数据处理协议(DPA)
最近更新:2026 年 5 月 8 日 · GDPR + PIPL 双合规版本 · 中文为权威文本
本协议在用户接受
服务条款 时自动生效,构成 Filial Plus, Inc.("
处理者")与用户("
控制者")之间关于个人信息处理的约束性协议。
1. 定义
- 个人信息(PI):GDPR 4(1) / PIPL 4 项下的可识别自然人信息,本服务下含子女账户与父母敏感健康数据
- 敏感个人信息:GDPR 第 9 条 / PIPL 第 28 条 — 健康数据(血压、血糖、用药)、家庭关系
- 子处理者:见 Annex III
- 境外接收方:PIPL 38 条意义下,位于中国境外接收个人信息的实体
2. 处理目的与范围
处理者仅根据控制者文档化指示,为下列目的处理个人信息:
- 提供子女远程监护父母的 SaaS 功能
- 父母 OTP 短信验证
- 子女邮件 / 短信告警
- 支付订阅(Stripe)
- 系统安全审计(audit_log)
处理者不得用于上述外目的(包括但不限于:广告、画像、训练机器学习模型、出售、跨业共享)。
3. 处理者义务
- 仅按文档化指示处理,控制者可随时书面变更指示
- 对处理人员实施保密义务
- 采用 Annex II 所列技术与组织措施
- 聘用子处理者前给予 30 天事先通知,控制者可在合理理由下反对
- 协助控制者响应数据主体行权(访问、更正、删除、可携、反对)— 5 个工作日内
- 在已知或应知数据安全事件后72 小时内书面通知(GDPR 33 / PIPL 57)
- 协助控制者完成 DPIA / PIPIA / 监管沟通
- 合同终止后 30 天内删除或返还全部个人信息(除法律强制保留外,如 audit_log 7 年)
- 提供必要信息证明合规,配合审计(每 12 个月一次或事件后随时)
4. 跨境传输
4.1 PIPL 第 38 条 — 中国父母数据出境
由于父母位于中国大陆而子女位于境外,父母个人信息出境采用以下机制(处理者负责备案与执行):
- 个人信息出境标准合同(CAC 颁布的 SCC for PI Export,2023 年版)— 与境外接收方(AWS Inc. 等)签署并备案
- 已完成个人信息保护影响评估(PIPIA),覆盖出境必要性、风险评估、保护措施
- 父母在注册子女账户时通过子女 proxy 独立勾选"同意出境传输",并留存证据 7 年
- 父母可随时通过短信 OTP 验证身份后撤回同意,撤回后停止后续出境(已传输数据按 GDPR/PIPL 删除规则处理)
- 中国境内子处理者(如国内短信通道占位)数据本地化存储,不出境
4.2 GDPR 第 V 章 — 欧盟数据传输
- 欧盟 → 美国传输采用2021 EU SCCs Module 2(控制者→处理者)
- 处理者已加入 EU-US Data Privacy Framework (DPF)
- 必要时补充 Transfer Impact Assessment (TIA)
5. 数据主体权利支持
处理者协助控制者在下列时限内响应数据主体请求:
| 请求类型 | 响应时限 | 实现方式 |
| 访问 / 可携 | 15 日 | Dashboard 自助 JSON 导出 |
| 更正 | 5 日 | Dashboard 自助编辑 |
| 删除 | 30 日宽限期 + 立即执行 | Dashboard 自助 + 邮件二次确认 |
| 限制处理 | 10 日 | 邮件 dpo@filialplus.com |
| 反对 | 10 日 | 邮件 dpo@filialplus.com |
| 父母独立行权 | 15 日 | SMS OTP 验证身份后通过 dpo@filialplus.com |
6. 责任与赔偿
处理者因违反本 DPA 给控制者或数据主体造成损失的,承担相应赔偿责任,但累计责任不超过控制者过去 12 个月已支付费用(适用法律不允许的情形除外)。
7. 期限与终止
本 DPA 与服务条款同时生效,至全部个人信息删除或返还为止有效。终止后保密义务继续有效。
Annex I — 处理详情
I.A 各方
- 控制者(Controller):终端用户(子女)— 邮箱与 Dashboard 中显示
- 处理者(Processor):Filial Plus, Inc., Delaware, USA · DPO: dpo@filialplus.com
I.B 处理描述
| 数据主体类别 | 子女(付费用户)、父母(被监护方) |
| 个人信息类别 | 身份(邮箱、姓名、locale)、敏感(血压、血糖、用药、心情、备注)、家庭关系、电话号码、IP / UA |
| 敏感数据类型 | 健康数据(GDPR 9 / PIPL 28)— 血压、血糖、心理状态、用药记录 |
| 处理频次 | 持续(用户使用期间) |
| 处理性质 | 存储、阈值计算、邮件/短信派发、PDF 生成、JSON 导出 |
| 处理目的 | 提供 SaaS、告警、订阅、安全审计 |
| 保留期限 | 账户存续期间 + 30 天宽限删除;audit_log 7 年;Stripe 发票 7 年 |
Annex II — 技术与组织措施
- 加密:传输 TLS 1.3;静态 SQLite 文件系统层加密
- 认证:scrypt 密码哈希、JWT HS256 + 7 天过期、父母端 SMS OTP + 30 天 session 轮换
- 访问控制:最小权限、内部访问仅 DPO + 工程负责人、所有访问审计
- 审计:audit_log 不可篡改、7 年保留、含 IP/UA
- 容灾:每日全量备份(保留 30 天)、跨可用区复制
- 暴力破解防护:5 次错误锁定 + 60 秒 OTP 节流
- 错误监控:Sentry,PII 自动脱敏
- 员工培训:年度 GDPR + PIPL 培训 + 保密协议
- 事件响应:72 小时通知机制、外部安全顾问 on-call
- 第三方审计:年度渗透测试、依赖项 SCA 扫描
Annex III — 子处理者清单(含跨境)
| 子处理者 | 用途 | 处理位置 | 跨境合规 | 合同链接 |
| Amazon Web Services, Inc. | 主托管 (us-east-1) | 美国 | SCC + DPF + PIPL SCC | aws.amazon.com/compliance |
| Cloudflare, Inc. | 公开网站边缘托管 | 全球 | SCC + DPF | cloudflare.com/cloudflare-customer-dpa |
| Stripe, Inc. | 支付处理 | 美国 / 欧盟 | SCC + DPF + PCI-DSS L1 | stripe.com/legal/dpa |
| Twilio, Inc. | 父母 OTP 短信(国际) | 美国 / 新加坡 | SCC + DPF | twilio.com/legal/data-protection-addendum |
| 国内短信通道(占位) | 父母 OTP 短信(中国境内 fallback) | 中国大陆 | PIPL 数据本地化、与境外不互通 | — |
| Resend | 子女邮件通知 | 美国 / 欧盟 | SCC + DPF | resend.com/legal/dpa |
| Sentry (Functional Software, Inc.) | 错误监控(无健康数据) | 美国 | SCC + DPF | sentry.io/legal/dpa |
变更子处理者前 30 天邮件通知所有付费用户,用户可在 30 天内反对并退订。
Data Processing Agreement (DPA)
Last updated: May 8, 2026 · GDPR + PIPL dual-compliance · Chinese version is authoritative
This DPA enters into force when the user accepts the
Terms of Service and forms a binding agreement between Filial Plus, Inc. ("
Processor") and the user ("
Controller") regarding personal-information processing.
1. Definitions
- Personal Information (PI): GDPR 4(1) / PIPL 4 — identifiable natural-person information; here includes child accounts and parent sensitive health data
- Sensitive PI: GDPR Art. 9 / PIPL Art. 28 — health data (BP, glucose, medication), family relations
- Sub-processor: see Annex III
- Overseas recipient: under PIPL Art. 38, an entity outside Mainland China receiving PI
2. Purpose & Scope
The Processor processes PI only on the Controller's documented instructions for:
- SaaS for child remote monitoring of parents
- Parent OTP SMS verification
- Child email/SMS alerts
- Subscription (Stripe)
- Security audit (audit_log)
The Processor MUST NOT use PI for any other purpose (no ads, profiling, ML training, sale, or cross-business sharing).
3. Processor Obligations
- Process only on documented instructions; Controller may amend in writing
- Confidentiality of personnel
- Implement Annex II measures
- 30-day prior notice before adding sub-processors; Controller may object on reasonable grounds
- Assist with data-subject rights — within 5 business days
- Notify in writing within 72 hours of awareness of a security incident (GDPR 33 / PIPL 57)
- Assist with DPIA / PIPIA / regulator communication
- Delete or return all PI within 30 days of termination (except statutorily retained data, e.g., audit_log 7 years)
- Provide compliance evidence and submit to audits (annual or event-driven)
4. Cross-border Transfer
4.1 PIPL Art. 38 — Parent Data Export from China
- Standard Contract for PI Export (CAC 2023 SCC) signed with overseas recipients (AWS Inc. etc.) and filed
- PIPIA completed, covers necessity, risk, safeguards
- Parent grants separate consent (via child proxy at signup) for cross-border transfer; evidence kept 7 years
- Parent may withdraw consent any time after SMS OTP identity verification; subsequent export ceases
- PRC sub-processors (e.g., domestic SMS gateway placeholder) store data locally and do not export
4.2 GDPR Chapter V — EU Transfers
- EU → US transfer uses 2021 EU SCCs Module 2 (Controller→Processor)
- Processor is enrolled in EU-US Data Privacy Framework (DPF)
- Transfer Impact Assessment (TIA) supplemented when required
5. Data-Subject Rights Support
| Request | Deadline | How |
| Access / Portability | 15 days | Self-serve JSON export |
| Rectification | 5 days | Self-serve edit |
| Erasure | 30-day grace + immediate | Self-serve + email re-confirm |
| Restrict processing | 10 days | dpo@filialplus.com |
| Object | 10 days | dpo@filialplus.com |
| Parent self-service | 15 days | SMS OTP + dpo@filialplus.com |
6. Liability
Liability for breach is capped at fees paid in the preceding 12 months, except where statute prohibits such cap.
7. Term & Termination
Co-extensive with the Terms; survives until all PI is deleted/returned. Confidentiality survives termination.
Annex I — Processing Details
I.A Parties
- Controller: end user (child)
- Processor: Filial Plus, Inc., Delaware, USA · DPO: dpo@filialplus.com
I.B Processing description
| Data subjects | Child (paying user), Parent (monitored) |
| PI categories | identity (email, name, locale), sensitive (BP, glucose, medication, mood, note), family relation, phone, IP/UA |
| Sensitive types | Health data (GDPR 9 / PIPL 28) — BP, glucose, mental state, medication |
| Frequency | Continuous during use |
| Nature | Storage, threshold computation, email/SMS dispatch, PDF generation, JSON export |
| Purpose | SaaS provision, alerting, subscription, security audit |
| Retention | Account life + 30-day grace; audit_log 7 yrs; Stripe invoices 7 yrs |
Annex II — Technical & Organizational Measures
- Encryption: TLS 1.3 in transit; SQLite at rest via filesystem encryption
- Authentication: scrypt password hash, JWT HS256 + 7-day expiry, parent SMS OTP + 30-day session rotation
- Access control: least privilege, internal access limited to DPO + Eng lead, all access audited
- Auditing: tamper-evident audit_log, 7-year retention
- BCP/DR: daily backups (30-day retention), cross-AZ replication
- Brute-force protection: 5-attempt lockout + 60s OTP throttle
- Error monitoring: Sentry, PII auto-redacted
- Training: annual GDPR + PIPL training + NDA
- Incident response: 72-hour notification mechanism, external security advisor on-call
- Third-party audit: annual penetration test, dependency SCA scan
Annex III — Sub-processor List (incl. cross-border)
| Sub-processor | Purpose | Location | Compliance | Contract |
| Amazon Web Services, Inc. | Primary hosting (us-east-1) | USA | SCC + DPF + PIPL SCC | aws.amazon.com/compliance |
| Cloudflare, Inc. | Public website edge hosting | Global | SCC + DPF | cloudflare.com/cloudflare-customer-dpa |
| Stripe, Inc. | Payments | US / EU | SCC + DPF + PCI-DSS L1 | stripe.com/legal/dpa |
| Twilio, Inc. | Parent OTP SMS (intl) | US / Singapore | SCC + DPF | twilio.com/legal/data-protection-addendum |
| PRC SMS gateway (placeholder) | Parent OTP SMS (PRC fallback) | Mainland China | PIPL local storage, no cross-border | — |
| Resend | Child email | US / EU | SCC + DPF | resend.com/legal/dpa |
| Sentry (Functional Software, Inc.) | Error monitoring (no health data) | USA | SCC + DPF | sentry.io/legal/dpa |
30-day prior email notice for any sub-processor change; users may object and cancel within 30 days.