Data Processing Agreement

Last updated: March 12, 2026

This Data Processing Agreement (DPA) forms part of the Terms of Service between you (the data controller) and Proposly (the data processor).

Parties

This agreement is between the Proposly account holder (Controller) and Proposly AB (Processor), concerning the processing of personal data through the Proposly service.

Purpose and scope

Proposly processes personal data on behalf of the Controller solely for the purpose of providing the proposal management service. This includes storing, displaying, and transmitting proposal content, client information, and electronic signatures.

Personal data processed

  • Contact information: names, email addresses, and company names of proposal senders and recipients.
  • Proposal content: project descriptions, pricing, timelines, and any text entered by the Controller.
  • Signature data: signer names, email addresses, IP addresses, timestamps, and electronic signature images.
  • Authentication data: email addresses and hashed passwords for account access.
  • Audit data: timestamps, IP addresses, and user agents for compliance and security purposes.

Nature of processing

  • Storage of proposal and account data in encrypted databases.
  • Transmission of email notifications and verification codes.
  • Generation of PDF documents from proposal data.
  • Logging of access and signature events for audit trails.

Sub-processors

Proposly uses the following sub-processors to deliver the service:

  • Supabase Inc. (San Francisco, USA) — Database hosting, authentication, and data storage. EU Standard Contractual Clauses apply.
  • Resend Inc. (San Francisco, USA) — Transactional email delivery for notifications and verification codes.
  • Vercel Inc. (San Francisco, USA) — Application hosting, edge network, and serverless functions. SOC 2 Type II certified.

The Controller will be notified of any changes to sub-processors with 30 days' advance notice.

Security measures

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Authentication passwords are hashed using bcrypt.
  • Row-level security ensures users can only access their own data.
  • API endpoints are rate-limited to prevent abuse.
  • Security headers (HSTS, CSP, X-Frame-Options) are enforced on all responses.

Data subject rights

Proposly provides tools to help the Controller fulfill data subject rights under GDPR:

  • Right of access and portability: Account holders can export all their data via the Settings page.
  • Right to erasure: Account holders can delete their account and all associated data via the Settings page.
  • Right to rectification: Account holders can update their profile information at any time.

Data retention and deletion

Personal data is retained as long as the Controller's account is active. Upon account deletion, all personal data, proposals, signatures, and audit trails are permanently deleted within 30 days. Backups containing the data are purged within 90 days.

Data breach notification

In the event of a personal data breach, Proposly will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the nature, scope, and recommended measures.

Contact

For DPA-related inquiries, contact us at hello@proposly.tech.