Data Processing Agreement

Pursuant to Art. 28 GDPR. Last updated: 12 June 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer") and Christopher Kurr, operating TestiPull (the "Processor", contact details in the Imprint). It applies automatically whenever you use the Service to collect and manage personal data of your own clients. No separate signature is required; this DPA is incorporated into the contract by reference.

1. Roles

For testimonial data you collect through the Service, you are the controller and TestiPull is the processor within the meaning of Art. 4(7) and Art. 4(8) GDPR. TestiPull processes this data only on your behalf and on your documented instructions; using the Service as intended (collecting, approving, displaying, exporting, and deleting testimonials) constitutes your instructions.

2. Subject matter, nature, and purpose of processing

The Processor hosts, stores, displays, and deletes testimonial data submitted by the Customer's clients via the Customer's collect links, for the purpose of providing the testimonial collection and display service. The duration of processing is the duration of the Customer's account.

3. Data subjects and data categories

Categories of data subjects:

  • The Customer's clients and business contacts who submit testimonials

Types of personal data:

  • Name, job title, and company of the testimonial author
  • Testimonial content and rating
  • Optional video URL and avatar image
  • Email addresses entered by the Customer when sending testimonial requests

No special categories of personal data (Art. 9 GDPR) are intended to be processed.

4. Obligations of the Processor

  • Process personal data only on the Customer's documented instructions, unless required otherwise by EU or member state law
  • Ensure that all persons authorized to process the data are bound by confidentiality
  • Implement the technical and organizational measures described in the Annex (Art. 32 GDPR)
  • Assist the Customer, insofar as possible, in responding to data subject requests (access, rectification, erasure, portability)
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data
  • Assist the Customer with data protection impact assessments and consultations with supervisory authorities where required
  • Delete all personal data at the end of the provision of services (account deletion removes all testimonial data permanently; backups expire within 30 days)
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, in a manner proportionate to the size of the service

5. Subprocessors

The Customer grants general authorization to engage the following subprocessors:

  • Supabase (database, authentication, file storage — hosted in the EU, eu-west-1, Ireland)
  • Vercel (application hosting and content delivery)
  • Resend (transactional email, only if the Customer enables email sending)

The Processor will announce changes to this list on this page and, for material changes, by email at least 14 days in advance. The Customer may object to a new subprocessor on reasonable data protection grounds; if no agreement is reached, the Customer may terminate the account.

6. International transfers

Testimonial data is stored in the European Union (Supabase, eu-west-1, Ireland). Where subprocessors based in the United States are involved (Vercel, Resend), transfers are safeguarded by Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, certification under the EU-US Data Privacy Framework.

7. Liability and final provisions

Liability under this DPA follows the limitation of liability in the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails. This DPA is governed by the laws of the Federal Republic of Germany.

Annex: Technical and organizational measures (Art. 32 GDPR)

  • Encryption in transit: all connections are encrypted via TLS (HTTPS)
  • Encryption at rest: database and file storage are encrypted at rest by the hosting provider
  • Access control: row-level security ensures each customer can only access their own projects and testimonials; administrative access is limited to the operator
  • Authentication: passwords are stored hashed; sessions use signed, expiring tokens
  • Data separation: customer data is logically separated per account
  • Backups: automated daily backups by the database provider, retained for up to 30 days
  • Deletion: self-service account deletion permanently removes all associated data, including uploaded files

Contact

Questions about this DPA can be directed to support@testipull.com.