Deskwoot logoDeskwoot

Data Processing Agreement (DPA)

Versão 1.2.0 · Vigente desde 2026-05-24

Esta página reflete o DPA atual em formato textual. No dashboard você pode aceitar o DPA eletronicamente e baixar uma cópia em PDF assinada. Aceitar no dashboard

Processor (within the meaning of Art. 4(8) GDPR)
Neltacore, LLC
1908 Thomes Avenue, Cheyenne, WY 82001, United States

This Data Processing Agreement ('DPA') details the data-protection obligations of the parties arising from the customer's use of the software-as-a-service platform provided by Neltacore, LLC under the brand name 'Deskwoot' (the 'Main Agreement'). It applies to all activities in which employees of the Processor or third parties commissioned by it come into contact with personal data of the Controller. This DPA fulfills the requirements of Article 28 GDPR.

§ 1 Subject Matter and Duration

(1) The subject matter of the processing arises from the Main Agreement, which is referenced here (provision of the Deskwoot platform for customer-support operations). (2) The duration of this DPA corresponds to the term of the Main Agreement. Upon termination of the Main Agreement, this DPA automatically ends, except where mandatory statutory retention periods apply.

§ 2 Specifics of the Processing

(1) Nature and purpose: processing of personal data to provide customer-support functions including multi-channel inbox, AI-assisted response automation, knowledge base, live-chat widget, reporting, and integration with the Controller's e-commerce systems. (2) Types of personal data: master and contact data (name, email, phone), communication content (messages, tickets), order data (where the Controller uses the e-commerce integration), usage and access data (IP address, user agent, timestamps), and other data voluntarily submitted by data subjects. (3) Aggregate bot-context data: where the Controller uses the AI bot or the AI Copilot feature, the Processor surfaces aggregate commerce statistics for the data subject associated with the conversation inside the AI model's system prompt so bot replies are context-aware without needing additional tool calls. The aggregates surfaced are: number of orders, date of the most recent order, cumulative order value with currency, and a freshness indicator describing whether the underlying integration syncs in real time. Detail-level personal data about specific orders (shipping address, payment method, line items) is only surfaced after the conversation has been verified to Tier 2 via the magic-link workflow. (4) Categories of data subjects: end-customers of the Controller, employees and agents of the Controller (where they use the platform), visitors of websites operated by the Controller (where the live-chat widget is embedded).

§ 3 Technical and Organizational Measures

(1) The Processor shall implement and maintain throughout the term of the Agreement the technical and organizational measures (TOMs) described in Annex A to protect personal data. (2) The Processor reviews the measures regularly and adjusts them to the current state of the art. Material changes will be communicated to the Controller. (3) The measures are designed and implemented to ensure a level of security appropriate to the risk (Art. 32 GDPR).

§ 4 Rectification, Restriction, and Erasure of Data

(1) The Processor will only rectify, erase, or restrict the processing of personal data on instruction of the Controller. This applies in particular to requests by data subjects under Art. 15-22 GDPR. (2) Where a data subject contacts the Processor directly with such a request, the Processor will forward the request to the Controller without undue delay. (3) The Processor provides functions in its platform that allow the Controller to handle data-subject requests itself (e.g., data export, account deletion).

§ 5 Obligations of the Processor

(1) The Processor processes personal data exclusively within the scope of the Controller's instructions and the Main Agreement. (2) The Processor obliges its authorized employees to confidentiality (Art. 28(3)(b) GDPR) or ensures that they are subject to an appropriate statutory duty of confidentiality. (3) The Processor designates a contact person for data-protection matters upon request. Inquiries can be sent to: privacy@deskwoot.com. (4) The Processor assists the Controller, taking into account the nature of the processing and the information available to it, in complying with the obligations under Art. 32-36 GDPR. (5) Records of processing activities under Art. 30(2) GDPR are documented by the Processor and made available to the Controller or supervisory authority on request.

§ 6 Sub-processors

(1) The Controller consents to the engagement of the sub-processors listed in Annex B. (2) The Processor will inform the Controller in advance of any intended addition or replacement of other processors, giving the Controller the opportunity to object to such changes. (3) For sub-processors located in third countries (outside the EEA), the Processor ensures an appropriate level of data protection, in particular through the conclusion of EU Standard Contractual Clauses (SCCs). (4) The Processor selects its sub-processors carefully and regularly reviews their data-protection levels.

§ 7 Audit Rights

(1) The Controller satisfies itself, prior to and during the data processing, of the technical and organizational measures of the Processor. To this end, it may, for example, obtain information, review existing certifications (e.g., ISO 27001, SOC 2), or self-audits. (2) The Processor ensures that the Controller can verify compliance with its obligations. Upon request, the Controller receives all information necessary for this purpose.

§ 8 Notification of Breaches

(1) The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal-data breach within the meaning of Art. 33 GDPR. (2) The notification includes at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed.

§ 9 Authority to Issue Instructions

(1) Verbal instructions of the Controller are confirmed by the Controller without undue delay in writing or by email. (2) The Processor must inform the Controller without undue delay if it is of the opinion that an instruction violates applicable data-protection law. (3) The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or modified by the responsible Controller.

§ 10 Erasure and Return of Personal Data

(1) Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, return or delete all personal data that has come into its possession in a manner compliant with data protection. (2) Statutory retention obligations remain unaffected. (3) The platform provides the Controller with self-service functions for data export and account deletion. On separate written request, the Processor will perform the deletion manually.

§ 11 Final Provisions

(1) The law of the country in which the Controller is established applies, provided that this is mandatory EU law. Otherwise the laws of the State of Wyoming, USA, apply, with concurrent application of the GDPR for processing of personal data of EU/EEA data subjects. (2) Should individual provisions of this DPA be or become invalid, the validity of the DPA in other respects shall not be affected. The parties shall replace the invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision. (3) Amendments and supplements to this DPA require written form; electronic acceptance via the Processor's platform is sufficient pursuant to Art. 28(9) GDPR. (4) In the event of conflicts between this DPA and the Main Agreement, the provisions of this DPA shall take precedence.

Annex A - Technical and Organizational Measures (TOMs) under Art. 32 GDPR

The Processor has implemented the technical and organizational measures described below to protect personal data.

1. Confidentiality (Art. 32(1)(b) GDPR)

  • Logical access control: authentication via email + password (bcrypt-hashed), optional 2FA via TOTP, JWT sessions with configurable expiration, session revocation on logout. Admin API tokens with configurable scopes and immediate revocation.
  • Authorization: role-based access control (Owner / Admin / Agent / Custom Role). Restricted-scope agents see only their own conversations. Audit log over all privileged operations.
  • Separation: multi-tenancy via accountId column on every table; Postgres row-level enforcement at the application layer.
  • Pseudonymization: customer IDs are unpredictable CUID strings. Login tokens are stored as SHA-256 hashes in the database.

2. Integrity (Art. 32(1)(b) GDPR)

  • Transmission control: TLS 1.2+ for all external connections (HTTPS on deskwoot.com, TLS to Postgres proxy, TLS to SMTP).
  • Input control: audit log with user ID, timestamp, IP address, user agent for every privileged action (login, API-token creation, subscription change, conversation deletion, refund/cancel actions).

3. Availability and resilience (Art. 32(1)(b) GDPR)

  • Backups: daily automated Postgres backups by the hosting provider, retained at least 7 days. Manual backup before every schema migration.
  • Disaster recovery: multi-region architecture possible (currently single-region EU). RTO < 4h for full DB recovery, RPO < 24h.
  • Availability control: health checks on all services, automatic restart on crash, CDN-fronted static assets via Cloudflare.

4. Regular review procedure (Art. 32(1)(d) GDPR)

  • Regular review of TOMs by the Processor (at least annually).
  • Data protection impact assessments supported on request from the Controller for its specific use of the platform.
  • Incident response: in the event of a security incident, the Controller is notified within 72 hours (cf. § 8 of this DPA).

5. Order control (Art. 28 GDPR)

  • Written DPA with every Controller (this document).
  • Confidentiality obligations for all employees and sub-processors.
  • Written agreements / DPAs with all sub-processors (see Annex B).
  • EU Standard Contractual Clauses (SCCs) for sub-processors in third countries.

Annex B - List of Approved Sub-processors

The Controller consents to the engagement of the sub-processors listed below. The Processor will inform the Controller in advance of changes (cf. § 6(2)).

Railway Corporation
Finalidade: Application + database hosting
Região: EU (Netherlands)
Categorias de dados: All customer data at rest and in transit
Aviso de privacidade
Anthropic, PBC
Finalidade: AI inference (Claude models) for the AI agent
Região: European Union
Categorias de dados: Conversation content sent to the AI bot for response generation
Mecanismo de transferência: EU Standard Contractual Clauses (SCCs) per Anthropic's published Trust Center; data not used to train Anthropic models
Aviso de privacidade
OpenAI, L.L.C.
Finalidade: AI inference (GPT family) for the AI agent. Engaged only when the bot is configured to route through OpenAI-hosted models; data not used to train OpenAI models
Região: European Union
Categorias de dados: Conversation content sent to the AI bot for response generation
Mecanismo de transferência: EU Standard Contractual Clauses (SCCs) per OpenAI's DPA
Aviso de privacidade
Microsoft Corporation
Finalidade: AI inference for the AI agent when Azure-hosted model endpoints are selected. Engaged only when the bot routes through an Azure-served model
Região: European Union
Categorias de dados: Conversation content sent to the AI bot for response generation
Mecanismo de transferência: EU Standard Contractual Clauses (SCCs) per Microsoft's Online Services DPA
Aviso de privacidade
Google LLC
Finalidade: AI inference (Gemini family) and language translation services. Engaged only when the bot routes through a Google-hosted model or when auto-translation of conversations is enabled
Região: European Union
Categorias de dados: Conversation content sent for inference or translation
Mecanismo de transferência: EU Standard Contractual Clauses (SCCs) per Google Cloud DPA
Aviso de privacidade
Ably Realtime Ltd.
Finalidade: Realtime channel transport for messages between the agent dashboard, the public chat widget and the mobile apps
Região: European Union
Categorias de dados: Encrypted message payloads in transit; no long-term storage on Ably's side
Aviso de privacidade
Stripe, Inc.
Finalidade: Payment processing (subscriptions + connected merchant accounts)
Região: European Economic Area (Ireland) for EU customers; United States for fallback
Categorias de dados: Billing data: name, email, billing address, payment method tokens
Mecanismo de transferência: EU SCCs per Stripe DPA
Aviso de privacidadeDPA
Twilio Inc. (SendGrid)
Finalidade: Transactional email delivery
Região: United States
Categorias de dados: Recipient email addresses, email content
Mecanismo de transferência: EU SCCs per Twilio DPA
Aviso de privacidade
Twilio Inc. (Messaging API)
Finalidade: SMS and voice channel delivery. Engaged only when the customer has enabled the SMS channel or configured a phone number on an inbox; not used otherwise
Região: United States
Categorias de dados: Phone numbers, SMS message content, call metadata
Mecanismo de transferência: EU SCCs per Twilio DPA
Aviso de privacidade
Cloudflare, Inc.
Finalidade: DNS, CDN, DDoS protection
Região: Global edge network
Categorias de dados: IP addresses, request metadata, TLS-terminated request payloads
Mecanismo de transferência: EU SCCs per Cloudflare DPA
Aviso de privacidadeDPA
PostHog Inc.
Finalidade: Product analytics (page views, feature usage)
Região: European Union (Frankfurt)
Categorias de dados: Pseudonymized usage events, feature-flag evaluations
Aviso de privacidade
EasyPost Inc.
Finalidade: Carrier shipment-status lookups (when customer has Carrier tracking enabled)
Região: United States
Categorias de dados: Tracking numbers + carrier identifiers (no end-customer personal data)
Mecanismo de transferência: EU SCCs per EasyPost DPA
Aviso de privacidade

Perguntas frequentes

Artigo 28 do GDPR e o Contrato de Processamento de Dados do Deskwoot, respondidos.

O que é um Contrato de Processamento de Dados?

Um Contrato de Processamento de Dados (DPA) é um contrato exigido pelo Artigo 28 do GDPR entre um controlador de dados (você) e um operador de dados (o Deskwoot). Ele define quais dados pessoais o operador processa, como ele deve proteger esses dados e quais direitos você tem, incluindo auditoria, exclusão e notificação de violação.

Eu preciso de um DPA com o Deskwoot?

Sim, se você processa qualquer dado pessoal de residentes da UE pelo Deskwoot, o que quase sempre se aplica porque todo e-mail, chat e contato de cliente conta. O Artigo 28 do GDPR exige um DPA assinado entre você (controlador) e o Deskwoot (operador) antes desse fluxo de dados começar.

Como assinar o DPA do Deskwoot?

Assine eletronicamente direto no painel do Deskwoot. Abra Configurações > Jurídico > Contrato de Processamento de Dados, preencha os dados da sua empresa, clique em Assinar, e você recebe imediatamente um PDF com contra-assinatura. Todo o fluxo leva menos de um minuto. Sem ciclo de e-mail, sem DocuSign, sem espera de três dias pela contra-assinatura do Deskwoot.

O Deskwoot é compatível com GDPR?

Sim. O Deskwoot processa dados sob o GDPR, armazena dados de clientes exclusivamente em data centers da UE, criptografa dados em trânsito (TLS 1.2+) e em repouso, executa testes de invasão anuais e permite que toda conta resolva sozinha o DPA do Artigo 28, exportação de dados e pedidos de exclusão direto pelo painel.

Onde os dados do Deskwoot são armazenados?

Todos os dados de clientes são armazenados em data centers da UE (região Holanda) desde a migração para a UE em abril de 2026. Isso inclui conversas, mensagens, anexos, contatos, dados da conta e backups. Nenhum dado de cliente sai da região da UE para armazenamento, e o processamento acontece na mesma região.

Quem é a entidade legal por trás do Deskwoot?

O Deskwoot é operado pela Neltacore LLC, uma sociedade de responsabilidade limitada de Wyoming (EUA). Apesar da entidade legal nos EUA, todos os dados de clientes ficam em data centers da UE sob jurisdição da UE para armazenamento e processamento, com o DPA do Artigo 28 do GDPR cobrindo a relação controlador-operador.