Freeck

Firebase Data Processing Agreement (DPA) – Summary

Last updated: 2025-02-10

This document summarizes how Firebase acts as a GDPR-compliant data processor for Freeck.


1. Roles

Under GDPR:

  • Freeck: Data Controller
  • Google Ireland Ltd (Firebase): Data Processor

The Firebase Data Processing Agreement (DPA) is accepted as part of Firebase Terms of Service.


2. Firebase Services in Use

  • Firebase Authentication
  • Firestore Database
  • Firebase Crashlytics
  • Firebase Analytics (technical usage data)
  • Firebase Storage (optional)
  • Cloud Functions (optional)

All these services fall under the same DPA.


3. Data Location

  • Data is primarily processed in EU data centers when configured accordingly.
  • When data may leave the EU, Standard Contractual Clauses (SCCs) apply as provided by Google.

4. Processor Obligations (Google)

Google as processor commits to:

  • Process data only on documented instructions from the Controller
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with data subject requests and DPIAs
  • Notify the Controller without undue delay of any personal-data breach
  • Ensure subprocessors are bound by equivalent obligations

5. Subprocessors

Google uses subprocessors for infrastructure and related services.
A current list is available at:
https://firebase.google.com/support/privacy#subprocessors


6. Controller Responsibilities (Freeck)

The Controller must:

  • Configure Firestore Security Rules properly
  • Minimize personal data stored in Firebase
  • Implement adequate retention and deletion mechanisms
  • Provide data subjects with access, deletion, and export options
  • Keep documentation of processing activities (GDPR register)

7. Conclusion

Firebase provides a GDPR-aligned processing framework, reducing operational effort and enabling secure, compliant data handling for Freeck.