Definitions & roles
Terms not defined here have the meaning given in our Terms of Service or in applicable data-protection law (such as the GDPR).
Scope & instructions
We will process personal data only to provide and support the Service, and only on your documented instructions — which include your use of the Service’s features and the Terms — unless required to act otherwise by law (in which case we’ll inform you where legally permitted).
We will not use, sell, or disclose personal data for our own purposes, for advertising, or to train external machine-learning models.
Nature of processing
For transparency, the processing under this DPA is described as follows:
Our obligations
As processor, we will:
- Process personal data only as described in Section 2.
- Ensure people authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 6).
- Assist you, taking into account the nature of processing, with data-subject requests and your own security, breach, and impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
Sub-processors
You authorize us to engage sub-processors to help deliver the Service — for example, cloud hosting and a PCI-DSS compliant payment processor. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.
We maintain a current list of sub-processors and will provide it on request via our contact page. We’ll give you reasonable notice of any intended change so you can object on reasonable data-protection grounds.
Security measures
We maintain appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), hashed credentials, secure session cookies, access controls on production systems, and regular backups. A fuller description is on our Security page.
Data subject rights
If an individual contacts us directly to exercise a right (access, correction, deletion, portability, etc.) regarding data we process on your behalf, we will, where legally permitted, refer them to you. Taking into account the nature of processing, we will provide reasonable assistance to help you respond to such requests — including through the Service’s report exports (e.g. PDF) and account-deletion features.
Breach notification
If we become aware of a personal-data breach affecting your data, we will notify you without undue delay. Our notice will describe, to the extent known, the nature of the breach, likely consequences, and the measures taken or proposed to address it — so you can meet your own notification obligations.
Deletion & return
On termination of the Service, or on your written request, we will delete or return personal data we process on your behalf, and delete existing copies, except to the extent we’re required to retain it by law. Routine retention timelines are described in our Privacy Policy.
International transfers
Where personal data is transferred across borders in the course of providing the Service, we will ensure an appropriate safeguard or transfer mechanism is in place as required by applicable law. If you have specific transfer requirements, contact us to discuss.
How to execute this DPA
For most customers, this DPA is incorporated into the Terms and takes effect automatically when you accept the Terms and use the Service — no signature required.
- Request via our contact page (mention “DPA”).
- Or email [email protected].
This DPA forms part of and is governed by the Terms of Service. In case of conflict between this DPA and the Terms regarding processing of personal data, this DPA prevails.