Last Updated: Feb 25, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Processor," "we," "us"), between us and the entity agreeing to these terms ("Controller," "you," "Customer"), collectively the "Parties."
This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Service, and such processing is subject to applicable Data Protection Laws.
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any other applicable privacy legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on behalf of the Customer in connection with the Service.
"Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, and deletion.
"Sub-processor" means any third party engaged by us to process Personal Data on behalf of the Customer.
"Security Incident" means a confirmed unauthorized access to, or unauthorized disclosure of, Personal Data processed by us under this DPA.
2.1. The Customer acts as the Controller (or Business, under CCPA) and we act as the Processor (or Service Provider, under CCPA) with respect to Personal Data processed in connection with the Service.
2.2. We will process Personal Data only as necessary to provide the Service in accordance with the Terms of Service and your documented instructions. We will not sell Personal Data or process it for any purpose other than performing the Service.
The Personal Data processed in connection with the Service may include:
4.1. Instructions. We will process Personal Data only in accordance with the Customer's documented instructions, unless required to do otherwise by applicable law. If such a legal requirement arises, we will notify the Customer before processing unless prohibited by law.
4.2. Confidentiality. All personnel authorized to process Personal Data are bound by obligations of confidentiality.
4.3. Data Minimization. We collect and process only the minimum Personal Data necessary to provide the Service.
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
6.1. The Customer grants general written authorization for us to engage Sub-processors to assist in providing the Service. Our current list of Sub-processors is available at our trust center.
6.2. We will notify the Customer of any new Sub-processor by updating the Sub-processor list at least fourteen (14) days before the new Sub-processor begins processing Personal Data.
6.3. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may notify us in writing within fourteen (14) days of the update. The Parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected Service by providing written notice.
6.4. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
7.1. We will assist the Customer, to the extent commercially reasonable, in responding to requests from data subjects to exercise their rights under applicable Data Protection Laws (e.g., access, rectification, deletion, portability, objection).
7.2. If we receive a request directly from a data subject, we will promptly redirect the individual to the Customer unless legally required to respond.
8.1. We will notify the Customer of any confirmed Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident.
8.2. The notification will include, to the extent reasonably available: (a) the nature of the incident, (b) the categories and approximate number of data subjects affected, (c) the likely consequences, and (d) the measures taken or proposed to mitigate the incident.
We will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable Data Protection Laws and to the extent such assessment relates to the processing performed by us.
10.1. Upon the Customer's written request (no more than once per twelve-month period), we will make available reasonably necessary information (such as third-party compliance reports) to demonstrate compliance with this DPA.
10.2. If the information provided under Section 10.1 does not reasonably address the Customer's concern, the Parties may negotiate an audit arrangement in writing, provided that the audit shall be conducted at the Customer's expense and shall not disrupt our normal operations.
11.1. Personal Data is processed in the United States.
11.2. Where the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States is subject to Data Protection Laws requiring appropriate safeguards, the Parties agree that the EU Standard Contractual Clauses (Module Two: Controller to Processor, Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference and shall apply to such transfers, with the Customer as "data exporter" and us as "data importer."
11.3. To the extent applicable, we also rely on additional transfer mechanisms recognized under applicable Data Protection Laws.
Upon termination of the Service or upon the Customer's written request, we will delete or return all Personal Data in our possession within thirty (30) days, except to the extent we are required by applicable law to retain a copy.
This DPA takes effect on the date the Customer agrees to the Terms of Service and remains in effect for as long as we process Personal Data on the Customer's behalf. Sections that by their nature should survive termination will survive.
Each Party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.