Data Processing Agreement
Last updated: April 12, 2026
This DPA supplements the Terms of Service and Privacy Policy and applies to users who need a data processing agreement for their compliance requirements.
1. Parties
- "Controller" — You, the user (sender, buyer, or receiver)
- "Processor" — GIGDATA LLC (operating as PartsBroadcast)
2. Scope of Processing
PartsBroadcast processes data on your behalf for:
- Distributing WTS and WTB blast emails to opted-in receivers
- Providing anonymous reply proxying between senders/buyers and receivers
- Managing subscriptions and billing
- Providing aggregate open-rate statistics
- Maintaining suppression lists for CAN-SPAM compliance
Categories of Data
| Category | Data Elements | Retention |
|---|---|---|
| Account data | Email, hashed password, company name, role | Until account deletion + 30 days |
| Blast content | Subject, body, commodity categories | 90 days in archive, then deleted |
| Open tracking | Blast ID, receiver ID, timestamp | 12 months |
| Receiver preferences | Commodity categories, brand preferences, digest schedule | Until account deletion |
| Suppression list | Email, reason, timestamp | 3 years (audit trail) |
| Payment data | Stripe customer/subscription IDs (no card numbers) | Until account deletion |
3. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure authorized persons are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Notify Controller before adding new sub-processors
- Assist in data subject rights requests
- Delete or return data upon service termination
4. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Contabo GmbH | Infrastructure hosting | United States |
| Cloudflare, Inc. | CDN and security | Global |
We will notify active subscribers at least 14 days before adding a new sub-processor.
5. Security Measures
- Encryption in transit: HTTPS/TLS on all connections
- Password security: Salted hashing, optional TOTP 2FA
- Access control: Role-based (sender/buyer/receiver/admin), JWT authentication
- Network security: Firewall rules, Cloudflare WAF, CSP headers
- Email authentication: SPF, DKIM, DMARC enforced
- Anonymous proxy: Reply messages are not stored; headers are rewritten in transit
6. Data Breach Notification
In the event of a breach, we will notify affected users within 72 hours, stating the nature of the breach, the data affected, the approximate number of records, and the remediation measures.
7. Data Subject Rights
We assist in fulfilling access, rectification, erasure, portability, and restriction requests. Account deletion is self-serve via the dashboard. Contact: admin@partsbroadcast.com, response within 15 business days.
8. International Transfers
All processing occurs in the United States. For GDPR transfer mechanisms, contact us to discuss Standard Contractual Clauses.
9. Audit Rights
Upon reasonable written request (once per year), you may request information about our data processing practices. We will respond within 30 business days.
10. Contact
GIGDATA LLC d/b/a PartsBroadcast
25422 Trabuco Rd STE 184
Lake Forest, CA 92630
admin@partsbroadcast.com