Data Processing Agreement
Version 0.9-draft (effective ) · Last updated Draft
Draft — pending legal review. This document is placeholder copy authored by the ForestVPN team and has not been reviewed or approved by counsel. It is provided so the structure and routes are in place; it is not binding legal text and must not be relied upon. Counsel will replace this body before launch.
This Data Processing Agreement ("DPA") forms part of the agreement between ForestVPN and a business customer ("Tenant") that operates a white-label VPN product powered by the ForestVPN platform. It governs ForestVPN's processing of personal data relating to the Tenant's own end users.
1. Roles of the parties
For personal data relating to the Tenant's end users, the Tenant is the controller and ForestVPN is the processor. The Tenant determines the purposes and means of processing its end users' data; ForestVPN processes that data only on the Tenant's documented instructions, including as set out in this DPA and the underlying agreement. Where applicable law uses different terms (for example "business" and "service provider"), the equivalent roles apply.
2. Scope and subject-matter of processing
ForestVPN processes Tenant end-user personal data solely to provide the VPN Service to the Tenant — provisioning accounts and devices, authenticating users, metering and billing usage, securing the network, and supporting the Tenant. Processing lasts for the term of the underlying agreement.
3. Categories of data and data subjects
- Data subjects: the Tenant's end users (and their devices).
- Categories of personal data: account email and identity-provider subject identifiers; device records (name, platform, public keys, last-seen timestamp); billing metadata; and aggregate connection counters (timestamp, region, direction, bytes/packets). Consistent with the no-logs design, ForestVPN does not process browsing history, DNS queries, traffic content, or destination addresses. See the Privacy Policy for the full inventory.
4. ForestVPN's obligations
ForestVPN will: process end-user data only on the Tenant's documented instructions; ensure persons authorized to process the data are bound by confidentiality; implement appropriate technical and organizational security measures; assist the Tenant with data-subject requests and with its own security, breach-notification, and impact-assessment obligations; and, at the Tenant's choice, delete or return end-user data at the end of the engagement, subject to retention required by law.
5. Sub-processors
The Tenant authorizes ForestVPN to engage sub-processors to deliver the Service. ForestVPN's current sub-processors include its payment processors (Stripe and CloudPayments, and Apple/Google for in-app purchases), its email provider (Enbbox), its edge/network provider (Cloudflare), and its hosting and storage providers (Hetzner, and Google Cloud for artifact registry and object storage). ForestVPN remains responsible for its sub-processors' performance and will give the Tenant reasonable notice of intended changes so the Tenant can object.
6. International transfers
Where processing involves transferring personal data across borders, the parties will rely on a lawful transfer mechanism (such as the applicable standard contractual clauses) as confirmed by counsel.
7. Security and breach notification
ForestVPN maintains technical and organizational measures appropriate to the risk, including encryption in transit and access controls, and will notify the Tenant without undue delay after becoming aware of a personal-data breach affecting the Tenant's end users.
8. Audit
ForestVPN will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits as required by applicable law, on reasonable notice and subject to confidentiality.
9. Relationship to the agreement
This DPA supplements the underlying agreement between ForestVPN and the Tenant. The exact form of this DPA — whether a standalone signed agreement or a click-through schedule to the platform terms — and its governing law will be confirmed by counsel before launch.
10. Contact
Questions about this DPA can be sent to [email protected].