by reference in Annex IV, and the UK International Data Transfer Addendum, together with any supplementary measures required following a transfer impact assessment.


10. RETURN OR DELETION

On termination of the Agreement, we delete or return all Customer Personal Data at your choice, and delete existing copies, within the window stated in the Agreement (target: 30 days), unless retention is required by law.


11. AUDIT

We make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and security conditions and reasonable notice.


12. CCPA / CPRA SERVICE-PROVIDER ADDENDUM

12.1 With respect to personal information governed by the CCPA/CPRA, we act as a 'service provider'. We shall not: (a) sell or share the personal information; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship; or (d) combine it with personal information received from other sources, except as permitted by the CCPA.

12.2 We certify that we understand and will comply with these restrictions. You may take reasonable and appropriate steps to ensure we use personal information consistently with your CCPA obligations, and to stop and remediate unauthorised use.


13. GENERAL

13.1 This DPA forms part of and is subject to the Agreement. In case of conflict on data-protection matters, this DPA prevails.

13.2 Our total liability arising out of this DPA is subject to the limitations of liability in the Agreement.


ANNEX I — DETAILS OF PROCESSING

Subject matter: Provision of a private package registry to the Controller's developers.
Duration: For the term of the Agreement plus the deletion window.
Nature and purpose: Authentication, access control, seat administration, and security/audit logging on the Controller's behalf.
Categories of Data Subjects: The Controller's developers (seat holders) and invited users.
Categories of Personal Data: Names; work email addresses; usernames; authentication tokens (credentials); IP addresses; usage/download logs (packages/versions fetched, timestamps).
Special categories: None.


ANNEX II — TECHNICAL AND ORGANISATIONAL MEASURES

Encryption in transit (TLS) and at rest; hashing of authentication and service tokens; role-based access control and least privilege; network/platform isolation; logging and monitoring; backup and recovery; vendor due diligence.


ANNEX III — SUB-PROCESSORS

- Cloudflare, Inc. — edge hosting / CDN / Worker runtime.
- Application host (Coolify-managed infrastructure) — PocketBase backend hosting.
- Paddle.com Market Limited — payments and Merchant of Record.
- Transactional email provider — delivery of developer invitations.
- Discord — internal purchase notifications (no Data Subject content beyond package name and amount).
- Umami (self-hosted) — aggregated, cookie-free analytics.


ANNEX IV — STANDARD CONTRACTUAL CLAUSES

The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor), and the UK Addendum, are incorporated by reference and completed using the details in Annexes I to III. [To be attached in the executed version.]


Questions about this DPA: info@mariuti.com