# Privacy and Data Processing

## Content Plan

This document should provide an overview of data privacy requirements and link to specific policy documents.

## Planned Content

### TL;DR
- Overview of GDPR/privacy compliance requirements
- Quick links to policy templates and examples
- Client communication guidelines for data handling
### Key Documents Needed

#### Sub-Processor List
- All third-party services that process client data
- Categories of data each processor handles
- Data storage locations (regions/countries)
- Regular review and update schedule

Example sub-processors to document:

| Service | Purpose | Data Type | Location |
|---|---|---|---|
| GridPane | Server management | Site data | US/EU |
| Cloudflare | CDN/Security | Traffic data | Global |
| Postmark | Email delivery | Email addresses | US |
| Backblaze | Backups | Full site data | US |

#### Privacy Policy Template
- Standard clauses for client websites
- Cookie disclosure requirements
- Data collection transparency
- User rights (access, deletion, portability)
- Contact information for data requests

#### Cookie Policy Template
- Categories of cookies used
- Essential vs optional cookies
- Third-party cookie disclosure
- Consent mechanism requirements
- Cookie banner implementation

#### Terms of Service
- Service scope and limitations
- User responsibilities
- Acceptable use policy
- Intellectual property provisions
- Liability limitations

#### Data Processing Addendum (DPA)
- Standard contractual clauses
- Processor obligations
- Security measures
- Breach notification procedures
- Audit rights
- See: Kinsta DPA Example

## Client Communication

### When to Discuss Data Processing
- During onboarding
- When adding new third-party services
- After significant infrastructure changes
- Annual review/update

### Key Points for Clients

- We act as the data processor; the client is the data controller
- Data is stored on infrastructure they control/approve
- We maintain security best practices
- They must inform us of specific compliance requirements

## Compliance Checklist
- Sub-processor list documented and shared
- Privacy policy covers all data collection
- Cookie consent mechanism implemented
- DPA available for clients requiring it
- Data retention periods defined
- Breach response procedure documented
- Regular security reviews scheduled

## Resources
- Kinsta DPA Example - Reference DPA structure
- Policy Examples - Examples from major companies
- GDPR official text: https://gdpr.eu/
- ICO guidance (UK): https://ico.org.uk/