← 返回首页 / Back

数据处理协议(DPA)

最近更新:2026 年 5 月 8 日 · GDPR + PIPL 双合规版本 · 中文为权威文本

本协议在用户接受 服务条款 时自动生效,构成 Filial Plus, Inc.("处理者")与用户("控制者")之间关于个人信息处理的约束性协议。

1. 定义

2. 处理目的与范围

处理者仅根据控制者文档化指示,为下列目的处理个人信息:

处理者不得用于上述外目的(包括但不限于:广告、画像、训练机器学习模型、出售、跨业共享)。

3. 处理者义务

  1. 仅按文档化指示处理,控制者可随时书面变更指示
  2. 对处理人员实施保密义务
  3. 采用 Annex II 所列技术与组织措施
  4. 聘用子处理者前给予 30 天事先通知,控制者可在合理理由下反对
  5. 协助控制者响应数据主体行权(访问、更正、删除、可携、反对)— 5 个工作日内
  6. 在已知或应知数据安全事件后72 小时内书面通知(GDPR 33 / PIPL 57)
  7. 协助控制者完成 DPIA / PIPIA / 监管沟通
  8. 合同终止后 30 天内删除或返还全部个人信息(除法律强制保留外,如 audit_log 7 年)
  9. 提供必要信息证明合规,配合审计(每 12 个月一次或事件后随时)

4. 跨境传输

4.1 PIPL 第 38 条 — 中国父母数据出境

由于父母位于中国大陆而子女位于境外,父母个人信息出境采用以下机制(处理者负责备案与执行):

4.2 GDPR 第 V 章 — 欧盟数据传输

5. 数据主体权利支持

处理者协助控制者在下列时限内响应数据主体请求:

请求类型响应时限实现方式
访问 / 可携15 日Dashboard 自助 JSON 导出
更正5 日Dashboard 自助编辑
删除30 日宽限期 + 立即执行Dashboard 自助 + 邮件二次确认
限制处理10 日邮件 dpo@filialplus.com
反对10 日邮件 dpo@filialplus.com
父母独立行权15 日SMS OTP 验证身份后通过 dpo@filialplus.com

6. 责任与赔偿

处理者因违反本 DPA 给控制者或数据主体造成损失的,承担相应赔偿责任,但累计责任不超过控制者过去 12 个月已支付费用(适用法律不允许的情形除外)。

7. 期限与终止

本 DPA 与服务条款同时生效,至全部个人信息删除或返还为止有效。终止后保密义务继续有效。


Annex I — 处理详情

I.A 各方

  • 控制者(Controller):终端用户(子女)— 邮箱与 Dashboard 中显示
  • 处理者(Processor):Filial Plus, Inc., Delaware, USA · DPO: dpo@filialplus.com

I.B 处理描述

数据主体类别子女(付费用户)、父母(被监护方)
个人信息类别身份(邮箱、姓名、locale)、敏感(血压、血糖、用药、心情、备注)、家庭关系、电话号码、IP / UA
敏感数据类型健康数据(GDPR 9 / PIPL 28)— 血压、血糖、心理状态、用药记录
处理频次持续(用户使用期间)
处理性质存储、阈值计算、邮件/短信派发、PDF 生成、JSON 导出
处理目的提供 SaaS、告警、订阅、安全审计
保留期限账户存续期间 + 30 天宽限删除;audit_log 7 年;Stripe 发票 7 年

Annex II — 技术与组织措施

  • 加密:传输 TLS 1.3;静态 SQLite 文件系统层加密
  • 认证:scrypt 密码哈希、JWT HS256 + 7 天过期、父母端 SMS OTP + 30 天 session 轮换
  • 访问控制:最小权限、内部访问仅 DPO + 工程负责人、所有访问审计
  • 审计:audit_log 不可篡改、7 年保留、含 IP/UA
  • 容灾:每日全量备份(保留 30 天)、跨可用区复制
  • 暴力破解防护:5 次错误锁定 + 60 秒 OTP 节流
  • 错误监控:Sentry,PII 自动脱敏
  • 员工培训:年度 GDPR + PIPL 培训 + 保密协议
  • 事件响应:72 小时通知机制、外部安全顾问 on-call
  • 第三方审计:年度渗透测试、依赖项 SCA 扫描

Annex III — 子处理者清单(含跨境)

子处理者用途处理位置跨境合规合同链接
Amazon Web Services, Inc.主托管 (us-east-1)美国SCC + DPF + PIPL SCCaws.amazon.com/compliance
Cloudflare, Inc.公开网站边缘托管全球SCC + DPFcloudflare.com/cloudflare-customer-dpa
Stripe, Inc.支付处理美国 / 欧盟SCC + DPF + PCI-DSS L1stripe.com/legal/dpa
Twilio, Inc.父母 OTP 短信(国际)美国 / 新加坡SCC + DPFtwilio.com/legal/data-protection-addendum
国内短信通道(占位)父母 OTP 短信(中国境内 fallback)中国大陆PIPL 数据本地化、与境外不互通
Resend子女邮件通知美国 / 欧盟SCC + DPFresend.com/legal/dpa
Sentry (Functional Software, Inc.)错误监控(无健康数据)美国SCC + DPFsentry.io/legal/dpa

变更子处理者前 30 天邮件通知所有付费用户,用户可在 30 天内反对并退订。

Data Processing Agreement (DPA)

Last updated: May 8, 2026 · GDPR + PIPL dual-compliance · Chinese version is authoritative

This DPA enters into force when the user accepts the Terms of Service and forms a binding agreement between Filial Plus, Inc. ("Processor") and the user ("Controller") regarding personal-information processing.

1. Definitions

2. Purpose & Scope

The Processor processes PI only on the Controller's documented instructions for:

The Processor MUST NOT use PI for any other purpose (no ads, profiling, ML training, sale, or cross-business sharing).

3. Processor Obligations

  1. Process only on documented instructions; Controller may amend in writing
  2. Confidentiality of personnel
  3. Implement Annex II measures
  4. 30-day prior notice before adding sub-processors; Controller may object on reasonable grounds
  5. Assist with data-subject rights — within 5 business days
  6. Notify in writing within 72 hours of awareness of a security incident (GDPR 33 / PIPL 57)
  7. Assist with DPIA / PIPIA / regulator communication
  8. Delete or return all PI within 30 days of termination (except statutorily retained data, e.g., audit_log 7 years)
  9. Provide compliance evidence and submit to audits (annual or event-driven)

4. Cross-border Transfer

4.1 PIPL Art. 38 — Parent Data Export from China

4.2 GDPR Chapter V — EU Transfers

5. Data-Subject Rights Support

RequestDeadlineHow
Access / Portability15 daysSelf-serve JSON export
Rectification5 daysSelf-serve edit
Erasure30-day grace + immediateSelf-serve + email re-confirm
Restrict processing10 daysdpo@filialplus.com
Object10 daysdpo@filialplus.com
Parent self-service15 daysSMS OTP + dpo@filialplus.com

6. Liability

Liability for breach is capped at fees paid in the preceding 12 months, except where statute prohibits such cap.

7. Term & Termination

Co-extensive with the Terms; survives until all PI is deleted/returned. Confidentiality survives termination.


Annex I — Processing Details

I.A Parties

  • Controller: end user (child)
  • Processor: Filial Plus, Inc., Delaware, USA · DPO: dpo@filialplus.com

I.B Processing description

Data subjectsChild (paying user), Parent (monitored)
PI categoriesidentity (email, name, locale), sensitive (BP, glucose, medication, mood, note), family relation, phone, IP/UA
Sensitive typesHealth data (GDPR 9 / PIPL 28) — BP, glucose, mental state, medication
FrequencyContinuous during use
NatureStorage, threshold computation, email/SMS dispatch, PDF generation, JSON export
PurposeSaaS provision, alerting, subscription, security audit
RetentionAccount life + 30-day grace; audit_log 7 yrs; Stripe invoices 7 yrs

Annex II — Technical & Organizational Measures

  • Encryption: TLS 1.3 in transit; SQLite at rest via filesystem encryption
  • Authentication: scrypt password hash, JWT HS256 + 7-day expiry, parent SMS OTP + 30-day session rotation
  • Access control: least privilege, internal access limited to DPO + Eng lead, all access audited
  • Auditing: tamper-evident audit_log, 7-year retention
  • BCP/DR: daily backups (30-day retention), cross-AZ replication
  • Brute-force protection: 5-attempt lockout + 60s OTP throttle
  • Error monitoring: Sentry, PII auto-redacted
  • Training: annual GDPR + PIPL training + NDA
  • Incident response: 72-hour notification mechanism, external security advisor on-call
  • Third-party audit: annual penetration test, dependency SCA scan

Annex III — Sub-processor List (incl. cross-border)

Sub-processorPurposeLocationComplianceContract
Amazon Web Services, Inc.Primary hosting (us-east-1)USASCC + DPF + PIPL SCCaws.amazon.com/compliance
Cloudflare, Inc.Public website edge hostingGlobalSCC + DPFcloudflare.com/cloudflare-customer-dpa
Stripe, Inc.PaymentsUS / EUSCC + DPF + PCI-DSS L1stripe.com/legal/dpa
Twilio, Inc.Parent OTP SMS (intl)US / SingaporeSCC + DPFtwilio.com/legal/data-protection-addendum
PRC SMS gateway (placeholder)Parent OTP SMS (PRC fallback)Mainland ChinaPIPL local storage, no cross-border
ResendChild emailUS / EUSCC + DPFresend.com/legal/dpa
Sentry (Functional Software, Inc.)Error monitoring (no health data)USASCC + DPFsentry.io/legal/dpa

30-day prior email notice for any sub-processor change; users may object and cancel within 30 days.