Data Processing Agreement
This Data Processing Agreement forms part of the agreement between Silverfern Technology Consultants LLC and the Customer for the Unified DNS Platform.
Version: 1.0
Effective Date: March 17, 2026
Last Updated: March 17, 2026
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Silverfern Technology Consultants LLC, a New York limited liability company ("Processor," "we," "us," or "our"), and the entity agreeing to these terms ("Controller," "Customer," or "you").
This DPA supplements the Unified DNS Platform Terms of Service and Privacy Policy (together, the "Agreement") and applies to the extent that we process Personal Data on your behalf in connection with the Unified DNS Platform ("Service").
By using the Service, you agree to this DPA. If you are an MSP (Managed Service Provider) using the Service to manage DNS for your clients, you represent that you have the authority to bind your organization and that you have appropriate agreements in place with your own clients regarding the processing of their data.
2. Definitions
| "Personal Data" | Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service. |
| "Processing" | Any operation performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, transfer, erasure, or destruction. |
| "Controller" | The entity that determines the purposes and means of Processing Personal Data. In the context of the Service, this is the Customer (including MSPs acting on behalf of their clients). |
| "Processor" | The entity that processes Personal Data on behalf of the Controller. In the context of the Service, this is Silverfern Technology Consultants LLC. |
| "Sub-processor" | A third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| "Data Subject" | An identified or identifiable natural person whose Personal Data is processed. |
| "Data Breach" | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. |
| "Data Protection Laws" | All applicable laws relating to data protection and privacy, including the GDPR (EU General Data Protection Regulation), CCPA (California Consumer Privacy Act), and any other applicable data protection legislation. |
3. Scope and Roles
3.1 Roles of the Parties
With respect to the Processing of Personal Data under this DPA:
- (a) The Customer acts as the Controller (or, where applicable, a processor acting on behalf of its own controller).
- (b) Silverfern Technology Consultants LLC acts as the Processor, processing Personal Data only on behalf of and in accordance with the documented instructions of the Controller.
3.2 MSP Customers
If you are an MSP managing DNS for your clients through the Service:
- (a) You are the data controller for your clients' DNS data that you manage through the Service.
- (b) You are responsible for having appropriate data processing agreements in place with your own clients.
- (c) We do not access your client data except as necessary to provide the Service or as required by law.
4. Details of Processing
4.1 Categories of Data Subjects
- Customer employees and authorized users
- MSP client organization personnel (where applicable)
- Domain registrants and DNS administrators
4.2 Categories of Personal Data
| Category | Data Elements |
|---|---|
| Account Information | Full name, email address, phone number (optional), company name, job title, account credentials (stored as secure hash), user preferences |
| DNS Management Data | Domain names, DNS record types and values, TTL settings, zone configurations, DNSSEC settings, provider connection references, client organization names and associated domains |
| Usage & Activity Data | Activity logs, login timestamps, IP addresses, user agents, audit logs with user attribution, session identifiers |
| Technical Information | Browser type, operating system, device type, IP addresses, general geographic location (derived from IP), performance data |
| Support Data | Support ticket content, email communications, feedback, feature requests |
Note: Payment card details are handled exclusively by our PCI DSS Level 1 certified payment processor (Stripe) and are not directly stored by the Processor.
4.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the Unified DNS Platform service, including:
- Account creation, authentication, and management
- DNS management operations on behalf of the Customer
- Synchronization with connected DNS providers
- Invoice generation and billing
- Customer support
- Security monitoring and incident response
- Audit logging for compliance
- Service improvement (using anonymized and aggregated data)
4.4 Duration of Processing
Processing will continue for the duration of the Agreement. Upon termination, the Processor will delete or anonymize Personal Data within 30 days, except where retention is required by applicable law. Specific retention periods are detailed in Section 8.
5. Obligations of the Processor
The Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, unless required by applicable law to do otherwise, in which case the Processor shall inform the Controller of that legal requirement before processing (unless legally prohibited from doing so).
- (b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Implement and maintain appropriate technical and organizational security measures as described in Section 6.
- (d) Not engage another processor (sub-processor) without prior notification to the Controller, subject to the provisions in Section 7.
- (e) Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
- (f) Assist the Controller in ensuring compliance with obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- (g) At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- (h) Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
6. Security Measures
The Processor implements and maintains the following technical and organizational measures to protect Personal Data:
6.1 Technical Safeguards
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Secure credential storage in Azure Key Vault
- Multi-factor authentication (MFA) support
- Automated vulnerability scanning
- Regular security assessments
6.2 Access Controls
- Role-based access control (RBAC)
- Principle of least privilege
- Regular access reviews
- Secure authentication with JWT tokens
- Complete data isolation between organizations
6.3 Operational Security
- 24/7 infrastructure monitoring
- Incident response procedures
- Regular security training for personnel
- Background checks for employees with data access
- Hosting on Microsoft Azure infrastructure (US and Canada regions)
7. Sub-processors
7.1 Authorization
The Controller provides general written authorization for the Processor to engage sub-processors to assist in providing the Service. A current list of sub-processors is maintained at trust.udns.app/sub-processors.
7.2 Notification of Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, providing the Controller with an opportunity to object to such changes. Notification will be sent via email to the designated contact and published on the sub-processors page.
7.3 Objection Right
If the Controller has a legitimate data protection concern regarding a new or replacement sub-processor, the Controller may object in writing within the 30-day notice period. The parties shall then engage in good faith discussions for a period of up to 15 business days to resolve the objection. If, after good faith discussions, the Processor cannot reasonably accommodate the objection (for example, by offering an alternative sub-processor or configuration), the Controller may terminate the affected portion of the Service by providing 30 days' written notice, and the Processor shall refund any prepaid fees for the terminated portion covering the period after termination.
7.4 Sub-processor Obligations
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.
8. Data Retention and Deletion
8.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion |
| DNS Records and Zones | Duration of account + 30 days after deletion |
| Audit Logs | 7 years (for compliance) |
| Login Activity | 2 years |
| Backup Data | Per configured retention settings (max 10 backups) |
| Payment Records | 7 years (legal/tax requirements) |
| Support Communications | 3 years after resolution |
8.2 Deletion Upon Termination
Upon termination of the Agreement or upon the Controller's request:
- Personal Data will be deleted or anonymized within 30 days
- Data required for legal compliance (audit logs, payment records) may be retained for the periods specified above
- Backups containing Personal Data will be purged according to the backup rotation schedule
- The Processor will provide written confirmation of deletion upon request
8.3 Data Portability
DNS records and zone data managed through the Service remain stored at the Controller's connected DNS providers and can be accessed directly from those providers at any time. For data unique to the Service (audit logs, organizational structure, activity history), the Controller may request an export by contacting support@udns.app.
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable Data Protection Laws, including the right to:
- Access: Obtain confirmation of whether Personal Data is being processed and access to that data
- Rectification: Correct inaccurate or incomplete Personal Data
- Erasure: Request deletion of Personal Data (subject to legal retention requirements)
- Restriction: Restrict Processing in certain circumstances
- Portability: Receive Personal Data in a structured, commonly used format
- Objection: Object to Processing based on legitimate interests
The Processor will notify the Controller without undue delay if it receives a request from a Data Subject directly, and will not respond to the request without the Controller's prior authorization unless legally required to do so.
To exercise data subject rights, contact privacy@udns.app. We will respond within 30 days.
10. Data Breach Notification
10.1 Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
- Notify the Controller without undue delay after becoming aware of the Data Breach
- Provide sufficient information to enable the Controller to meet its obligations to report the breach to supervisory authorities and/or affected Data Subjects
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach
10.2 Breach Notification Contents
Notification to the Controller shall include, to the extent available:
- The nature of the Data Breach, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's point of contact
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
11. Data Location
The Service is hosted on Microsoft Azure infrastructure. Personal Data is stored and processed in the following locations:
- United States
- Canada (Azure Canada Central region)
Where Personal Data is transferred to sub-processors located outside the Controller's jurisdiction, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by relevant authorities and Data Processing Agreements with each sub-processor.
12. Audit Rights
The Processor shall make available to the Controller, upon reasonable request, all information necessary to demonstrate compliance with this DPA.
The Controller (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of the Processor's processing activities under this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of an audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller shall bear its own costs in connection with the audit
- Audits shall be limited to once per twelve-month period unless required by a supervisory authority or following a Data Breach
- Audit findings shall be treated as confidential information
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of its obligations under applicable Data Protection Laws where such limitations are not permitted.
14. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. The obligations of the Processor with respect to the Processing of Personal Data shall continue for as long as the Processor retains Personal Data on behalf of the Controller.
Upon termination of the Agreement, the Processor shall comply with Section 8.2 regarding deletion or return of Personal Data.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of New York, United States, without regard to its conflict of law provisions, consistent with the governing law provisions of the Agreement.
To the extent that Data Protection Laws of another jurisdiction apply to the Processing, the relevant provisions of those laws shall prevail in the event of a conflict with this DPA.
16. Contact Information
For questions regarding this DPA or to exercise any rights under it, please contact:
Silverfern Technology Consultants LLC
- Legal: legal@udns.app
- Privacy: privacy@udns.app
- Data Protection Officer: dpo@udns.app
- General Support: support@udns.app
This Data Processing Agreement was last updated on March 17, 2026.