Built for EU compliance
Privacy isn't a checkbox.
It's the default.
Most help desks bolt on compliance after sales asks for it. Deskwoot was built the other way around. GDPR-native from day 1, hosted in the EU, with the paperwork already signed.
Storage
Your data lives in the EU
- EU data hosting, no transfers to US servers
- TLS 1.2+ in transit, AES-256 at rest
- IP addresses auto-masked after 30 days
Legal
Signed paperwork, ready when procurement asks
- GDPR Art. 28 DPA, click-to-accept plus signed PDF (view DPA)
- GDPR processing records on file (Art. 30)
- Security measures listed inside the DPA, no separate annex chase
Data rights
Your customers stay in control
- Customers can request a copy of their data anytime
- End-customers self-serve deletion via email link, no support ticket needed
- Account deletion with a 30-day grace period
Vendors
We police our sub-processors
- Risk assessment on file for every US vendor
- Public sub-processor list (see list)
- Change notifications before any new processor goes live
Plus the operational details
EU-only cookie banner
No banner shown outside the EU.
Newsletter Double-Opt-In
Confirmation email required before the first send.
Audit log
Every privileged action stays on record.
No training on your data
Confirmed in writing inside the DPA.
Need to send something to procurement?
The DPA is the master document. It covers Art. 28, our security measures, and the full sub-processor list with regions.
Frequently asked
Procurement & GDPR questions
Most of what buyers ask before they sign. If something here isn't covered, the answer is almost certainly inside the DPA.
Is Deskwoot GDPR-compliant?
Yes. Deskwoot is built from the ground up for GDPR. We host customer data exclusively in the EU, sign a Data Processing Agreement under Art. 28 with every account at signup, keep Art. 30 records of processing activities on file, and route Data Subject Access Requests (DSARs) to a self-serve flow that your customers control without your involvement.
Where is my customer data stored?
Everything is hosted in the EU, on every plan including the free tier. We do not replicate to US data centers. Backups stay in the EU as well. The full sub-processor list with regions sits inside the DPA.
How do I sign the Data Processing Agreement (DPA)?
You don't need to email anyone. Open the DPA page, click accept, and you receive a counter-signed PDF instantly. The same DPA enumerates our technical and organisational security measures (TOMs) under Art. 32, so procurement can tick that box without a separate questionnaire.
Can my customers request data deletion themselves?
Yes. Every transactional email Deskwoot sends on your behalf carries a one-click deletion link at the bottom. Your end-customer clicks it, confirms once, and their conversation history with you is purged. No support ticket, no human in the loop. This satisfies GDPR Art. 17 (right to erasure) by default.
Does Deskwoot use my data to train AI models?
No. Never. Customer data is not used to train any AI model, ours or a third-party model. This is confirmed in writing inside the DPA. The AI bot (Fynn) runs on your help center articles and your past tickets as private context only, scoped to your account.
Who are Deskwoot's sub-processors?
Every sub-processor is named publicly in Annex B of the DPA, with the country and the purpose. We notify customers in writing before adding a new sub-processor, so you can object before any data flows. Every US sub-processor has a risk assessment on file under the post-Schrems II framework.
What happens to my data if I close my Deskwoot account?
A 30-day grace period kicks in the moment you close the account, in case you change your mind or need to export. After 30 days, every row tied to your account is hard-deleted, including conversations, messages, attachments, and contacts. Backups age out of the retention window within 90 days.
How does Deskwoot handle a Data Subject Access Request (DSAR)?
End-customers can self-serve via the email deletion link described above. For full data exports, every account owner can request a copy of their account data from inside the dashboard. The export ships as a structured JSON archive with every conversation, message, contact, and attachment.
Is Deskwoot Schrems II compliant for EU customers?
Yes. EU customer data stays in the EU and is never transferred to US data centers by Deskwoot. For US sub-processors that may incidentally process metadata (e.g. payment processors), we maintain Standard Contractual Clauses (SCCs) and a risk assessment per processor, attached to the DPA.
Is my data encrypted at rest and in transit?
Yes. TLS 1.2 or higher is enforced on every connection, including the agent dashboard, public widget, REST API, and webhook delivery. At rest, every database row and every uploaded attachment is encrypted with AES-256. Customer-side credentials we store (SMTP passwords, third-party tokens) are encrypted at the column level with a separate key.