Vendor Data Processing Agreement (DPA) Status
Status: PENDING OPERATOR ACTION — no DPAs have been executed yet. This document tracks execution status of GDPR Art. 28 Data Processing Agreements with all sub-processors that handle Raxx customer personal data.
Trigger: Must be completed before the first EU customer signs up. Not a v1 US-only launch blocker (per issue #1647 and BLR research PR #1646 § 6.2).
Last updated: 2026-05-19 UTC
Owner: Kristerpher (operator / controller)
Summary Table
| Vendor | Role | DPA Self-Serve? | Status | Signed Date | Drive File | Acknowledgement Doc |
|---|---|---|---|---|---|---|
| Stripe, Inc. | Payment processor | Yes — dashboard | PENDING | — | — | dpas/stripe-dpa-acknowledgement.md |
| Heroku (Salesforce, Inc.) | Cloud infrastructure / hosting | No — support ticket | PENDING | — | — | dpas/heroku-dpa-acknowledgement.md |
| Sentry.io | Error monitoring | Yes — org settings | PENDING | — | — | dpas/sentry-dpa-acknowledgement.md |
| Postmark (ActiveCampaign) | Transactional email | Yes — account settings | PENDING | — | — | dpas/postmark-dpa-acknowledgement.md |
Priority Order
Execute in this order to manage timing risk:
- Heroku first — DPA requires a Heroku Support ticket; processing time is 2–5 business days. File the ticket today so it is not the blocker when the others are done in 2 hours.
- Stripe — self-serve dashboard; ~10 minutes.
- Sentry — self-serve org settings; ~10 minutes.
- Postmark — self-serve account settings; ~10 minutes.
What "Executed" Means
A DPA is considered executed when:
- Kristerpher has clicked through / signed the vendor's standard DPA form in the vendor dashboard (or received a countersigned PDF from Heroku), AND
- The signed PDF has been saved to Google Drive at legal/DPAs/<vendor>-dpa-<year>.pdf, AND
- The acknowledgement doc in docs/legal/compliance/dpas/<vendor>-dpa-acknowledgement.md has been updated with the signed date, Drive link, and Kristerpher's name as signatory.
Scope Notes
- Cloudflare — Cloudflare is a network-layer sub-processor (CDN/WAF/DNS/CF Access). Cloudflare's DPA is available at https://www.cloudflare.com/cloudflare-customer-dpa/ and is accepted by accepting Cloudflare's Terms of Service. No separate execution is required; Cloudflare's DPA is a click-through acceptance built into the ToS. Documented in dpas/cloudflare-dpa-acknowledgement.md.
- Google Workspace — Google's DPA (Google Cloud Data Processing Amendment) is accepted as part of Google Workspace terms. No separate execution needed for Workspace email use. Documented in dpas/google-workspace-dpa-acknowledgement.md.
- FreeScout — self-hosted on Lightsail; Raxx/MooseQuest LLC IS the data processor for FreeScout. No vendor DPA needed; instead, the operator (Raxx) must ensure their privacy policy discloses support-ticket data handling. No DPA acknowledgement doc needed; covered by the privacy policy.
- Alpaca — Alpaca is the user's broker, not Raxx's sub-processor. The user independently contracts with Alpaca. Raxx acts as an authorized intermediary under the user's own Alpaca agreement. No DPA required from Raxx's side.
After All Four Are Signed
Update the RoPA Third-Party Processors table at docs/legal/artifacts/ropa-template.md Part C to reflect "Executed — [date]" for each vendor's DPA column.
Version History
| Date | Change | By |
|---|---|---|
| 2026-05-19 UTC | Initial tracking document created | raxx-dev-bot (feature/vendor-dpa-acknowledgements) |