1. Parties & scope
This Data Processing Addendum (“DPA”) supplements the Terms of Use between {{COMPANY_LEGAL_NAME}} (“Processor”) and you (“Controller”). It governs the Processing of Personal Data subject to the GDPR (EU Regulation 2016/679) and/or the UK GDPR.
If there’s any conflict between this DPA and the Terms, this DPA controls with respect to the Processing of Personal Data.
2. Definitions
Capitalized terms not defined here have the meaning given in the GDPR. “Customer Data,” “Service,” and “Processor” are used as in the Terms. “Sub-processor” means any third party engaged by us to process Personal Data on your behalf.
3. Roles & responsibilities
- You are the Controller of Personal Data you enter into the Service.
- We are a Processor acting on your documented instructions. We process Personal Data only as needed to provide the Service or comply with the law.
- Each party will comply with its respective obligations under Data Protection Laws.
4. Processing instructions
Your written instructions to us are: (a) the Terms; (b) this DPA; (c) any documented written instructions you give us in connection with your use of the Service. If we believe an instruction violates Data Protection Law, we’ll notify you.
The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of data subjects, are described in Annex I.
5. Sub-processors
You authorize us to engage Sub-processors. Our current list is in the Privacy Policy. We’ll give you at least 14 days’ notice before adding a Sub-processor that has access to Personal Data, and you may object on reasonable data-protection grounds. If we can’t accommodate the objection, you may terminate the affected portion of the Service and receive a pro-rated refund of pre-paid fees.
We require each Sub-processor to commit in writing to data-protection terms substantially equivalent to this DPA. We remain liable for our Sub-processors’ performance to the same extent as our own.
6. Security
We implement the technical and organizational measures described in Annex II and in our Security overview. Personnel with access to Personal Data are bound by confidentiality obligations.
7. Personal data breach
We’ll notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting your Personal Data, and provide reasonable assistance with your notification obligations.
8. Data subject rights
Taking into account the nature of the Processing, we’ll assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects to exercise their rights under Data Protection Law. Most of these rights are satisfiable through the Service’s built-in export, edit, and delete features.
9. International transfers
Personal Data is hosted in the United States. For transfers from the EEA, Switzerland, or the UK to a country that is not covered by an adequacy decision of the European Commission (or, for UK transfers, by UK adequacy regulations), the parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor), incorporated by reference. For UK transfers, the parties also agree to the ICO’s International Data Transfer Addendum to the EU SCCs (the “UK Addendum”).
Where the SCCs require additional information:
- Docking clause (Clause 7): not applied.
- Sub-processing (Clause 9): Option 2 (general written authorization), with 14 days’ notice.
- Redress (Clause 11): independent dispute-resolution body not added.
- Governing law (Clause 17): Ireland (for the EU SCCs) / England and Wales (for the UK Addendum).
- Choice of forum (Clause 18): courts of Ireland / England and Wales respectively.
10. Audits
We’ll make available to you the information necessary to demonstrate compliance with this DPA. Audits will be limited to: (a) review of certifications and audit reports we make available; (b) once per 12-month period, a remote audit limited to information necessary to verify our compliance, conducted on at least 30 days’ notice and during normal business hours, at your expense, and subject to confidentiality obligations. We’ll cooperate in good faith but may decline access that would compromise the security of other customers’ data.
11. Termination & deletion
On termination of the Service, we’ll delete or return all Personal Data within 30 days unless retention is required by law. Backups containing Personal Data are deleted on our standard retention cycle (typically 30–90 days) and remain protected by this DPA until deleted.
Annex I — Description of Processing
- Categories of data subjects: Controller’s end customers, contacts, employees, and other individuals whose data Controller chooses to enter into the Service.
- Categories of Personal Data: name, contact information (email, phone, shipping address), business communications, order history, and any other data Controller chooses to enter.
- Special categories: none expected. Controller is responsible for not entering special categories (Article 9 GDPR) unless a separate written agreement is in place.
- Frequency: continuous, for the duration of the Service term.
- Purpose: providing the Service to Controller; processing strictly on Controller’s documented instructions.
- Retention: as specified in the Privacy Policy.
Annex II — Technical & organizational measures
- Encryption. TLS in transit for all client and inter-service communication. AES-256 at rest for database, backups, and object storage.
- Tenant isolation. Row-level security policies enforce that data from one Controller’s organization cannot be returned to another’s session. Verified by automated cross-org isolation tests that block deploys on failure.
- Access control. Role-based access, least-privilege defaults, MFA recommended for accounts with elevated privileges. Service-role keys are restricted to server-side environments and never shipped to browsers.
- Audit logging. Append-only log records actor, timestamp, and before/after state of every operational mutation.
- Backups. Encrypted automated backups; restore tested periodically.
- Personnel. Confidentiality obligations; access on need-to-know basis.
- Vulnerability management. Dependency scanning, prompt patching of critical CVEs.
- Incident response. Defined response plan; breach notification within 72 hours of awareness.
More detail: Security overview.
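The tenant-isolation and access-control measures in Annex II, shown as an added illustrative example that is not the Service’s actual schema, policy, or deploy test: a PostgreSQL row-level security policy keyed on an organization id, plus the kind of cross-organization isolation check a CI gate could run. The table, column, role and setting names (contacts, org_id, app_user, app.org_id) and the sample rows are assumptions constructed for the example.

```sql
-- Added example, not the Service's own code. Names below are assumptions.
CREATE TABLE contacts (
  id     bigserial PRIMARY KEY,
  org_id uuid NOT NULL,   -- the Controller's organization that owns this row
  email  text NOT NULL
);

-- The role the API connects as must NOT own the table: owners and superusers
-- bypass RLS unless FORCE is set. This is why a service-role key that bypasses
-- policies belongs only in server-side environments.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;
GRANT USAGE ON SEQUENCE contacts_id_seq TO app_user;

ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;   -- also applies to the owner

-- Each request sets app.org_id from the authenticated session before querying.
-- current_setting(..., true) returns NULL (or '' after a RESET) when unset, so an
-- unset tenant id matches nothing: fail closed, never "return everything".
CREATE POLICY contacts_tenant_isolation ON contacts
  FOR ALL TO app_user
  USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Cross-org isolation test: run in CI against a scratch database as the owner;
-- any raised exception fails the deploy.
BEGIN;
INSERT INTO contacts (org_id, email) VALUES
  ('11111111-1111-1111-1111-111111111111', 'a@org1.example'),   -- constructed
  ('22222222-2222-2222-2222-222222222222', 'b@org2.example');   -- constructed

SET LOCAL ROLE app_user;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';

DO $$
DECLARE
  visible int;
  leaked  int;
BEGIN
  -- Read path: only org 1's rows may be visible in this session.
  SELECT count(*) INTO visible FROM contacts;
  SELECT count(*) INTO leaked  FROM contacts
   WHERE org_id <> '11111111-1111-1111-1111-111111111111';
  IF visible <> 1 OR leaked <> 0 THEN
    RAISE EXCEPTION 'cross-org isolation failure: % visible, % from other orgs',
      visible, leaked;
  END IF;

  -- Write path: inserting a row for another org must be rejected by WITH CHECK
  -- (PostgreSQL reports this as SQLSTATE 42501, insufficient_privilege).
  BEGIN
    INSERT INTO contacts (org_id, email)
    VALUES ('22222222-2222-2222-2222-222222222222', 'x@org2.example');
    RAISE EXCEPTION 'cross-org isolation failure: write into another org succeeded';
  EXCEPTION WHEN insufficient_privilege THEN
    NULL;  -- expected
  END;
END $$;
ROLLBACK;
```

The policy is only as strong as the step that sets app.org_id: it must be derived from the verified session on the server for every connection (including pooled ones, hence SET LOCAL inside a transaction), never taken from a client-supplied parameter.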