Data Processing Agreement
Version 1.0.0 (effective ) · Last updated
This Data Processing Agreement ("DPA") forms part of the agreement (the "Agreement") between the ForestVPN operating company located at #27, 36-38, Takaishvili st., Batumi, Georgia, 6004 ("ForestVPN") and a business customer ("Tenant") that operates a white-label VPN product powered by the ForestVPN platform. It governs ForestVPN's processing of personal data relating to the Tenant's own end users. The DPA is incorporated into the Agreement as a click-through schedule to the platform Terms of Service, and the Tenant agrees to its terms by accepting those Terms of Service or by signing this DPA; ForestVPN will provide a countersigned copy on the Tenant's reasonable request.
1. Roles of the parties
For personal data relating to the Tenant's end users, the Tenant is the controller and ForestVPN is the processor. The Tenant determines the purposes and means of processing its end users' data; ForestVPN processes that data only on the Tenant's documented instructions, including as set out in this DPA and the Agreement. Where applicable law uses different terms (for example "business" and "service provider" under California law), the equivalent roles apply.
2. Subject-matter, duration, nature, and purpose
ForestVPN processes Tenant end-user personal data solely to provide the VPN Service to the Tenant — provisioning accounts and devices, authenticating users, metering and billing usage, securing the network, and supporting the Tenant. The nature of processing is the hosting, transmission, storage, and operational handling of the data categories in section 3. Processing lasts for the term of the Agreement and the limited wind-down period in section 9.
3. Categories of data and data subjects
- Data subjects: the Tenant's end users (and their devices).
- Categories of personal data:
  - account email and identity-provider subject identifiers;
  - device records (name, platform, public networking keys, last-seen timestamp, operational configuration);
  - billing metadata (plan, subscription status, payment vendor, card brand/country/last-four, never the full card number); and
  - aggregate connection counters (timestamp, account/device/session, direct-vs-relay, broad region, direction, bytes/packets), retained for 90 days.
- Excluded data. Consistent with the no-logs design, ForestVPN does not process browsing history, DNS queries, traffic content, or destination addresses. See the Privacy Policy for the full inventory.
- No special-category data is requested or required by the Service; the Tenant must not instruct ForestVPN to process special-category data through the Service.
4. ForestVPN's obligations
ForestVPN will:
- process end-user data only on the Tenant's documented instructions, including for international transfers, unless required to act otherwise by law (in which case it will inform the Tenant unless legally prohibited);
- ensure persons authorized to process the data are bound by confidentiality;
- implement the technical and organizational security measures in section 7;
- assist the Tenant, taking into account the nature of processing, with responding to data-subject requests and with the Tenant's own security, breach-notification, and data-protection-impact-assessment obligations; and
- at the Tenant's choice, delete or return end-user data at the end of the engagement, subject to retention required by law (section 9).
5. Sub-processors
The Tenant provides general authorization for ForestVPN to engage the sub-processors below to deliver the Service:
| Sub-processor | Function |
|---|---|
| Stripe, CloudPayments | Card payment processing |
| Apple App Store, Google Play | In-app purchases and subscriptions |
| Enbbox | Transactional email |
| Cloudflare | Edge network, DNS, DDoS protection |
| Hetzner | Core platform server/infrastructure hosting |
| Linode / Akamai | Relay (DERP) and network-edge server hosting |
| Google Cloud | Artifact registry and object storage |
| Backblaze | Encrypted off-site backup storage |
ForestVPN will impose data-protection obligations on each sub-processor no less protective than those in this DPA, remains responsible for its sub-processors' performance, and will give the Tenant reasonable prior notice of any intended addition or replacement so the Tenant may object on reasonable data-protection grounds. The current list also appears in the Privacy Policy.
6. International transfers
Where processing involves transferring personal data out of the EEA, the UK, or another protected region, the parties rely on a lawful transfer mechanism — the applicable module of the European Commission's Standard Contractual Clauses (and the UK Addendum where the UK GDPR applies), which are incorporated into this DPA by reference and completed with the details in sections 1–5.
7. Security measures
ForestVPN maintains technical and organizational measures appropriate to the risk, including:
- Encryption in transit — TLS for all network communication with the platform.
- Encryption at rest — sensitive credentials and secrets are encrypted at rest using AES-256-GCM.
- Access control — role-based access control across the three-plane (system / platform / consumer) architecture, with least-privilege scoping.
- Secret management — secrets are managed with SOPS-based encrypted configuration, not stored in plaintext.
- Backups — encrypted off-site backups with restricted access.
- Operational safeguards — logging and monitoring designed around the no-logs data model, so activity content is never collected in the first place.
8. Personal-data breach notification
ForestVPN will notify the Tenant without undue delay after becoming aware of a personal-data breach affecting the Tenant's end-user data, and will provide the information reasonably available to it (nature of the breach, affected data categories and approximate numbers of data subjects, likely consequences, and measures taken or proposed) to help the Tenant meet its own notification duties, supplementing the notice in phases as further information becomes available. Breach reports and security contact: [email protected].
9. Deletion and return on termination
On expiry or termination of the Agreement, ForestVPN will, at the Tenant's choice, delete or return the Tenant's end-user personal data and delete existing copies within a reasonable wind-down period, except to the extent retention is required by law. The 90-day connection-counter TTL and standard billing-record retention continue to apply during wind-down.
10. Audit
ForestVPN will make available to the Tenant information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Tenant or an auditor it mandates, on reasonable notice, no more than once per year (or as required by a supervisory authority), and subject to confidentiality and not unduly disrupting ForestVPN's operations.
11. Relationship to the Agreement and governing law
This DPA supplements and forms part of the Agreement. In the event of a conflict between this DPA and the rest of the Agreement on a data-protection matter, this DPA prevails. This DPA is governed by the laws of Georgia (the country), except where the Standard Contractual Clauses specify their own governing law.
12. Contact
ForestVPN — #27, 36-38, Takaishvili st., Batumi, Georgia, 6004. Questions about this DPA can be sent to [email protected]; security and breach matters to [email protected].