Dfence Data Processing Addendum (DPA)

Last modified: 2025-11-21

This is Dfence's standard Data Processing Addendum (DPA) and applies by default to all customers who use Dfence as a data processor. A signed version can be made available upon request.

1. Definitions

  • Customer: The legal entity that has entered into an agreement with Dfence for the provision of services.
  • Dfence: Edgee Cloud SAS, a French company registered at 9 rue des Colonnes, 75002 Paris, France, and its U.S. entity Dfence Inc.
  • Data Protection Laws: All applicable data protection and privacy legislation, including the EU GDPR, UK GDPR, CCPA/CPRA, LGPD, and PIPEDA.
  • End User: An individual whose personal data is processed through the Dfence platform on behalf of the Customer.
  • Services: The Edge Component Platform provided by Dfence.
  • Subprocessor: Any third-party processor engaged by Dfence to support the delivery of the Services.

2. Scope of the Addendum

This DPA applies when Dfence processes personal data on behalf of the Customer in the course of providing the Services. It supplements the main service agreement between Dfence and the Customer.

3. Roles and Responsibilities

  • Customer acts as the Data Controller.
  • Dfence acts as the Data Processor.

Customer determines the purposes and means of processing personal data. Dfence processes data only on documented instructions from the Customer.

4. Categories of Data and Data Subjects

Data Subjects: End users of the Customer's websites, APIs, or applications.

Categories of Data:

  • IP addresses
  • User identifiers
  • Event and network metadata (e.g., pageviews, TCP/IP headers)

Dfence does not collect sensitive personal data unless explicitly configured by the Customer.

5. Processing Activities

Dfence processes personal data solely to:

  • Detect and manage concurrent user sessions and device limits
  • Log user session and event data for security, analytics, and compliance
  • Temporarily log service events to support debugging and reliability (for up to 24 hours)

Dfence does not:

  • Use personal data for marketing or profiling
  • Retain end user event payloads beyond processing
  • Sell personal data

6. Subprocessing

Dfence uses the following subprocessors:

  • Fastly – Edge delivery infrastructure
  • AWS – Hosting and compute services
  • Clickhouse – Analytics and event storage
  • Vercel – Web deployment and frontend delivery

Dfence imposes data protection obligations on all subprocessors via contracts and audits. Customers may request notice of changes to subprocessors. Dfence may add or change subprocessors at any time, and the most up-to-date list of subprocessors will be reflected in this DPA or provided upon request.

7. Data Transfers

  • Data is processed and stored in the European Union by default.
  • Where transfers outside the EU/EEA occur, Dfence relies on:
    • Standard Contractual Clauses (SCCs) (available upon request)
    • Adequacy decisions by the European Commission
    • Technical safeguards, including end-to-end encryption and isolated edge processing

For further information, refer to our Trust Center.

8. Security Measures

Dfence maintains a security program compliant with industry best practices and SOC 2 requirements. Measures include:

  • TLS encryption in transit; AES encryption at rest
  • Role-based access control and audit logs
  • Isolated edge node processing
  • Zero persistent access from browser context

See our Trust Center for full documentation.

9. Data Subject Rights

Customers are responsible for responding to data subject requests. If Dfence receives a request from an end user and can identify the relevant Customer, Dfence will forward the request to the Customer for response.

10. Data Retention

  • Logs: retained up to 25 months
  • Debug events: retained up to 24 hours

11. Data Portability and Export

During the term of the Services, and upon written request, Dfence shall provide Customer with access to its processed personal data in a structured, commonly used, and machine-readable format. This includes any data processed on behalf of the Customer that has not been deleted in accordance with Section 10 (Data Retention).

Upon termination or expiration of the Services, Customer shall have a window of at least 30 days to request export of such data prior to deletion, unless longer retention is mandated by applicable law.

Dfence shall provide reasonable assistance and available tools to facilitate the secure export or migration of data upon termination, subject to the Customer’s written instructions and any applicable fees outlined in the Master Service Agreement or Service Order.

12. Termination and Deletion

Upon termination of the Services, Dfence will delete or return personal data to the Customer, unless required to retain it by law.

13. Audit and Assistance

Dfence will make available relevant documentation and allow for audits upon reasonable notice to demonstrate compliance with this DPA and applicable laws.

14. Liability and Indemnity

Each party's liability is governed by the main service agreement. Dfence shall be liable for its subprocessors in accordance with Article 28 of the GDPR.

15. Governing Law and Jurisdiction

This DPA shall be governed by the same law and jurisdiction as the principal agreement between the Customer and Dfence.

16. Contact

Edgee Cloud SAS

9 rue des Colonnes

75002 Paris

France

Email: privacy@edgee.cloud

Edgee Inc

3222 Pikai Way

Kihei, HI 96753

United States

Email: privacy@edgee.cloud