Data Processing Addendum
Plain-language note. This DPA covers the situation where Customer Content includes personal data. drobek is the processor; the Customer (you) is the controller. Where this DPA conflicts with the Terms of Service, this DPA controls only for personal-data processing matters — the Terms control everything else, including the liability cap.
This Data Processing Addendum ("DPA") forms an appendix to the Terms of Service when the Customer uses drobek to process personal data subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR. It documents the controller-processor arrangement under GDPR Article 28.
Annex A — Subject matter
| Topic | Detail |
|---|---|
| Subject matter | Drobek processes Customer's personal data as part of providing the planner + knowledge graph service. |
| Duration | For the lifetime of the Customer's Organisation. |
| Nature & purpose | Storage, retrieval, indexing, embedding generation, and routing of Customer-supplied content as triggered by the Customer's Agents or users. |
| Types of personal data | Account: name, email, avatar. Organisation: members' names, emails, roles. Customer Content: whatever the Customer stores via tasks, knowledge entries, comments. |
| Categories of data subjects | Customer's users; people the Customer chooses to reference inside their workspace. |
| Special categories (Art. 9) | Not permitted unless the Customer has separately notified the Operator and obtained written agreement. |
Annex B — Sub-processors
The live sub-processor list is in the Privacy Policy. The Operator will give the Customer 30 days' notice (via email and in-app banner) before adding or replacing a sub-processor.
Customer objection. The Customer may object to a new sub-processor on reasonable grounds within the 30-day notice period by terminating its use of the Service. Continued use after the 30-day period constitutes consent. The Operator is not obliged to provide the Service without a sub-processor to which the Customer has objected; the Customer's sole remedy is termination as described.
Annex C — Technical and organisational measures (TOMs)
- Encryption at rest — Postgres data files on encrypted volumes.
- Encryption in transit — TLS 1.2+ on every public endpoint.
- Access control — sign-in via email magic link or OAuth (Google, GitHub). The superadmin portal is gated to a single verified Account and returns 404 to everyone else.
- Tenant isolation — every tenant-scoped table carries org_id from its first migration. Every query enforces the scope at the data-access layer.
- Secret management — Agent tokens are stored as Argon2 hashes; plaintext is shown to the user exactly once and never logged.
- Backups — daily encrypted Postgres snapshots retained 30 days off-host.
- Logging — structured JSON logs with a PII redaction list applied at the logger layer. Customer Content bodies are excluded.
- Operator access — admin tooling never reads Customer Content (descriptions, knowledge bodies, comments, attachments). Operator access to infrastructure is limited to the natural person operating the Service, authenticated via hardware-bound credentials.
- Vendor review — every sub-processor must have a published DPA and either EU residence or a DPF/SCC-based transfer mechanism.
Article 28 obligations
The Operator, as processor, will:
- Process only on documented instructions from the Customer (instructions are: these Terms, the DPA, the in-product UI and APIs you choose to call). If a legal obligation requires processing beyond these instructions, the Operator will inform the Customer unless prohibited from doing so.
- Confidentiality — ensure that any person authorised to process personal data is bound by a duty of confidentiality.
- Security — implement and maintain the TOMs in Annex C; review and update them as the threat landscape evolves.
- Sub-processors — use sub-processors only as set out in Annex B and impose data-protection obligations on each.
- Data-subject rights — assist the Customer (so far as technically possible) in fulfilling its obligations to respond to data-subject requests, taking into account the nature of the processing.
- Personal-data breach — notify the Customer without undue delay and in any case within 72 hours of the Operator's confirmation of a breach affecting Customer personal data, with the information the Operator has at the time.
- DPIA assistance — provide the Customer reasonable assistance for any data-protection impact assessment that concerns the Service.
- Return or deletion — at the end of the Service, delete or return all Customer Content as the Customer chooses; once deleted, the Operator has no obligation to retain it (subject to the 30-day backup-rotation caveat in the Privacy Policy).
- Audits — make available all information necessary to demonstrate compliance with Article 28. Audits are limited to one (1) per calendar year, must be carried out at the Customer's cost, on at least 30 days' written notice, by a mutually agreed independent auditor bound by an NDA, must not disrupt the Service, and may be satisfied by the Operator providing a recent third-party audit report under NDA where one is available.
International transfers
Any transfer of personal data to a third country is made under (i) an adequacy decision (EU-US DPF where the recipient is certified) or (ii) Standard Contractual Clauses (EU Commission Decision 2021/914), which are incorporated by reference and considered executed between the parties as part of this DPA.
Liability
The liability cap and exclusions in Section 12 of the Terms of Service apply to this DPA and to claims arising out of personal-data processing, to the maximum extent permitted by GDPR and other applicable law.
Acceptance
This DPA is automatically accepted by the Customer when the Customer creates an Organisation. A counter-signed PDF version, where required by a Customer's procurement process, is available on request via the contact channels at tomasgrasl.cz.