Last updated: 3 March 2026

Data Processing Agreement

Pursuant to Art. 28 of the General Data Protection Regulation (GDPR)

How this DPA becomes binding - no signature required

This Data Processing Agreement is incorporated by reference into the Selge Terms of Service. By creating a Selge account and accepting the Terms of Service, you (as the data controller) and Selge (as the data processor) enter into this DPA as a binding agreement under Art. 28 GDPR.

No separate signature or click-through is required. This approach is legally valid under EU law (Art. 28(3) GDPR permits contracts “or other legal acts under Union or Member State law”; electronic agreements in text form satisfy this requirement under Sec. 126b BGB).

This is the same model used by Stripe, Google Cloud, AWS, Intercom, and most major SaaS providers operating under GDPR.

Need a countersigned PDF for your procurement / compliance team?

We can provide a signed copy on request. Contact privacy@selge.app with your company name and we will send a countersigned DPA within 5 business days. The terms will be identical to this page.

Parties to this Agreement

Data Controller

The legal entity or individual that has accepted the Selge Terms of Service and uses the Selge platform to collect feedback from their website visitors. (“Controller” or “Customer”)

Data Processor

[OPERATOR_FULL_NAME], operating as Selge ([OPERATOR_STREET_ADDRESS], [POSTAL_CODE] [CITY], Germany). (“Processor” or “Selge”)

This DPA has been in effect since 19 February 2026 and applies to all accounts created after that date. For accounts created before that date, a transitional period of 30 days applies.

1. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meaning ascribed to them in the GDPR or the Terms of Service.

  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Personal Data": Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
  • "Processing": Any operation or set of operations performed on personal data, as defined in Art. 4(2) GDPR.
  • "Controller": The Customer — the natural or legal person that determines the purposes and means of processing personal data via the Selge Service.
  • "Processor": Selge — processes personal data on behalf of the Controller.
  • "Sub-processor": Any third party engaged by Selge to carry out processing activities on behalf of the Controller.
  • "Data Subjects": Website visitors who complete surveys embedded on the Controller's website.
  • "Services": The Selge on-site survey platform as described in the Terms of Service.
  • "SCCs": EU Standard Contractual Clauses for the transfer of personal data to third countries, as adopted by the European Commission.

2. Subject matter and duration

This DPA governs the processing of personal data by Selge on behalf of the Controller in connection with the provision of the Services. Selge processes personal data only as a processor acting on the Controller's behalf.

This DPA remains in effect for as long as the Controller has an active Selge account or Selge otherwise processes personal data on behalf of the Controller. It terminates automatically when the Services agreement terminates and all personal data has been deleted pursuant to Section 11.

3. Nature and purpose of processing

Selge processes personal data for the following purposes, solely as instructed by the Controller:

  • Storing and retrieving survey responses submitted by Data Subjects on the Controller's website
  • Displaying survey response data in the Controller's dashboard
  • Generating AI-powered summaries of open-text responses (when the Controller uses this feature — powered by Anthropic)
  • Delivering survey response notifications to the Controller via Slack (when the Slack integration is enabled)
  • Providing CSV export functionality for survey response data
  • Operating technical infrastructure necessary to deliver the Services (hosting, CDN, error monitoring)

Selge does not process personal data for its own purposes, for advertising, or to train AI models beyond what is strictly necessary to provide the Services.

4. Categories of data and data subjects

Categories of data subjects

Website visitors who visit pages on the Controller's website where a Selge survey is active and who complete or interact with such a survey.

Categories of personal data processed

| Data field | Notes |
| --- | --- |
| Survey answers | Content varies by survey design. Open-text responses may contain personal data volunteered by the data subject. The Controller is responsible for designing surveys that do not collect disproportionate personal data. |
| Page URL | The URL of the page on the Controller's website where the survey was shown. |
| Browser type and version | Technical metadata, not directly identifying on its own. |
| Device type | Desktop or mobile. Not directly identifying. |
| Country of origin | Derived from IP address at submission time. The full IP address is discarded immediately and never stored by Selge. |
| Session identifier | A random pseudonymous ID stored in the visitor's browser sessionStorage (not a cookie) for the duration of the browser session only. Used to prevent duplicate submissions. |

Important notice for Controllers

You (the Controller) are responsible for ensuring that your survey questions are appropriate and that you have a valid legal basis for collecting the data you ask for. In particular, avoid asking for sensitive data categories (Art. 9 GDPR) such as health information, political opinions, or ethnic origin unless you have explicit consent and a clear legal basis. Selge processes whatever data your surveys collect — you design what that is.

5. Controller obligations

The Controller warrants and undertakes that:

  • All instructions given to Selge for the processing of personal data comply with applicable data protection laws, including GDPR.
  • The Controller has obtained, or will obtain, any necessary consents or has another valid legal basis (Art. 6 GDPR) for the processing of personal data via the Service.
  • The Controller has published, or will publish, a privacy notice on its website that informs data subjects about the collection and processing of their data via on-site surveys, and identifies Selge as a data processor.
  • The Controller will provide data subjects with appropriate information about the processing of their data (Art. 13/14 GDPR) before or at the time of data collection.
  • The Controller will not use the Service to collect sensitive personal data (Art. 9 GDPR) without ensuring appropriate additional safeguards and legal basis.
  • The Controller will notify Selge promptly if it becomes aware of any data subject rights requests, data breaches, or regulatory enquiries relating to data processed under this DPA.

6. Processor obligations

Selge shall, with respect to personal data processed under this DPA:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law (in which case Selge will inform the Controller unless prohibited by law).
  • Ensure that persons authorised to process the personal data are subject to appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures as set out in Section 7.
  • Not engage sub-processors without the Controller's general written authorisation, and ensure sub-processors are bound by obligations equivalent to those in this DPA (see Section 8).
  • Assist the Controller in fulfilling obligations to respond to requests from data subjects exercising their rights (Art. 15-22 GDPR), taking into account the nature of processing.
  • Assist the Controller in ensuring compliance with the obligations under Art. 32-36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available.
  • At the choice of the Controller, delete or return all personal data at the termination of the Services and delete existing copies unless storage is required by EU or Member State law (Section 11).
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

7. Technical and organisational measures (Art. 32 GDPR)

Selge implements the following measures to protect personal data:

| Category | Measures in place |
| --- | --- |
| Access control | Authentication required for dashboard access. Row Level Security (RLS) in database ensures users can only access their own data. No direct database access by widget — insert-only via API with domain validation. |
| Encryption | All data in transit encrypted via TLS 1.2+. Data at rest encrypted by Supabase (AES-256). Passwords stored as bcrypt hashes (never in plain text). |
| Data minimisation | Full IP addresses never stored — country derived at submission time and IP discarded. No persistent visitor identifiers (sessionStorage only, cleared on tab close). No unnecessary data collected. |
| Pseudonymisation | Survey responses are stored with a random session ID (not linked to any user identity). No name, email, or account identifier is associated with responses unless voluntarily provided by the visitor in an open-text field. |
| Bot/spam protection | Honeypot fields, timing checks (submissions under 2 seconds rejected), IP-based rate limiting (1 response per IP per survey per hour). |
| Error monitoring | Sentry used for error tracking. Configured to minimise personal data capture in error logs. |
| Infrastructure security | App and widget hosted on Hetzner (EU-based, ISO 27001 certified) and Supabase (SOC 2 Type II). EU region (Germany) for all data storage. |
| Availability | Widget includes kill switch: if config API fails, widget loads nothing. Responses are queued in sessionStorage on submission failure and retried. No single point of failure for response submission. |
| Review and testing | Security controls reviewed periodically. Dependencies updated regularly. |

8. Sub-processors

The Controller grants Selge general authorisation to engage sub-processors. The current sub-processors engaged by Selge to process personal data covered by this DPA are:

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Supabase, Inc. | Primary database (survey responses, configurations, account data) | EU (Frankfurt, Germany) | No transfer — EU region |
| Hetzner Online GmbH | Application hosting, server infrastructure, and widget script delivery | EU (Germany) | No transfer — EU region |
| Anthropic, PBC | AI text analysis — used only when Controller uses the AI summary feature on open-text responses | United States | Standard Contractual Clauses (SCCs) |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting | United States | Standard Contractual Clauses (SCCs) |
| Slack Technologies, LLC (Salesforce) | Response notification delivery — used only when Controller has enabled the Slack integration | United States | Standard Contractual Clauses (SCCs) |

Changes to sub-processors

Selge will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days in advance by updating this page and notifying active Controllers by email. The Controller may object to such changes within 14 days by notifying Selge at privacy@selge.app. If the Controller objects and the parties cannot resolve the issue, the Controller may terminate the Services on 30 days' notice.

9. Data subject rights assistance

Selge will assist the Controller in responding to data subject rights requests (Art. 15-22 GDPR) as follows:

  • If a data subject contacts Selge directly with a rights request relating to survey responses, Selge will redirect the request to the Controller and notify the Controller promptly.
  • Selge will provide the Controller with technical tools (where available) to access, export, correct, or delete individual responses in order to fulfil data subject rights requests.
  • If a data subject requests deletion and the Controller instructs Selge to delete specific responses, Selge will do so within 30 days of receiving the instruction.
  • Selge will not independently fulfil data subject rights requests without instruction from the Controller, as the Controller is the data controller for survey response data.

10. Data breach notification

In the event of a personal data breach (Art. 4(12) GDPR) affecting personal data processed under this DPA, Selge shall:

  • Notify the Controller without undue delay and in any case within 72 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to allow the Controller to fulfil its own notification obligations to supervisory authorities (Art. 33 GDPR) and affected data subjects (Art. 34 GDPR).
  • Co-operate with the Controller and take reasonable steps to remediate the breach and mitigate its effects.

Notifications shall be sent to the email address registered on the Controller's Selge account. The Controller is responsible for keeping this email address current.

11. Deletion and return of data

Upon termination or expiry of the Services agreement, or at the Controller's earlier request:

  • The Controller may export all survey response data as CSV at any time via the dashboard, for up to 30 days after account deletion.
  • Selge will permanently delete all personal data processed under this DPA within 30 days of account termination, unless storage is required by applicable law.
  • Data stored in backup systems will be overwritten within the normal backup rotation cycle (maximum 30 days after the deletion instruction).
  • Upon request, Selge will confirm in writing that deletion has been completed.

Routine data retention during active use: survey responses are retained for 12 months by default. Controllers may configure shorter retention periods in project settings.

12. Audit and demonstration of compliance

Selge shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, including:

  • Providing this DPA and the sub-processor list upon request.
  • Responding to reasonable written questionnaires from the Controller about data processing practices.
  • Where required by a supervisory authority, facilitating audits or inspections by the Controller or an auditor mandated by the Controller, provided reasonable notice (at least 30 days) is given, audit scope is agreed in advance, and the Controller bears the costs of any third-party auditor.
  • Selge may satisfy audit requirements by providing relevant certifications, third-party audit reports (SOC 2), or by self-assessment documentation where these adequately cover the Controller's requirements.

13. Liability

Each party shall be liable to the other in accordance with applicable law for any damage caused by a breach of their respective obligations under this DPA and the GDPR.

Selge's liability under this DPA is subject to the limitations set out in the Selge Terms of Service. Nothing in this DPA limits either party's liability for fraud, gross negligence, or wilful misconduct.

The parties agree that the allocation of liability under Art. 82 GDPR shall follow the principles set out in that Article: each party is liable for the damage caused by the processing for which it is responsible.

14. Governing law and jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany, without regard to conflict-of-law provisions, and subject to the mandatory provisions of GDPR.

Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of [CITY], Germany, unless the parties agree otherwise.

15. Order of precedence

In the event of any conflict or inconsistency between this DPA, the Selge Terms of Service, and applicable data protection law, the following order of precedence applies:

  1. Applicable data protection law (including GDPR and national implementing legislation) — takes precedence over all
  2. This Data Processing Agreement
  3. The Selge Terms of Service

Annex: International data transfers

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), Selge relies on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism under Art. 46 GDPR (Commission Implementing Decision (EU) 2021/914).

By entering into this DPA, the Controller is deemed to have entered into the SCCs with Selge for any such transfers, with Selge as the data exporter and the relevant sub-processor as the data importer. Selge has conducted Transfer Impact Assessments (TIAs) for US-based sub-processors.

Copies of the SCCs and TIA summaries are available on request at privacy@selge.app.
