Skip to main content

Shared Responsibility

ConsentForge provides the infrastructure. You are responsible for using it correctly. This page clarifies the division of responsibility.

What ConsentForge is responsible for

  • Platform availability — 99.9% uptime SLA for the runtime CDN and API
  • Data security — Encrypted storage, EU-hosted infrastructure, SOC 2-aligned practices
  • Consent receipt integrity — HMAC-chained receipts that prove tampering has not occurred
  • Vendor library accuracy — Maintaining descriptions and categories for 300+ vendors
  • GDPR-compliant data processing — ConsentForge signs a Data Processing Agreement (DPA) with you
  • Software correctness — The runtime behaves as documented

What you (the customer) are responsible for

  • Correct implementation — Placing the script tag correctly on all pages
  • Vendor completeness — Ensuring all third-party scripts on your site are in your vendor list
  • Accurate descriptions — Reviewing and correcting vendor purpose descriptions for your site
  • Policy configuration — Configuring categories and purposes to reflect your actual data processing
  • Banner language — Ensuring banner texts are accurate, complete, and legally sufficient for your jurisdiction
  • Acting on consent — Implementing script blocking and honoring consent signals in your downstream systems
  • Legal review — Having your legal counsel review your consent setup for compliance with GDPR, ePrivacy, and other applicable laws
ConsentForge is not legal advice

Nothing in this documentation constitutes legal advice. Compliance requirements vary by jurisdiction, industry, and data processing activity. Consult a qualified privacy lawyer for your specific situation.

Data Processing Agreement (DPA)

As a data processor on your behalf, ConsentForge offers a standard DPA. To request your DPA:

  1. Go to Dashboard → Account → Legal → Data Processing Agreement
  2. Download the pre-signed DPA
  3. Sign and retain for your records

Sub-processors

ConsentForge's current sub-processors are listed at consentforge.com/legal/sub-processors. You'll be notified via email 30 days before any sub-processor changes.