Data processing addendum (DPA)

The Customer is the controller (or processor on behalf of its own customers). Informly is the processor (or sub-processor where the Customer is itself a processor). Each party will comply with its respective obligations under applicable data protection law.

Subject matter: provision of the Informly service. Duration: the contract term plus deletion/return periods. Nature + purpose: hosting, transmitting, and analyzing personal data submitted by the Customer to deliver the service. Data subjects: end-customers of the Customer. Categories of data: contact identifiers, survey responses, transactional and behavioral data, and ticket content.

Informly processes personal data only on documented Customer instructions, including transfers to third countries, unless required by law (in which case Informly will inform the Customer beforehand unless prohibited).

Personnel authorized to process personal data are bound by confidentiality. Access is restricted to those with a need-to-know basis.

Informly implements appropriate technical and organizational measures, including those described on our Security page. Customer may request our current security documentation under NDA.

Customer authorizes Informly to engage sub-processors listed at /legal/sub-processors. We notify Customer at least 30 days before adding a sub-processor; Customer may object on reasonable data-protection grounds.

Informly provides tools to help Customer respond to data subject requests. Where requests come to Informly directly, we forward them to Customer without responding, unless legally required.

Informly notifies Customer of a personal data breach affecting Customer data without undue delay (and in any case within 72 hours of becoming aware), providing the information required for Customer to fulfill its own notification obligations.

Where personal data is transferred outside the EEA/UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (EU SCCs) and UK International Data Transfer Addendum (UK IDTA), incorporated by reference, with supplementary measures as described in our transfer impact assessment.

Customer may, no more than once per year and on reasonable prior notice, audit Informly's compliance through (a) review of independent audit reports (SOC 2 once available), or (b) a written questionnaire. On-site audits are available for enterprise customers on reasonable notice.

On termination, Informly deletes or returns all personal data within 30 days, unless law requires longer retention.

In case of conflict, this DPA prevails over other terms with respect to processing of personal data. Standard Contractual Clauses prevail over this DPA for transfers they cover.