Last updated: April 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Keyvity e.U., operating as ReportLayer ("Processor"). It governs the processing of personal data that the Controller uploads or generates through the ReportLayer Service, as required by Article 28 of the EU General Data Protection Regulation (GDPR).
By accepting the Terms of Service, you agree to the terms of this DPA. No separate signature is required.
Controller: The agency, freelancer, or other entity that has registered a ReportLayer account and uploads or generates personal data about its own clients within the Service.
Processor: Keyvity e.U., Anton-Mahringer-Weg 35, Villach 9500, Austria (VAT: ATU79094445), operating as ReportLayer. Contact: privacy@reportlayer.io.
The subject matter of processing under this DPA is the provision of the ReportLayer software-as-a-service platform, including storing client records, fetching performance data via Google APIs, generating report pages, and delivering scheduled report emails.
This DPA takes effect when the Controller accepts the Terms of Service and remains in force for the duration of the Controller's active account. Upon account deletion or termination, the Processor's obligations regarding deletion of data apply as set out in Section 7.
The Processor processes personal data on behalf of the Controller for the following purposes:
The Processor will not process personal data for any purpose beyond what is necessary to provide the Service as described above.
The Processor processes the following categories of personal data on behalf of the Controller:
The data subjects are the Controller's end clients whose names and email addresses are stored in the Service. The Controller is responsible for ensuring it has a lawful basis to share this information with the Processor for the purpose of generating and delivering reports.
In accordance with Article 28(3) GDPR, the Processor agrees to the following obligations:
The Processor will process personal data only on the documented instructions of the Controller, as set out in these Terms and this DPA. If the Processor is required by EU or member state law to process data beyond those instructions, it will inform the Controller before processing (unless prohibited by law on grounds of public interest).
The Processor will ensure that all persons authorized to process the Controller's personal data are bound by appropriate confidentiality obligations, whether by contract or by operation of law.
The Processor will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, implementation costs, and the nature of the data (Art. 32 GDPR). These measures include: encryption of data in transit (TLS), database-level row-level security (RLS) policies, hashed credential storage, and access controls limiting system components to only the data they require.
The Processor may engage sub-processors to assist in providing the Service. The Controller provides general authorization for the Processor to engage sub-processors, subject to the conditions in this section.
The Processor will: (a) impose data protection obligations on sub-processors equivalent to those set out in this DPA; (b) remain fully liable to the Controller for the performance of any sub-processor's obligations; and (c) notify the Controller of any intended addition or replacement of sub-processors, giving the Controller reasonable opportunity to object.
The current list of approved sub-processors is set out in Section 9.
The Processor will assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Where the Controller requires assistance to respond to a specific request, it should contact privacy@reportlayer.io.
The Processor will assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, data protection impact assessments, and prior consultation). In the event of a personal data breach affecting the Controller's data, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information for the Controller to meet its own notification obligations.
Upon termination of the DPA, or upon written request by the Controller, the Processor will delete all personal data processed on the Controller's behalf, unless retention is required by applicable law. The Processor will confirm deletion in writing upon request. Deletion of a specific client's data can be triggered at any time by the Controller by deleting that client from within the Service.
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. Where possible, the Processor may satisfy this obligation by providing relevant certifications, security documentation, or third-party audit reports in lieu of an on-site audit. Requests should be directed to privacy@reportlayer.io.
Where the Processor or its sub-processors transfer personal data to countries outside the European Economic Area (EEA), such transfers are subject to appropriate safeguards as described in the Privacy Policy. In particular:
Each party is liable for breaches of this DPA attributable to its own actions or omissions. The Processor's total liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Where a data subject brings a claim against the Controller that relates to a breach caused by the Processor's failure to comply with this DPA, the Processor will indemnify the Controller for that portion of the liability directly attributable to the Processor's breach, subject to the limitations in the Terms of Service.
The following sub-processors are currently authorized to process personal data on the Processor's behalf in connection with the Service:
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase | Database hosting and authentication | Germany (EU) | Within EEA — no transfer |
| Resend Inc. | Transactional and report email delivery | United States | Standard Contractual Clauses (Art. 46 GDPR) |
| Google LLC | Analytics data (GA4) and API access (GSC, Ads) | United States | EU-U.S. Data Privacy Framework + SCCs |
| LemonSqueezy | Payment processing and subscription management | United States | Standard Contractual Clauses (Art. 46 GDPR) |
The Processor will notify the Controller of any intended changes to this list (additions or replacements) with reasonable advance notice via email or a notice on this page, giving the Controller the opportunity to object to such changes before they take effect.
This DPA is governed by the laws of Austria. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.
For questions about this DPA or to exercise your rights as a Controller, contact us at:
Keyvity e.U. — Privacy
Anton-Mahringer-Weg 35
Villach 9500, Austria
privacy@reportlayer.io