Data Processing Agreement (DPA)

Version 1.0.0 · Effective 2026-04-25

This page reflects the current DPA in text form. From your dashboard you can electronically accept the DPA and download a signed PDF copy.

Processor (within the meaning of Art. 4(8) GDPR)
Neltacore, LLC
1908 Thomes Avenue, Cheyenne, WY 82001, United States
Jan Dreher, CEO

This Data Processing Agreement ('DPA') details the data-protection obligations of the parties arising from the customer's use of the software-as-a-service platform provided by Neltacore, LLC under the brand name 'Deskwoot' (the 'Main Agreement'). It applies to all activities in which employees of the Processor or third parties commissioned by it come into contact with personal data of the Controller. This DPA fulfills the requirements of Article 28 GDPR.

§ 1 Subject Matter and Duration

(1) The subject matter of the processing arises from the Main Agreement, which is referenced here (provision of the Deskwoot platform for customer-support operations).

(2) The duration of this DPA corresponds to the term of the Main Agreement. Upon termination of the Main Agreement, this DPA automatically ends, except where mandatory statutory retention periods apply.

§ 2 Specifics of the Processing

(1) Nature and purpose: processing of personal data to provide customer-support functions including multi-channel inbox, AI-assisted response automation, knowledge base, live-chat widget, reporting, and integration with the Controller's e-commerce systems.

(2) Types of personal data: master and contact data (name, email, phone), communication content (messages, tickets), order data (where the Controller uses the e-commerce integration), usage and access data (IP address, user agent, timestamps), and other data voluntarily submitted by data subjects.

(3) Categories of data subjects: end-customers of the Controller, employees and agents of the Controller (where they use the platform), visitors of websites operated by the Controller (where the live-chat widget is embedded).

§ 3 Technical and Organizational Measures

(1) The Processor shall implement and maintain throughout the term of the Agreement the technical and organizational measures (TOMs) described in Annex A to protect personal data.

(2) The Processor reviews the measures regularly and adjusts them to the current state of the art. Material changes will be communicated to the Controller.

(3) The measures are designed and implemented to ensure a level of security appropriate to the risk (Art. 32 GDPR).

§ 4 Rectification, Restriction, and Erasure of Data

(1) The Processor will only rectify, erase, or restrict the processing of personal data on instruction of the Controller. This applies in particular to requests by data subjects under Art. 15-22 GDPR.

(2) Where a data subject contacts the Processor directly with such a request, the Processor will forward the request to the Controller without undue delay.

(3) The Processor provides functions in its platform that allow the Controller to handle data-subject requests itself (e.g., data export, account deletion).

§ 5 Obligations of the Processor

(1) The Processor processes personal data exclusively within the scope of the Controller's instructions and the Main Agreement.

(2) The Processor obliges its authorized employees to confidentiality (Art. 28(3)(b) GDPR) or ensures that they are subject to an appropriate statutory duty of confidentiality.

(3) The Processor designates a contact person for data-protection matters upon request. Inquiries can be sent to: privacy@deskwoot.com.

(4) The Processor assists the Controller, taking into account the nature of the processing and the information available to it, in complying with the obligations under Art. 32-36 GDPR.

(5) Records of processing activities under Art. 30(2) GDPR are documented by the Processor and made available to the Controller or supervisory authority on request.

§ 6 Sub-processors

(1) The Controller consents to the engagement of the sub-processors listed in Annex B.

(2) The Processor will inform the Controller in advance of any intended addition or replacement of other processors, giving the Controller the opportunity to object to such changes.

(3) For sub-processors located in third countries (outside the EEA), the Processor ensures an appropriate level of data protection, in particular through the conclusion of EU Standard Contractual Clauses (SCCs).

(4) The Processor selects its sub-processors carefully and regularly reviews their data-protection levels.

§ 7 Audit Rights

(1) The Controller satisfies itself, prior to and during the data processing, of the technical and organizational measures of the Processor. To this end, it may, for example, obtain information or review existing certifications (e.g., ISO 27001, SOC 2) or self-audit reports.

(2) The Processor ensures that the Controller can verify compliance with its obligations. Upon request, the Controller receives all information necessary for this purpose.

§ 8 Notification of Breaches

(1) The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal-data breach within the meaning of Art. 33 GDPR.

(2) The notification includes at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed.

§ 9 Authority to Issue Instructions

(1) Verbal instructions of the Controller are confirmed by the Controller without undue delay in writing or by email.

(2) The Processor must inform the Controller without undue delay if it is of the opinion that an instruction violates applicable data-protection law.

(3) The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or modified by the responsible Controller.

§ 10 Erasure and Return of Personal Data

(1) Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, return or delete all personal data that has come into its possession in a manner compliant with data protection.

(2) Statutory retention obligations remain unaffected.

(3) The platform provides the Controller with self-service functions for data export and account deletion. On separate written request, the Processor will perform the deletion manually.

§ 11 Final Provisions

(1) The law of the country in which the Controller is established applies, provided that this is mandatory EU law. Otherwise the laws of the State of Wyoming, USA, apply, with concurrent application of the GDPR for processing of personal data of EU/EEA data subjects.

(2) Should individual provisions of this DPA be or become invalid, the validity of the DPA in other respects shall not be affected. The parties shall replace the invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision.

(3) Amendments and supplements to this DPA require written form; electronic acceptance via the Processor's platform is sufficient pursuant to Art. 28(9) GDPR.

(4) In the event of conflicts between this DPA and the Main Agreement, the provisions of this DPA shall take precedence.

Annex A — Technical and Organizational Measures (TOMs) under Art. 32 GDPR

The Processor has implemented the technical and organizational measures described below to protect personal data.

1. Confidentiality (Art. 32(1)(b) GDPR)

  • Physical access control: hosting in certified data centers (Railway / GCP, EU region Netherlands). Physical access only for authorized hosting-provider personnel.
  • Logical access control: authentication via email + password (bcrypt-hashed), optional 2FA via TOTP, JWT sessions with configurable expiration, session revocation on logout. Admin API tokens with configurable scopes and immediate revocation.
  • Authorization: role-based access control (Owner / Admin / Agent / Custom Role). Restricted-scope agents see only their own conversations. Audit log over all privileged operations.
  • Separation: multi-tenancy via an accountId column on every table, with row-level tenant isolation enforced at the application layer when querying Postgres.
  • Pseudonymization: customer IDs are unpredictable CUID strings. Login tokens are stored as SHA-256 hashes in the database.

2. Integrity (Art. 32(1)(b) GDPR)

  • Transmission control: TLS 1.2+ for all external connections (HTTPS on deskwoot.com, TLS to Postgres proxy, TLS to SMTP).
  • Input control: audit log with user ID, timestamp, IP address, user agent for every privileged action (login, API-token creation, subscription change, conversation deletion, refund/cancel actions).

3. Availability and resilience (Art. 32(1)(b) GDPR)

  • Backups: daily automated Postgres backups by the hosting provider (Railway), retained at least 7 days. Manual backup before every schema migration.
  • Disaster recovery: multi-region architecture possible (currently single-region europe-west4). RTO < 4h for full DB recovery, RPO < 24h.
  • Availability control: health checks on all services, automatic restart on crash (Railway restart policy), CDN-fronted static assets via Cloudflare.

4. Regular review procedure (Art. 32(1)(d) GDPR)

  • Regular review of TOMs by the Processor (at least annually).
  • Data protection impact assessments supported on request from the Controller for its specific use of the platform.
  • Incident response: in the event of a security incident, the Controller is notified within 72 hours (cf. § 8 of this DPA).

5. Order control (Art. 28 GDPR)

  • Written DPA with every Controller (this document).
  • Confidentiality obligations for all employees and sub-processors.
  • Written agreements / DPAs with all sub-processors (see Annex B).
  • EU Standard Contractual Clauses (SCCs) for sub-processors in third countries.

Annex B — List of Approved Sub-processors

The Controller consents to the engagement of the sub-processors listed below. The Processor will inform the Controller in advance of changes (cf. § 6(2)).

Railway Corporation
Purpose: Application + database hosting
Region: EU (Netherlands, europe-west4)
Data categories: All customer data at rest and in transit

Anthropic, PBC
Purpose: AI inference (Claude models) for the AI agent
Region: United States
Data categories: Conversation content sent to the AI bot for response generation
Transfer mechanism: EU Standard Contractual Clauses (SCCs) per Anthropic's published Trust Center; data not used to train Anthropic models

Stripe, Inc.
Purpose: Payment processing (subscriptions + connected merchant accounts)
Region: European Economic Area (Ireland) for EU customers; United States for fallback
Data categories: Billing data: name, email, billing address, payment method tokens
Transfer mechanism: EU SCCs per Stripe DPA

Twilio Inc. (SendGrid)
Purpose: Transactional email delivery
Region: United States
Data categories: Recipient email addresses, email content
Transfer mechanism: EU SCCs per Twilio DPA

Cloudflare, Inc.
Purpose: DNS, CDN, DDoS protection
Region: Global edge network
Data categories: IP addresses, request metadata, TLS-terminated request payloads
Transfer mechanism: EU SCCs per Cloudflare DPA

PostHog Inc.
Purpose: Product analytics (page views, feature usage)
Region: European Union (Frankfurt)
Data categories: Pseudonymized usage events, feature-flag evaluations

EasyPost Inc.
Purpose: Carrier shipment-status lookups (when the customer has Carrier tracking enabled)
Region: United States
Data categories: Tracking numbers + carrier identifiers (no end-customer personal data)
Transfer mechanism: EU SCCs per EasyPost DPA