Data Processing Agreement

Effective as of February 11, 2025.

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Terms") between Redframe B.V., a company incorporated under Dutch law, registered with the Dutch Chamber of Commerce under number 95695559, with its registered office at Trekvaart 101, 8271 AC IJsselmuiden, the Netherlands, trading as SideIQ ("Processor," "SideIQ," "we," "us," or "our"), and the entity accepting the Terms ("Controller," "Customer," "you," or "your").

This DPA applies to the extent that SideIQ processes Personal Data on behalf of the Customer as a Processor within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG), and, where applicable, the UK General Data Protection Regulation ("UK GDPR").

In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.

1. Definitions

Capitalized terms not defined in this DPA shall have the meanings given to them in the Terms. In addition:

  • "Applicable Data Protection Law" means the GDPR, the Dutch GDPR Implementation Act (Uitvoeringswet AVG), the UK GDPR, and any other applicable data protection laws and regulations.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Service.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries.

2. Scope and roles

2.1 The Customer acts as the Controller and determines the purposes and means of processing Personal Data through the Service. SideIQ acts as the Processor and processes Personal Data solely on behalf of and in accordance with the documented instructions of the Controller.

2.2 This DPA applies to all processing of Personal Data by the Processor on behalf of the Controller in connection with the Service, as described in Annex A (Details of processing).

2.3 The Controller is responsible for ensuring that it has a lawful basis under Applicable Data Protection Law for the processing of Personal Data through the Service, including obtaining any necessary consents and providing appropriate privacy notices to Data Subjects.

3. Processing instructions

3.1 The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification (Article 28(3)(a) GDPR).

3.2 The Controller's instructions for processing are set out in these Terms and this DPA. The Controller may issue additional written instructions consistent with the Terms. If the Processor considers that an instruction infringes Applicable Data Protection Law, it shall promptly notify the Controller.

3.3 The Controller instructs the Processor to process Personal Data for the following purposes: (a) providing, maintaining, and improving the Service; (b) providing technical support; (c) performing obligations under the Terms; and (d) as further specified in Annex A.

4. Details of processing

The details of Personal Data processing, including the subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects, are described in Annex A.

5. Processor obligations

The Processor shall:

  • 5.1 Confidentiality. Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
  • 5.2 Security. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and as further described in Annex B (Article 28(3)(c) GDPR).
  • 5.3 Sub-processors. Only engage Sub-processors in compliance with Section 7 of this DPA (Article 28(3)(d) GDPR).
  • 5.4 Data Subject rights. Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (Article 28(3)(e) GDPR).
  • 5.5 Security and breach notification. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor (Article 28(3)(f) GDPR).
  • 5.6 Deletion or return. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless European Union or Member State law requires storage (Article 28(3)(g) GDPR).
  • 5.7 Audit. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR).

6. Security measures

6.1 The Processor shall implement and maintain the technical and organizational security measures described in Annex B. These measures shall be appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

6.2 The Processor may update or modify the security measures from time to time, provided that such modifications do not materially decrease the overall level of protection of Personal Data.

7. Sub-processors

7.1 General authorization. The Controller grants the Processor a general written authorization to engage Sub-processors for the processing of Personal Data, subject to the conditions in this Section.

7.2 Current Sub-processors. A list of Sub-processors currently engaged by the Processor is set out in Annex C.

7.3 Notification of changes. The Processor shall inform the Controller of any intended addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Controller the opportunity to object to such changes.

7.4 Objection right. If the Controller has a reasonable basis to object to the use of a new Sub-processor, it shall notify the Processor in writing within fifteen (15) days of receiving notice. The parties shall discuss the Controller's concerns in good faith. If no resolution can be reached, the Controller may terminate the affected Service by providing written notice to the Processor.

7.5 Sub-processor obligations. The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract (Article 28(4) GDPR). The Processor shall remain fully liable to the Controller for the performance of its Sub-processors' obligations.

8. International data transfers

8.1 The Processor shall not transfer Personal Data outside the European Economic Area ("EEA") or the United Kingdom unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.

8.2 Where transfers are made to countries without an adequacy decision by the European Commission, the Processor shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by Commission Implementing Decision (EU) 2021/914, supplemented by additional technical and organizational measures where necessary following a transfer impact assessment;
  • The EU-U.S. Data Privacy Framework certification of the Sub-processor, where applicable; or
  • Any other transfer mechanism approved under Applicable Data Protection Law.

8.3 The transfer mechanisms applicable to each Sub-processor are identified in Annex C.

9. Data subject rights

9.1 The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise rights under Applicable Data Protection Law (including rights of access, rectification, erasure, data portability, restriction, or objection).

9.2 The Processor shall not respond to a Data Subject request directly, unless authorized to do so by the Controller or required by Applicable Data Protection Law.

9.3 The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests, taking into account the nature of the processing. Such assistance may include providing the Controller with technical capabilities to retrieve, rectify, or delete Personal Data through the Service.

10. Personal data breach

10.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

10.2 The notification shall include, to the extent available:

  • a description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
  • the name and contact details of the Processor's contact point for further information;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects.

10.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

11. Data protection impact assessment

The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and, where required, prior consultations with supervisory authorities, in accordance with Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

12. Audit rights

12.1 The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits to verify the Processor's compliance with this DPA. Such audits shall be subject to reasonable prior written notice (at least thirty (30) days), shall be conducted during normal business hours, and shall not unreasonably disrupt the Processor's operations.

12.2 The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.

12.3 The Processor may satisfy the audit obligation by providing the Controller with: (a) relevant certifications or audit reports (such as SOC 2 or ISO 27001 reports) from independent third-party auditors; or (b) other evidence of compliance reasonably acceptable to the Controller.

13. Data return and deletion

13.1 Upon termination or expiration of the Terms, the Processor shall, at the Controller's election, return or delete all Personal Data in its possession or control, including any copies, within thirty (30) days of the Controller's written request.

13.2 If the Controller does not make an election within thirty (30) days of termination, the Processor shall delete the Personal Data within a further thirty (30) days.

13.3 The Processor may retain Personal Data to the extent required by Applicable Data Protection Law, provided that the Processor shall ensure the confidentiality of such data and shall process it only for the purposes required by law.

13.4 This Section is without prejudice to the Processor's right to retain aggregated, de-identified, or anonymized data as described in the Terms.

14. Term and termination

This DPA shall remain in effect for the duration of the Terms and shall automatically terminate upon termination or expiration of the Terms, subject to the Processor's obligations under Section 13 (Data return and deletion), which shall survive termination.

15. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Terms, except that such limitations shall not apply to the extent prohibited by Applicable Data Protection Law.

16. Contact

For questions about this DPA or to exercise your rights under it, please contact:

  • Email: privacy@sideiq.com
  • Mail: Redframe B.V., Trekvaart 101, 8271 AC IJsselmuiden, the Netherlands

Annex A – Details of processing

A.1 Subject matter and duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the SideIQ platform and related services. Processing continues for the duration of the Terms.

A.2 Nature and purpose of processing

Personal Data is processed for the following purposes:

  • Providing and operating the Service, including CRM, email, calendar, telephony, invoicing, document management, banking integrations, collections, AI-powered features, and training modules;
  • Storing and organizing Customer Data within the multi-tenant platform;
  • Processing communications (email, telephone, video meetings) on behalf of the Controller;
  • Generating documents, quotes, invoices, and contracts;
  • Providing AI-powered suggestions, summaries, transcriptions, and automations;
  • Processing payments and banking transactions;
  • Providing analytics, reporting, and smart views;
  • Providing the client portal for the Controller's customers;
  • Technical support and incident resolution.

A.3 Categories of Data Subjects

Data Subjects may include, depending on the Controller's use of the Service:

  • The Controller's customers, leads, and prospects;
  • The Controller's employees, contractors, and agents (Authorized Users);
  • Contact persons at the Controller's business partners, suppliers, and vendors;
  • Any other individuals whose Personal Data the Controller chooses to process through the Service.

A.4 Types of Personal Data

The types of Personal Data processed may include, depending on the Controller's use of the Service:

  • Contact data: name, email address, phone number, postal address, job title, company name;
  • Communication data: email content, call recordings, call transcriptions, meeting transcripts, chat messages, notes;
  • Transactional data: quotes, invoices, payment information, order history, billing data;
  • CRM data: pipeline stages, opportunity details, activity history, custom field values, tags, task assignments;
  • Document data: contracts, proposals, templates, signed documents, and related metadata;
  • Financial data: bank transaction details, payment statuses, account information (to the extent entered by the Controller);
  • Location data: addresses associated with contacts, map coordinates for collection records;
  • Usage data: login history, platform interaction logs, audit trail records;
  • AI interaction data: AI chat history, generated summaries, suggestions, and training data scoped to the Organization.

A.5 Special categories of data

The Processor does not intentionally process special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). The Controller shall not submit such data through the Service unless it has a lawful basis for doing so and has informed the Processor in advance.

Annex B – Technical and organizational measures

The Processor implements the following technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR:

B.1 Access control

  • Multi-tenant architecture with strict organization-scoped data isolation – every database query is filtered by organizationId;
  • Role-based access control (RBAC) at user and module level;
  • Authentication via Clerk with JWT validation;
  • API key management with limited scopes per environment;
  • Feature-level access controls and entitlements per Organization.
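
As an added illustration of the organization-scoped isolation described in B.1 (example code written for this page, not SideIQ's own implementation): an in-memory repository in which every read and write is filtered by the organizationId taken from the authenticated request context, so that no individual call site can omit the tenant filter. The Contact shape, the AuthContext type, the claim names and the sample rows are all constructed for this example.

```typescript
// Added example, not SideIQ's code: enforcing organization-scoped data isolation
// by applying the organizationId filter inside the repository, so no caller can
// issue a query that forgets it. Types and sample rows are constructed here.

type OrgId = string;

interface Contact {
  id: string;
  organizationId: OrgId;
  email: string;
}

// Request context as it would be derived from an already validated JWT
// (the claim names are an assumption for this example).
interface AuthContext {
  userId: string;
  organizationId: OrgId;
}

// Constructed sample rows spanning two tenants.
const SAMPLE_CONTACTS: Contact[] = [
  { id: "c1", organizationId: "org_a", email: "alice@example.com" },
  { id: "c2", organizationId: "org_a", email: "bob@example.com" },
  { id: "c3", organizationId: "org_b", email: "carol@example.com" },
];

class ContactRepository {
  private readonly rows: Contact[];

  constructor(rows: Contact[]) {
    this.rows = rows;
  }

  // The tenant filter is applied first and unconditionally; any caller-supplied
  // predicate only narrows the caller's own organization's rows.
  list(ctx: AuthContext, predicate: (c: Contact) => boolean = () => true): Contact[] {
    return this.rows.filter(
      (c) => c.organizationId === ctx.organizationId && predicate(c),
    );
  }

  // Primary-key lookups carry the same filter. A row owned by another tenant is
  // reported as absent rather than forbidden, so that ids cannot be used to
  // confirm the existence of records in other organizations.
  findById(ctx: AuthContext, id: string): Contact | undefined {
    return this.rows.find(
      (c) => c.id === id && c.organizationId === ctx.organizationId,
    );
  }

  // Writes go through the same lookup, so an update naming another tenant's id is a no-op.
  updateEmail(ctx: AuthContext, id: string, email: string): boolean {
    const row = this.findById(ctx, id);
    if (row === undefined) return false;
    row.email = email;
    return true;
  }

  // Inserts stamp the organizationId from the context, never from the payload,
  // so a client cannot create rows under a different tenant.
  create(ctx: AuthContext, id: string, email: string): Contact {
    const row: Contact = { id, organizationId: ctx.organizationId, email };
    this.rows.push(row);
    return row;
  }
}

// Walk through the isolation properties with the constructed data.
function demonstrateIsolation(): {
  orgAVisible: number;
  orgBVisible: number;
  crossTenantRead: Contact | undefined;
  crossTenantUpdate: boolean;
  createdUnderCallerOrg: boolean;
} {
  const repo = new ContactRepository(SAMPLE_CONTACTS.map((c) => ({ ...c })));
  const orgA: AuthContext = { userId: "u1", organizationId: "org_a" };
  const orgB: AuthContext = { userId: "u2", organizationId: "org_b" };

  const created = repo.create(orgB, "c4", "dave@example.com");
  return {
    orgAVisible: repo.list(orgA).length,                            // 2
    orgBVisible: repo.list(orgB).length,                            // 2 (c3 plus c4)
    crossTenantRead: repo.findById(orgB, "c1"),                     // undefined
    crossTenantUpdate: repo.updateEmail(orgB, "c1", "x@example.com"), // false
    createdUnderCallerOrg: created.organizationId === "org_b",      // true
  };
}
```

In a SQL-backed service the equivalent control is a data-access layer that appends the organization filter to every statement it emits, rather than relying on each handler to remember it; database-side row-level security can add a second, independent layer that holds even if an application query is written without the filter.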

B.2 Encryption

  • Encryption in transit: all connections use TLS 1.2 or higher;
  • Encryption at rest: database encryption provided by Neon PostgreSQL; object storage encryption provided by Cloudflare R2;
  • Signed URLs for all file access with server-side authorization checks.

B.3 Data integrity and resilience

  • Transactional writes with optimistic locking and idempotency tokens;
  • Automatic database failover and redundancy (Neon);
  • Background workers with self-healing and retry mechanisms;
  • Keyset-based pagination for consistent query performance.

B.4 Monitoring and audit

  • Comprehensive audit logging of all write operations;
  • Activity tracking per user and per entity;
  • Application performance monitoring and error tracking.

B.5 Data minimization

  • Module-based architecture: only activated Modules process relevant data;
  • Blueprint-scoped configurations that limit data processing to relevant workflows;
  • Caching with appropriate TTLs (Redis) – no persistent storage of cached data.

B.6 Personnel

  • All personnel with access to Personal Data are bound by confidentiality obligations;
  • Access to production systems is limited to authorized personnel on a need-to-know basis.

B.7 Incident response

  • Documented incident response procedures;
  • Breach notification within 48 hours of detection;
  • Regular review and testing of security measures.

B.8 Data storage locations

  • Primary database: Neon PostgreSQL (EU region);
  • Object storage: Cloudflare R2 (EU endpoint – GDPR compliant);
  • Application hosting: Vercel (Edge network with EU processing available);
  • Background processing: VPS within EU.

Annex C – Sub-processors

The following Sub-processors are currently engaged by the Processor. The Controller grants general authorization for the use of these Sub-processors. Updates to this list will be communicated in accordance with Section 7.3.

Each entry lists the Sub-processor, its purpose, its location, and the transfer mechanism relied upon:

  • Neon Inc. – Database hosting (PostgreSQL). Location: EU region. Transfer mechanism: N/A (EU processing).
  • Cloudflare, Inc. – Object storage (R2), CDN, and security services. Location: EU endpoint; global CDN. Transfer mechanism: EU-U.S. DPF; SCCs.
  • Vercel Inc. – Application hosting and deployment. Location: United States; global edge. Transfer mechanism: EU-U.S. DPF; SCCs.
  • Clerk Inc. – Authentication and user management. Location: United States. Transfer mechanism: EU-U.S. DPF; SCCs.
  • Nylas Inc. – Email, calendar, and meeting integration. Location: United States. Transfer mechanism: SCCs.
  • Telnyx LLC – VoIP telephony, call routing, WebRTC, and call recording. Location: United States; EU presence. Transfer mechanism: SCCs.
  • OpenAI, L.L.C. – AI language models for suggestions, summaries, transcriptions, and automation. Location: United States. Transfer mechanism: EU-U.S. DPF; SCCs.
  • Stripe, Inc. – Payment processing. Location: United States; EU presence. Transfer mechanism: EU-U.S. DPF; SCCs.
  • Upstash Inc. – Redis caching and background job queues. Location: EU region available. Transfer mechanism: SCCs.
  • Voyage AI (via Vercel) – Embedding generation for knowledge base and search. Location: United States. Transfer mechanism: SCCs.

Last updated: February 11, 2025. To receive notifications of changes to this list, contact privacy@sideiq.com.