Data Processing Agreement (DPA)

Version 1.2.0 · Effective 2026-05-24

This page reflects the current DPA in text form. From your dashboard you can electronically accept the DPA and download a signed PDF copy.

Processor (within the meaning of Art. 4(8) GDPR)
Neltacore, LLC
1908 Thomes Avenue, Cheyenne, WY 82001, United States

This Data Processing Agreement ('DPA') details the data-protection obligations of the parties arising from the customer's use of the software-as-a-service platform provided by Neltacore, LLC under the brand name 'Deskwoot' (the 'Main Agreement'). It applies to all activities in which employees of the Processor or third parties commissioned by it come into contact with personal data of the Controller. This DPA fulfills the requirements of Article 28 GDPR.

§ 1 Subject Matter and Duration

(1) The subject matter of the processing arises from the Main Agreement, which is referenced here (provision of the Deskwoot platform for customer-support operations). (2) The duration of this DPA corresponds to the term of the Main Agreement. Upon termination of the Main Agreement, this DPA automatically ends, except where mandatory statutory retention periods apply.

§ 2 Specifics of the Processing

(1) Nature and purpose: processing of personal data to provide customer-support functions including multi-channel inbox, AI-assisted response automation, knowledge base, live-chat widget, reporting, and integration with the Controller's e-commerce systems. (2) Types of personal data: master and contact data (name, email, phone), communication content (messages, tickets), order data (where the Controller uses the e-commerce integration), usage and access data (IP address, user agent, timestamps), and other data voluntarily submitted by data subjects. (3) Aggregate bot-context data: where the Controller uses the AI bot or the AI Copilot feature, the Processor surfaces aggregate commerce statistics for the data subject associated with the conversation inside the AI model's system prompt so bot replies are context-aware without needing additional tool calls. The aggregates surfaced are: number of orders, date of the most recent order, cumulative order value with currency, and a freshness indicator describing whether the underlying integration syncs in real time. Detail-level personal data about specific orders (shipping address, payment method, line items) is only surfaced after the conversation has been verified to Tier 2 via the magic-link workflow. (4) Categories of data subjects: end-customers of the Controller, employees and agents of the Controller (where they use the platform), visitors of websites operated by the Controller (where the live-chat widget is embedded).

§ 3 Technical and Organizational Measures

(1) The Processor shall implement and maintain throughout the term of the Agreement the technical and organizational measures (TOMs) described in Annex A to protect personal data. (2) The Processor reviews the measures regularly and adjusts them to the current state of the art. Material changes will be communicated to the Controller. (3) The measures are designed and implemented to ensure a level of security appropriate to the risk (Art. 32 GDPR).

§ 4 Rectification, Restriction, and Erasure of Data

(1) The Processor will only rectify, erase, or restrict the processing of personal data on instruction of the Controller. This applies in particular to requests by data subjects under Art. 15-22 GDPR. (2) Where a data subject contacts the Processor directly with such a request, the Processor will forward the request to the Controller without undue delay. (3) The Processor provides functions in its platform that allow the Controller to handle data-subject requests itself (e.g., data export, account deletion).

§ 5 Obligations of the Processor

(1) The Processor processes personal data exclusively within the scope of the Controller's instructions and the Main Agreement. (2) The Processor obliges its authorized employees to confidentiality (Art. 28(3)(b) GDPR) or ensures that they are subject to an appropriate statutory duty of confidentiality. (3) The Processor designates a contact person for data-protection matters upon request. Inquiries can be sent to: privacy@deskwoot.com. (4) The Processor assists the Controller, taking into account the nature of the processing and the information available to it, in complying with the obligations under Art. 32-36 GDPR. (5) Records of processing activities under Art. 30(2) GDPR are documented by the Processor and made available to the Controller or supervisory authority on request.

§ 6 Sub-processors

(1) The Controller consents to the engagement of the sub-processors listed in Annex B. (2) The Processor will inform the Controller in advance of any intended addition or replacement of other processors, giving the Controller the opportunity to object to such changes. (3) For sub-processors located in third countries (outside the EEA), the Processor ensures an appropriate level of data protection, in particular through the conclusion of EU Standard Contractual Clauses (SCCs). (4) The Processor selects its sub-processors carefully and regularly reviews their data-protection levels.

§ 7 Audit Rights

(1) The Controller satisfies itself, prior to and during the data processing, of the technical and organizational measures of the Processor. To this end, it may, for example, obtain information, review existing certifications (e.g., ISO 27001, SOC 2), or carry out self-audits. (2) The Processor ensures that the Controller can verify compliance with its obligations. Upon request, the Controller receives all information necessary for this purpose.

§ 8 Notification of Breaches

(1) The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal-data breach within the meaning of Art. 33 GDPR. (2) The notification includes at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed.

§ 9 Authority to Issue Instructions

(1) Verbal instructions of the Controller are confirmed by the Controller without undue delay in writing or by email. (2) The Processor must inform the Controller without undue delay if it is of the opinion that an instruction violates applicable data-protection law. (3) The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or modified by the responsible Controller.

§ 10 Erasure and Return of Personal Data

(1) Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, return or delete all personal data that has come into its possession in a manner compliant with data protection. (2) Statutory retention obligations remain unaffected. (3) The platform provides the Controller with self-service functions for data export and account deletion. On separate written request, the Processor will perform the deletion manually.

§ 11 Final Provisions

(1) The law of the country in which the Controller is established applies, provided that this is mandatory EU law. Otherwise the laws of the State of Wyoming, USA, apply, with concurrent application of the GDPR for processing of personal data of EU/EEA data subjects. (2) Should individual provisions of this DPA be or become invalid, the validity of the DPA in other respects shall not be affected. The parties shall replace the invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision. (3) Amendments and supplements to this DPA require written form; electronic acceptance via the Processor's platform is sufficient pursuant to Art. 28(9) GDPR. (4) In the event of conflicts between this DPA and the Main Agreement, the provisions of this DPA shall take precedence.

Annex A - Technical and Organizational Measures (TOMs) under Art. 32 GDPR

The Processor has implemented the technical and organizational measures described below to protect personal data.

1. Confidentiality (Art. 32(1)(b) GDPR)

  • Logical access control: authentication via email + password (bcrypt-hashed), optional 2FA via TOTP, JWT sessions with configurable expiration, session revocation on logout. Admin API tokens with configurable scopes and immediate revocation.
  • Authorization: role-based access control (Owner / Admin / Agent / Custom Role). Restricted-scope agents see only their own conversations. Audit log over all privileged operations.
  • Separation: multi-tenancy via an accountId column on every table; row-level tenant isolation of the Postgres data is enforced at the application layer.
  • Pseudonymization: customer IDs are unpredictable CUID strings. Login tokens are stored as SHA-256 hashes in the database.
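To make the two measures above concrete ("login tokens are stored as SHA-256 hashes in the database") together with the Tier 2 magic-link verification referred to in § 2(3), here is an added Python illustration. It is not Deskwoot's code; the in-memory table, the field names, the 15-minute token lifetime and the returned record shape are all assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-in for a login_tokens table in Postgres;
# the table layout and column names are assumed, not taken from the DPA.
LOGIN_TOKENS = {}  # hex SHA-256 digest -> token record


def token_digest(token):
    """The only form of a token that is ever written to storage."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_token(account_id, conversation_id, ttl_seconds=900, now=None):
    """Mint a magic-link token and persist its SHA-256 digest only.

    The raw token goes into the emailed link and nowhere else. Anyone who
    reads the table (backup, replica, database compromise) obtains digests
    that cannot be reversed into a redeemable link.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    LOGIN_TOKENS[token_digest(token)] = {
        "account_id": account_id,
        "conversation_id": conversation_id,
        "expires_at": now + ttl_seconds,  # assumed 15-minute default lifetime
        "used": False,
    }
    return token


def redeem_login_token(token, now=None):
    """Verify a presented token; return what it authorizes, or None.

    Lookup is by digest, so raw tokens are never compared or stored. The
    token is single-use and expiring, which bounds the window in which a
    forwarded or logged link could raise a conversation to Tier 2.
    """
    now = time.time() if now is None else now
    record = LOGIN_TOKENS.get(token_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True
    return {
        "account_id": record["account_id"],
        "conversation_id": record["conversation_id"],
        "tier": 2,  # detail-level order data may be surfaced only from here on
    }


def is_digest_stored(value):
    """True if `value` appears as a stored key (used to show what is persisted)."""
    return value in LOGIN_TOKENS
```

The pattern matters for the Annex A claim because it changes what a database disclosure is worth: the stored digests satisfy neither `redeem_login_token` (hashing a digest yields a different digest) nor any other endpoint that expects the raw token, and expiry plus single use limit replay of a link that was legitimately delivered.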

2. Integrity (Art. 32(1)(b) GDPR)

  • Transmission control: TLS 1.2+ for all external connections (HTTPS on deskwoot.com, TLS to Postgres proxy, TLS to SMTP).
  • Input control: audit log with user ID, timestamp, IP address, user agent for every privileged action (login, API-token creation, subscription change, conversation deletion, refund/cancel actions).

3. Availability and resilience (Art. 32(1)(b) GDPR)

  • Backups: daily automated Postgres backups by the hosting provider, retained at least 7 days. Manual backup before every schema migration.
  • Disaster recovery: multi-region architecture possible (currently single-region EU). RTO < 4h for full DB recovery, RPO < 24h.
  • Availability control: health checks on all services, automatic restart on crash, CDN-fronted static assets via Cloudflare.

4. Regular review procedure (Art. 32(1)(d) GDPR)

  • Regular review of TOMs by the Processor (at least annually).
  • Data protection impact assessments supported on request from the Controller for its specific use of the platform.
  • Incident response: in the event of a security incident, the Controller is notified within 72 hours (cf. § 8 of this DPA).

5. Order control (Art. 28 GDPR)

  • Written DPA with every Controller (this document).
  • Confidentiality obligations for all employees and sub-processors.
  • Written agreements / DPAs with all sub-processors (see Annex B).
  • EU Standard Contractual Clauses (SCCs) for sub-processors in third countries.

Annex B - List of Approved Sub-processors

The Controller consents to the engagement of the sub-processors listed below. The Processor will inform the Controller in advance of changes (cf. § 6(2)).

Railway Corporation
Purpose: Application + database hosting
Region: EU (Netherlands)
Data categories: All customer data at rest and in transit

Anthropic, PBC
Purpose: AI inference (Claude models) for the AI agent
Region: European Union
Data categories: Conversation content sent to the AI bot for response generation
Transfer mechanism: EU Standard Contractual Clauses (SCCs) per Anthropic's published Trust Center; data not used to train Anthropic models

OpenAI, L.L.C.
Purpose: AI inference (GPT family) for the AI agent. Engaged only when the bot is configured to route through OpenAI-hosted models; data not used to train OpenAI models
Region: European Union
Data categories: Conversation content sent to the AI bot for response generation
Transfer mechanism: EU Standard Contractual Clauses (SCCs) per OpenAI's DPA

Microsoft Corporation
Purpose: AI inference for the AI agent when Azure-hosted model endpoints are selected. Engaged only when the bot routes through an Azure-served model
Region: European Union
Data categories: Conversation content sent to the AI bot for response generation
Transfer mechanism: EU Standard Contractual Clauses (SCCs) per Microsoft's Online Services DPA

Google LLC
Purpose: AI inference (Gemini family) and language translation services. Engaged only when the bot routes through a Google-hosted model or when auto-translation of conversations is enabled
Region: European Union
Data categories: Conversation content sent for inference or translation
Transfer mechanism: EU Standard Contractual Clauses (SCCs) per Google Cloud DPA

Ably Realtime Ltd.
Purpose: Realtime channel transport for messages between the agent dashboard, the public chat widget and the mobile apps
Region: European Union
Data categories: Encrypted message payloads in transit; no long-term storage on Ably's side

Stripe, Inc.
Purpose: Payment processing (subscriptions + connected merchant accounts)
Region: European Economic Area (Ireland) for EU customers; United States for fallback
Data categories: Billing data: name, email, billing address, payment method tokens
Transfer mechanism: EU SCCs per Stripe DPA

Twilio Inc. (SendGrid)
Purpose: Transactional email delivery
Region: United States
Data categories: Recipient email addresses, email content
Transfer mechanism: EU SCCs per Twilio DPA

Twilio Inc. (Messaging API)
Purpose: SMS and voice channel delivery. Engaged only when the customer has enabled the SMS channel or configured a phone number on an inbox; not used otherwise
Region: United States
Data categories: Phone numbers, SMS message content, call metadata
Transfer mechanism: EU SCCs per Twilio DPA

Cloudflare, Inc.
Purpose: DNS, CDN, DDoS protection
Region: Global edge network
Data categories: IP addresses, request metadata, TLS-terminated request payloads
Transfer mechanism: EU SCCs per Cloudflare DPA

PostHog Inc.
Purpose: Product analytics (page views, feature usage)
Region: European Union (Frankfurt)
Data categories: Pseudonymized usage events, feature-flag evaluations

EasyPost Inc.
Purpose: Carrier shipment-status lookups (when the customer has carrier tracking enabled)
Region: United States
Data categories: Tracking numbers + carrier identifiers (no end-customer personal data)
Transfer mechanism: EU SCCs per EasyPost DPA

Frequently asked questions

GDPR Article 28 and Deskwoot's Data Processing Agreement, answered.

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legal contract required under Article 28 of the GDPR between a data controller (you) and a data processor (Deskwoot). It defines what personal data the processor handles, how it must protect that data, and what rights you have, including audit, deletion, and breach notification.

Do I need a DPA with Deskwoot?

Yes, if you process any personal data of EU residents through Deskwoot, which almost certainly applies because every customer email, chat, and contact record qualifies. GDPR Article 28 requires a signed DPA between you (controller) and Deskwoot (processor) before that data flow begins.

How do I sign Deskwoot's DPA?

Sign it electronically, directly in your Deskwoot dashboard. Open Settings > Legal > Data Processing Agreement, fill in your company details, click Sign, and you immediately receive a countersigned PDF. The whole flow takes under a minute. No email loop, no DocuSign, no three-day wait for the Deskwoot side to counter-sign.

Is Deskwoot GDPR compliant?

Yes. Deskwoot processes data under GDPR, hosts customer data exclusively in EU data centers, encrypts data in transit (TLS 1.2+) and at rest, runs annual penetration tests, and lets every account self-serve their Article 28 DPA, data export, and erasure requests directly from the dashboard.

Where is Deskwoot data stored?

All customer data is stored in EU data centers (Netherlands region) since the April 2026 EU migration. This includes conversations, messages, attachments, contacts, account data, and backups. No customer data leaves the EU region for storage, and processing happens in the same region.

Who is the legal entity behind Deskwoot?

Deskwoot is operated by Neltacore LLC, a Wyoming (USA) limited liability company. Despite the US legal entity, all customer data sits in EU data centers under EU jurisdiction for storage and processing, with the GDPR Article 28 DPA covering the controller-processor relationship.