Last Updated: February 24, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service (or other applicable agreement) between Produktly ("Processor") and the customer using Produktly's services ("Controller"), collectively referred to as the "Parties."
1. Definitions
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information related to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, deletion, or disclosure.
- "Sub-Processor" means any third party engaged by the Processor to assist in processing Personal Data.
2. Scope and Responsibilities
- The Controller determines the purpose and means of processing Personal Data, while the Processor processes Personal Data solely on behalf of the Controller in accordance with this DPA.
- The Processor shall process Personal Data solely for the purpose of delivering, maintaining, and improving Produktly’s services, including providing customer support, analytics, and security enhancements.
- The Controller shall ensure that it has a lawful basis for collecting and processing Personal Data.
3. Processor Obligations
- The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers outside the EU/EEA.
- The Processor shall ensure that employees or authorized personnel processing Personal Data are bound by confidentiality obligations.
- The Processor shall implement appropriate technical and organizational measures to ensure data security, including protection against unauthorized access, loss, or destruction.
- The Processor shall assist the Controller in responding to data subject requests, including access, rectification, deletion, and portability requests, where possible, but only to the extent that such assistance is technically feasible and does not require disproportionate effort.
4. Data Subject Rights
- The Controller is responsible for handling data subject requests.
- The Processor shall provide reasonable assistance to the Controller in fulfilling GDPR obligations related to data subject rights, upon request and where technically feasible.
- The Processor shall, to the extent legally permitted, promptly notify the Controller if a data subject directly contacts the Processor regarding their Personal Data.
5. Sub-Processors
- The Controller provides general authorization for the Processor to engage Sub-Processors, provided that:
  - The Processor ensures Sub-Processors comply with GDPR requirements.
  - The Processor remains liable for Sub-Processors' actions.
- See below the list of sub-processors that Produktly uses:
  - Render - Cloud service provider
  - New Relic - Infrastructure monitoring
  - Bugsnag - Application monitoring and error tracking
  - Stripe - Payment processing
  - Sendgrid - Email sending
  - Tawk.to - Customer support system
  - Microsoft, Azure OpenAI Service - Large Language Model provider (optional, only used if you choose to use AI-powered features)
6. Data Collected
- The personal data collected by Produktly depends on which services you use, and how your end-users interact with them. It may include:
  - Produktly user id
  - Email address (if provided by the user)
  - Name (if provided by the user)
  - IP Address
  - Browser information (browser vendor, version, preferred language, etc.)
  - Device information (device type, operating system, screen resolution, etc.)
  - User provided feedback (ratings, NPS, comments, etc.)
  - User interactions (clicks, page views, etc.)
  - Produktly usage analytics (feature usage, feature progress, feature completions, etc.)
  - Other user generated content (feature requests, comments, etc.)
  - Other user attributes you choose to share with us through the identifyUser feature
7. Data Transfers
- The Processor shall not transfer Personal Data outside the EU/EEA unless adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an EU-approved data transfer mechanism.
8. Security & Data Breach Notification
- The Processor shall implement appropriate security measures to prevent unauthorized access, disclosure, or loss of Personal Data.
- In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and provide sufficient details to enable compliance with GDPR obligations.
9. Data Retention & Deletion
- The Processor shall retain Personal Data only for as long as necessary to fulfill the agreed services or as required by law.
- Upon termination of the services, the Processor shall delete or return all Personal Data, unless legal obligations require further retention.
10. Compliance & Documentation
- The Processor shall provide reasonable documentation or certifications, upon request, to demonstrate compliance with GDPR.
11. Miscellaneous
- This DPA remains in effect as long as the Processor processes Personal Data on behalf of the Controller.
- If any provision of this DPA is deemed invalid or unenforceable, the remaining provisions remain in full effect.