Data Processing Agreement
Last updated: April 18, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the NewsPro Terms of Service between NewsPro ("we," "us," "Processor") and you, the customer ("you," "Controller"). This DPA applies when you use the NewsPro platform to operate a website that collects or processes personal data belonging to your end-users (visitors, readers, commenters, subscribers).
This DPA is intended to comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Israeli Protection of Privacy Law, and other applicable data protection laws. Terms not defined here have the meaning given in the GDPR.
1. Definitions
- Controller — You, the NewsPro customer, who determines the purposes and means of processing your end-users' personal data.
- Processor — NewsPro, who processes personal data on your behalf.
- Sub-Processor — A third-party service provider engaged by NewsPro to assist in processing your data.
- Data Subject — Any natural person whose personal data is processed (your end-users, readers, commenters, subscribers).
- Personal Data — Any information relating to an identified or identifiable natural person.
- Processing — Any operation performed on personal data (collection, storage, use, disclosure, deletion).
- Customer Data — All content, files, and data you submit to or store on the NewsPro platform, including your end-users' data.
2. Roles and Responsibilities
2.1 You Are the Data Controller
When you operate a website on NewsPro, you are the data controller for all personal data collected from your website's visitors, readers, subscribers, and commenters. You are responsible for:
- Providing a lawful basis for every type of personal data you collect
- Publishing a compliant privacy policy on your website
- Obtaining necessary consents (e.g., cookie consent, newsletter opt-in)
- Responding to data subject rights requests (access, deletion, portability)
- Notifying your end-users about how their data is processed
- Ensuring any AI-generated content complies with applicable law
2.2 We Are the Data Processor
NewsPro processes your end-users' data solely on your documented instructions, which consist of your use of the platform and configuration settings. We will not process Customer Data for any other purpose, including our own commercial purposes.
NewsPro is also an independent data controller for data we collect about you (our customer) for billing, account management, support, and platform security — this is governed by our Privacy Policy.
3. Nature and Purpose of Processing
| Category | Data Processed | Purpose |
|---|---|---|
| Analytics | Hashed IP (daily rotation), country/region/city, device, browser, OS, page paths, UTM parameters, session duration, referrer | Traffic analytics dashboard for your site |
| Comments | Name (if provided), email (if provided), comment content, IP address, timestamp | Comment system on your articles |
| User accounts | Name, email, hashed password (bcrypt), social OAuth tokens, profile data | Reader accounts on your site |
| Forms & contacts | Name, email, phone, message content, file attachments | Contact forms and custom forms on your site |
| Subscriptions | Email, name, subscription tier, billing status (payment handled by gateway) | Reader subscription / paywall management |
| Media & content | Uploaded images, videos, audio, documents | Content storage and delivery for your site |
4. Data Isolation and Security
Each NewsPro site operates in a fully isolated database. Your site's data is stored in a dedicated MySQL database (e.g., np_tenant_yoursite) accessible only by your site's dedicated database credentials. No other customer can access your data, and our platform never mixes tenant data.
Technical and organizational measures we maintain:
- Encryption at rest — Payment tokens encrypted with AES-256-CBC; passwords hashed with bcrypt (cost factor 12)
- Encryption in transit — All connections over TLS/HTTPS; media uploads signed with AWS4-HMAC-SHA256
- Access control — Role-based access, session tokens, CSRF protection on all forms, IP-based rate limiting on login
- Audit logging — All authentication events (login, logout, password changes) logged with IP and user agent
- 2FA — Time-based OTP (TOTP) available for admin accounts
- Backups — Automated daily backups with 7–30 day retention depending on plan
- Physical security — Servers hosted in data centers with appropriate physical access controls
5. Data Retention and Deletion
5.1 Active Sites
We retain your Customer Data for as long as your subscription is active. You may export or delete your data at any time through the site dashboard.
5.2 After Cancellation
When a subscription is cancelled or expires:
- Your site enters a suspended state — data is preserved but the site goes offline
- Data is retained for a grace period of 30 days to allow reactivation or export
- After 30 days: the tenant database is permanently dropped (DROP DATABASE), the database user deleted, and all associated files removed from storage
- This deletion is irreversible
5.3 Analytics Data
Built-in site analytics data (page views, sessions) auto-expires after 30 days on a rolling basis. IPs are never stored directly — only a daily-rotating hash is used for deduplication.
5.4 Data Subject Deletion Requests
If one of your end-users requests deletion of their personal data, you are responsible for processing that request through your site's dashboard. We will support you by providing the technical means to delete specific user accounts, comments, and form submissions.
6. Sub-Processors
We engage the following sub-processors to operate the platform. By accepting this DPA you authorize their use. We will notify you of material changes to this list with at least 14 days' notice.
| Sub-Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Tranzila | Payment processing (billing for your subscription) | Encrypted card tokens, transaction amounts | Israel |
| SMTP provider | Transactional email delivery (account notifications, billing) | Recipient email address, email content | Varies |
| Cloud storage (R2 / S3 / etc.) | Media file storage for your site (images, video, audio) | Uploaded files | Configurable per account |
| AI providers (xAI, OpenAI, Anthropic, Google) | AI-assisted content generation | Writing prompts, site topic, article drafts — no PII | USA |
| Social platforms (Meta, X, TikTok, etc.) | Auto-publishing your content to connected social accounts | Your OAuth tokens, published article content | USA / Varies |
| PayPal | Affiliate commission payouts (if you participate in the affiliate program) | Your PayPal email address | USA |
7. International Data Transfers
Some sub-processors (AI providers, social platforms) are located outside the EU/EEA. Where we transfer personal data to countries that have not received an EU adequacy decision, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) — EU Commission-approved clauses incorporated into our agreements with sub-processors
- Adequacy decisions — Where the recipient country has been deemed adequate by the European Commission
- Data minimization — We minimize personal data in transfers (e.g., no PII is sent to AI providers)
You may request a copy of applicable SCCs or transfer safeguards by contacting us at support@newspro.io.
8. Confidentiality
We ensure that all personnel authorized to process Customer Data are subject to a contractual or statutory obligation of confidentiality. Access to Customer Data is limited to personnel who need it to fulfill our contractual obligations to you.
9. Data Subject Rights Assistance
We will assist you in fulfilling data subject rights requests to the extent technically possible. This includes:
- Right of access — Data export tools available in the site dashboard
- Right to erasure — User account deletion, comment deletion, form submission deletion via dashboard
- Right to portability — Content export (articles, categories, pages, media) available at any time
- Right to rectification — User profile editing available in the dashboard
Requests that cannot be fulfilled through the dashboard may be submitted to support@newspro.io. We will respond within 72 hours for urgent requests.
10. Security Incident Notification
In the event of a personal data breach affecting Customer Data, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed
- Cooperate with you in notifying supervisory authorities and affected data subjects as required by applicable law
Security incidents must be reported to us at support@newspro.io.
11. Audits and Inspections
We will make available all information reasonably necessary to demonstrate compliance with this DPA. You may request an audit of our data processing practices no more than once per calendar year, with at least 30 days' written notice, subject to confidentiality obligations. Audit costs are borne by you unless a breach is found.
12. Return or Deletion of Data
Upon termination of your subscription, at your choice, we will either:
- Return all Customer Data in a machine-readable format (JSON/CSV export), upon request made within 30 days of termination, or
- Securely delete all Customer Data after the 30-day grace period
Anonymized or aggregated data derived from your use of the platform (e.g., aggregate usage statistics) may be retained.
13. Liability and Indemnification
Each party is liable for its own obligations under this DPA. We are not liable for data protection violations that result from your instructions, your use of the platform, or your failure to comply with your obligations as data controller. Our total liability under this DPA is subject to the limitations set out in the main Terms of Service.
14. Term
This DPA is effective from the date you accept the Terms of Service and remains in force for as long as we process Customer Data on your behalf. It terminates automatically upon permanent deletion of all Customer Data.
15. Governing Law
This DPA is governed by the same law as the main Terms of Service. For customers in the EU/EEA, it incorporates the requirements of the GDPR and any applicable national implementing legislation.
16. Contact
For questions about this DPA, data subject rights requests, or to report a security incident:
- Email: support@newspro.io
- Subject line: "DPA Request — [your site name]"