Effective April 12, 2026
This Data Processing Agreement ("DPA") is entered into between the Client ("Controller") and YouSeemLegit ("Processor") and forms part of the Terms of Service.
Personal Data means any information relating to an identified or identifiable natural person processed through the Service. Processing means any operation performed on Personal Data. Data Subject means the End User whose Personal Data is processed. GDPR means the General Data Protection Regulation (EU) 2016/679. Sub-processor means any third party engaged by Processor to process Personal Data.
The Client is the Data Controller and determines the purposes and means of processing End User Personal Data. YouSeemLegit is the Data Processor and processes Personal Data only on behalf of and under the instructions of the Controller.
| Item | Description |
|---|---|
| Subject matter | Authentication services for the Controller's application |
| Duration | For the term of the Agreement |
| Nature | Collection, storage, retrieval, deletion of authentication data |
| Purpose | Authenticating End Users on behalf of the Controller |
| Data types | Email addresses, authentication tokens, session data, IP addresses |
| Data subjects | End Users of the Controller's application |
YouSeemLegit agrees to: process Personal Data only on documented Controller instructions; ensure personnel are bound by confidentiality obligations; implement appropriate technical and organizational security measures; maintain a list of approved Sub-processors; assist with Data Subject rights requests within 5 business days; notify Controller of data breaches within 72 hours; delete or return all Personal Data within 30 days of termination.
The Controller agrees to ensure a lawful basis exists for processing End User Personal Data, provide all required notices to End Users, obtain necessary consents, and ensure instructions to YouSeemLegit comply with applicable data protection laws.
YouSeemLegit implements: TLS 1.2+ encryption in transit; bcrypt password hashing at cost factor 12; signed JWT tokens; PKCE on OAuth flows; rate limiting and account lockout; HTTP security headers (HSTS, CSP, X-Frame-Options); access controls on all administrative functions.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, database hosting | United States / EU |
| Upstash | Rate limiting (IP addresses only) | United States |
| Resend | Transactional email delivery | United States |
YouSeemLegit will provide 30 days' notice of any changes to Sub-processors.
Where Personal Data is transferred outside the EEA, YouSeemLegit ensures appropriate safeguards including Standard Contractual Clauses approved by the European Commission.
In the event of a Personal Data breach, YouSeemLegit will notify the Controller within 72 hours, providing details of the breach, affected data subjects, likely consequences, and remediation measures taken.
This DPA is governed by the same law as the Terms of Service. Where GDPR applies, EU law governs the relevant provisions.
Email: privacy@youseemlegit.com
Website: youseemlegit.com/dpa