Skip to main content

Data Processing Agreement

Our standard DPA, ready to sign. Covers processing of personal data on behalf of the customer.

Contact us for a signed copy

1. Scope and purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between us ("Processor") and the customer ("Controller"). It governs the processing of personal data on behalf of the Controller in connection with use of the platform.

2. Roles and responsibilities

The customer (Controller) determines the purposes and means of processing personal data stored in the platform. We (Processor) process personal data solely on documented instructions from the Controller, as set out in this DPA and the Terms of Service.

3. Categories of personal data processed

  • Contact information (names, email addresses, phone numbers) of the Controller's customers and employees.
  • Project and operational data created by the Controller within the platform.
  • Usage and log data generated through use of the platform.

4. Sub-processors

We use a small set of carefully selected sub-processors. Customers will be notified of any changes at least 30 days in advance.

5. Security measures

  • Encrypted data at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access control and principle of least privilege.
  • Daily automated backups retained for 30 days.
  • Two-factor authentication for platform administration.
  • Independent penetration testing conducted annually.

6. Data subject rights

We will, to the extent reasonably possible, assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law (access, correction, erasure, portability).

7. Data breach notification

In the event of a personal data breach, we will notify the Controller without undue delay after becoming aware of the breach, and in any case within 72 hours where feasible.

8. Data retention and deletion

Upon termination of the service agreement, the Controller may export their data within 30 days. After 30 days, all personal data will be permanently deleted from production systems. Backups are purged within 60 days of the deletion date.

9. Contact

For DPA-related queries, please get in touch via our contact page.