Data Processing Addendum

Last Updated:

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Desking Oy ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") for the use of Inbind ("Service").

This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Service, and such processing is subject to Data Protection Laws.

1. Definitions

"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and any successor or replacement legislation.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Service.

"Processing" has the meaning given in applicable Data Protection Laws and includes any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.

"Sub-processor" means any third party appointed by us to process Personal Data on your behalf.

"Data Subject" means the individual to whom Personal Data relates.

"Connected Platform" means any third-party content management system or platform that you connect to the Service, including but not limited to website CMS platforms, through which Personal Data may be accessed, synchronized, or processed by the Service.

2. Scope and Roles

2.1 Role of the Parties

Under this DPA, you act as the Controller (or Processor if you are processing Personal Data on behalf of your own clients), and we act as the Processor. We will process Personal Data only on your documented instructions and in accordance with this DPA.

2.2 Processing Activities

We process Personal Data to provide the Service, which includes:

  • Storing and managing content data from your Connected Platform

  • Synchronizing data between Inbind and your Connected Platform

  • Providing content editing, publishing, and management functionality

  • Enabling collaboration features within your team

2.3 Types of Personal Data

The Personal Data processed may include, but is not limited to:

  • Content author names and user information

  • Contact details contained in CMS content (names, email addresses, phone numbers)

  • User profile information stored in Connected Platform collections

  • Blog post author details and biographical information

  • Form submission data stored in Connected Platform

  • Any other personal information contained in the content you manage through the Service

2.4 Data Subjects

Data Subjects may include:

  • Your end users and website visitors

  • Content authors and contributors

  • Employees and contractors of your organization

  • Customers and clients of your business

  • Any other individuals whose Personal Data appears in your Connected Platform content

3. Your Instructions and Compliance

3.1 Your Instructions

We will process Personal Data only in accordance with your documented instructions. Your instructions are to process Personal Data as necessary to:

  • Provide the Service in accordance with the Terms of Service

  • Comply with your reasonable instructions communicated through the Service interface or in writing

  • Comply with applicable laws

3.2 Your Responsibilities

You represent and warrant that:

  • You have the legal right to collect and process the Personal Data and to instruct us to process it

  • You have provided all necessary notices and obtained all necessary consents required under Data Protection Laws

  • Your instructions comply with Data Protection Laws

  • You are responsible for ensuring the accuracy and legality of the Personal Data you provide

3.3 Unlawful Instructions

If we believe that your instructions violate Data Protection Laws, we will inform you and may refuse to carry out the instruction until you confirm or modify it.

4. Our Obligations

4.1 Confidentiality

We will ensure that persons authorized to process Personal Data are subject to confidentiality obligations, whether by contract or statutory duty.

4.2 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest

  • Regular security assessments and vulnerability testing

  • Access controls and authentication mechanisms

  • Logging and monitoring of access to Personal Data

  • Incident response and data breach procedures

  • Employee training on data protection and security

4.3 Security Standards

While we do not currently hold specific security certifications, we continuously review and update our security practices to align with industry standards and Data Protection Laws.

5. Sub-processors

5.1 Authorization

You authorize us to engage Sub-processors to process Personal Data on your behalf. We will ensure that Sub-processors are bound by written agreements requiring them to provide at least the same level of data protection as set out in this DPA.

5.2 Current Sub-processors

We currently use the following Sub-processors:

Sub-processor | Purpose | Location
Heroku (Salesforce) | Application hosting and infrastructure | EU
Cloudflare, Inc. | Content delivery network, security, and performance | EU
PostHog, Inc. | Analytics and product usage monitoring | EU

5.3 New Sub-processors

We will inform you of any intended changes concerning the addition or replacement of Sub-processors. You may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying us within 30 days of being informed of the change.

If you object to a new Sub-processor and we cannot reasonably accommodate your objection, you may terminate the affected portion of the Service by providing written notice within 30 days, and we will refund any prepaid fees for the terminated portion covering the period after termination.

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you, to the extent reasonably possible, in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to data portability

  • Right to object

6.2 Data Subject Requests to Us

If we receive a Data Subject request directly, we will promptly inform you and will not respond to the request without your prior written authorization, except where required by law.

6.3 Your Tools

The Service provides you with technical and organizational measures to access, correct, export, and delete Personal Data, enabling you to respond to Data Subject requests directly.

7. Data Breach Notification

7.1 Notification Obligation

We will notify you without undue delay after becoming aware of a Personal Data breach affecting your data. The notification will include, to the extent possible:

  • Description of the nature of the breach

  • Categories and approximate number of Data Subjects and records affected

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach and mitigate its effects

7.2 Cooperation

We will reasonably cooperate with you in investigating and remediating the breach and will provide information necessary for you to fulfill any data breach reporting obligations under Data Protection Laws.

7.3 No Acknowledgment of Fault

Our notification of or response to a data breach will not constitute an acknowledgment of fault or liability.

8. Data Deletion and Retention

8.1 Return or Deletion

Upon termination of the Service or at your written request, we will promptly delete or return all Personal Data in our possession or control, unless applicable law requires continued storage.

8.2 Deletion Timeframe

We will complete deletion of Personal Data promptly following termination, typically within a reasonable timeframe necessary to ensure complete removal from all systems, including backups.

8.3 Certification

Upon your written request, we will provide written certification that we have complied with our deletion obligations.

8.4 Exceptions

We may retain Personal Data to the extent and for the period required by applicable law, provided that we ensure the confidentiality of such Personal Data and process it only as necessary for the purpose specified in the applicable law.

9. Audits and Compliance

9.1 Audit Rights

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice and confidentiality obligations.

9.2 Audit Procedure

Audit requests must be:

  • Made in writing with at least 30 days' advance notice

  • Conducted during regular business hours

  • Conducted in a manner that does not unreasonably interfere with our operations

  • Limited to once per year, unless required by Data Protection Laws or following a data breach

9.3 Audit Costs

You will bear the costs of any audit unless it reveals material non-compliance with this DPA.

10. Data Transfers

10.1 Data Location

All Personal Data is processed and stored within the European Union. We do not transfer Personal Data outside the EU/EEA.

10.2 Future Transfers

Should we need to transfer Personal Data outside the EU/EEA in the future, we will:

  • Notify you in advance

  • Ensure appropriate safeguards are in place in accordance with Data Protection Laws (such as Standard Contractual Clauses approved by the European Commission)

  • Obtain your prior written consent where required

11. Assistance with Data Protection Impact Assessments

We will provide reasonable assistance to you in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent such assistance is required under Data Protection Laws and relates to the processing of Personal Data by us.

12. Liability and Indemnification

12.1 Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the Terms of Service.

12.2 Processor Liability

We shall be liable under Data Protection Laws for damages caused by processing only where we have not complied with obligations specifically directed to processors under Data Protection Laws, or where we have acted outside or contrary to your lawful instructions.

12.3 Chain of Liability

Where we engage Sub-processors, we shall remain fully liable to you for the performance of the Sub-processor's obligations.

13. Term and Termination

13.1 Duration

This DPA will commence on the date you first use the Service and will continue until the termination or expiration of the Terms of Service.

13.2 Survival

The provisions of this DPA that by their nature should survive termination will survive, including obligations relating to data deletion, confidentiality, and liability.

14. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.

15. Governing Law and Jurisdiction

This DPA shall be governed by the same law and jurisdiction provisions as set forth in the Terms of Service.

16. Amendments

We may update this DPA from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you in accordance with the Terms of Service.

17. Contact

For any questions or concerns regarding this DPA or our processing of Personal Data, please contact us at [email protected]