Data Processing Agreement
Last updated: May 6, 2026
Each section includes a plain English explanation.
This Data Processing Agreement ('DPA') is automatically incorporated into the Terms of Service between you (the 'Controller') and Ruud Digital Solutions (org. nr. 932375311), operating Assembo (the 'Processor'). The Processor's registered address is Botnafjellsvegen 47, 5353 Straume, Norway. By accepting the Terms of Service or continuing to use Assembo, you accept this DPA. No separate signature is required. This DPA reflects our commitment to processing your data in compliance with GDPR and other applicable data protection laws.
You already accepted this when you signed up - no separate signature needed. This is standard modern SaaS practice and legally valid in the EU. If you're a business handling EU user data, you need this on file. We've made it readable so you actually know what you agreed to.
1. Definitions
- 'Controller' means the entity that determines the purposes and means of processing personal data.
- 'Processor' means the entity that processes personal data on behalf of the Controller.
- 'Data Subject' means an identified or identifiable natural person.
- 'Personal Data' means any information relating to a Data Subject.
- 'Processing' means any operation performed on Personal Data.
- 'Sub-processor' means any third party engaged by the Processor to process Personal Data.
What it means
Quick vocab lesson: You (the customer) are the Controller - you decide what data to put in Assembo. We're the Processor - we handle it for you. Sub-processors are the other services we use (Supabase, Stripe, etc.).
2. Scope and purpose
- This Data Processing Agreement ('DPA') is automatically incorporated into the Terms of Service between you ('Controller') and Assembo ('Processor').
- By accepting the Terms of Service or continuing to use Assembo, the Customer accepts this DPA. No separate signature is required.
- This DPA applies to all processing of Personal Data by Assembo on your behalf in connection with the services provided.
- In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail.
What it means
This DPA is automatically part of our Terms - you accepted it when you signed up. No signatures, no PDFs, no faxing anything to anyone. It's legally valid in the EU (and everywhere else). If the Terms and DPA ever conflict, the DPA wins.
3. Data processing details
- Subject matter: Provision of theme and block library services.
- Duration: For the duration of your subscription plus any legally required retention period.
- Nature and purpose: Storage, retrieval, and processing of user account data and themes.
- Type of Personal Data: Email addresses, names, profile information, theme preferences, usage data.
- Categories of Data Subjects: Your end users and account holders.
What it means
What we process: emails, names, themes, and how you use the app. Why: to make Assembo work. How long: while you're a customer, plus whatever the law requires us to keep.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to Data Subject rights requests.
- Delete or return all Personal Data upon termination, unless retention is required by law.
- Make available all information necessary to demonstrate compliance.
What it means
We promise to: only do what you tell us with your data, keep it confidential, keep it secure, help you with GDPR requests, delete it when you leave (unless we legally can't), and prove we're following the rules.
5. Sub-processors
- The Controller authorizes the use of Sub-processors for providing the Service.
- Current Sub-processors: Supabase (database, EU), Stripe (payments, US/EU), Resend (email, US), PostHog (analytics, EU), Vercel (hosting, Global).
- We will notify you of any intended changes to Sub-processors with reasonable notice.
- You may object to a new Sub-processor on legitimate data protection grounds.
What it means
We use other services to run Assembo. Here's who: Supabase stores your data in the EU. Stripe handles payments. Resend sends emails. PostHog does analytics (EU servers). Vercel hosts the site. If we add new ones, we'll tell you.
6. Data transfers
- Personal Data may be transferred outside the EEA to Sub-processors in the US.
- Such transfers rely on Standard Contractual Clauses (SCCs) approved by the EU Commission.
- We ensure all Sub-processors provide adequate data protection guarantees.
- You consent to these transfers by accepting this DPA.
What it means
Some of our tools are US-based. We use Standard Contractual Clauses (the EU-approved way) to make these transfers legal. All our sub-processors have solid data protection in place.
7. Security measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls and authentication for all systems containing Personal Data.
- Regular security assessments and vulnerability testing.
- Incident response procedures for potential data breaches.
- Employee training on data protection and security.
- Physical security measures at data center facilities (managed by Sub-processors).
What it means
Technical security stuff: everything's encrypted (both in storage and when moving around), only authorized people can access data, we test for vulnerabilities, we have a plan if something goes wrong, and our team knows how to handle data properly.
8. Data breach notification
- We will notify you without undue delay (within 72 hours where feasible) upon becoming aware of a Personal Data breach.
- Notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken.
- We will cooperate with you in investigating and mitigating any breach.
What it means
If something bad happens to your data, we'll tell you within 72 hours with all the details you need. Then we'll work together to fix it.
9. Data subject rights
- We will assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- If we receive a request directly, we will redirect the Data Subject to you unless legally required to respond.
- We provide tools in your account settings to export and delete your data.
What it means
GDPR gives people rights over their data. When someone asks you about their data, we'll help you handle it. If they come to us directly, we'll point them back to you. You can also export or delete everything from your settings.
10. Audits
- We will make available information necessary to demonstrate compliance with GDPR.
- You may conduct audits or inspections, or mandate an independent auditor, with reasonable notice.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.
What it means
You have the right to verify we're doing what we say. Want to audit us? Give us reasonable notice and we'll make it happen. Just don't show up unannounced expecting a tour.
11. Term and termination
- This DPA remains in effect as long as we process Personal Data on your behalf.
- Upon termination of services, we will delete your Personal Data within 30 days, unless retention is legally required.
- You may request a copy of your data before deletion.
What it means
This agreement lasts as long as you're a customer. When you leave, we delete your data within 30 days (grab a copy first if you want it). Some stuff might stick around if the law requires it.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed to Processors, or where it has acted outside of lawful instructions.
What it means
If we mess up on our GDPR obligations, we're responsible. The overall liability limits from the Terms of Service still apply though.
13. Contact for data protection
For any questions about this DPA or data protection matters, contact us at: marcruud@gmail.com
What it means
Data protection questions? Email our DPO (Data Protection Officer) at marcruud@gmail.com. We actually read these.