Data Processing Agreement

Last Updated: June 2026

When your organization uses AssistDesk, your employees' personal data — the content of support tickets, names, and email addresses — passes through our systems. This page summarizes how we handle that data as your processor, and how to put our Data Processing Agreement (DPA) in place.

This is a plain-language summary, not the binding contract. The legally binding DPA — including the clauses that require legal review (liability, indemnities, Standard Contractual Clauses, and governing law) — is the version executed between AssistDesk and your organization. This summary is provided for transparency during procurement and security review. To request the full DPA for signature, email [email protected].

1. Roles: who is the controller and who is the processor

For the personal data of your end users that you put into AssistDesk, your organization is the data controller — you decide why and how it is processed. AssistDesk is the data processor — we process that data only to provide the service to you, and only on your documented instructions. This reflects GDPR Article 28, UK GDPR, and the CCPA/CPRA "service provider" model.

(For the limited personal data we process for our own purposes — for example, your billing and account-admin contacts — we act as a controller, as described in our Privacy Policy.)

2. Scope and purpose of processing

Subject matter: providing AI-assisted IT support (ticket intake, AI responses, escalation, and analytics).
Categories of data subjects: your employees and other end users who contact support.
Categories of personal data: names, email addresses, ticket content and attachments, and usage/audit metadata.
Duration: for the term of your subscription, subject to the retention and deletion terms below.

We do not sell personal data, and we do not use it for advertising or to train third-party models beyond generating responses to your tickets.

3. Our obligations as processor

Process personal data only on your documented instructions (your use of the service and the executed DPA constitute those instructions).
Ensure people authorized to process the data are bound by confidentiality.
Implement appropriate technical and organizational security measures (see below).
Engage sub-processors only as described below.
Assist you with data-subject requests and with your own security and breach obligations.
Delete or return the data at the end of the engagement.

4. Security measures

We maintain technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, role-based and tenant-isolated access, passwordless authentication, enforced security headers, and continuous dependency and secret scanning. Our current measures and independent assessment are described on our Security & Trust page, which forms part of the DPA's description of security measures.

5. Sub-processors

We use a small set of vetted third parties to deliver the service, and we hold a data-processing agreement with each. Our current list is published on our Sub-processors page. Under the executed DPA, enterprise customers may subscribe to advance notice of new sub-processors and may object to a new sub-processor on reasonable data-protection grounds. A complete list naming every sub-processor, including our AI provider, is available to customers under the DPA on request.

6. Assistance with data-subject requests

The DPA commits us to help you respond to requests from data subjects to exercise their rights (access, correction, deletion, portability, and objection). AssistDesk already supports this operationally: account holders can export their data and request deletion of their personal data from the product, and we will assist you with end-user requests that you cannot fulfil yourself. See our Privacy Policy for how these rights work.

7. Personal-data breach notification

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and provide the information you reasonably need to meet your own notification obligations. The precise timeline and notification details are set out in the executed DPA.

8. Audits and demonstrating compliance

We will make available the information reasonably necessary to demonstrate compliance with our processor obligations — primarily through our published Security & Trust documentation and the third-party security rating referenced there — and will support audits as agreed in the executed DPA.

9. Return or deletion of data on termination

On termination of your subscription, we will delete or return your personal data in line with the executed DPA and our published retention practices, except where we are legally required to retain it. Self-service export and deletion remain available while your account is active.

10. International transfers

Several of our sub-processors operate in the United States. Where personal data is transferred out of the EEA, the UK, or Switzerland, the executed DPA relies on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. See our Privacy Policy and Sub-processors page for more.

11. Liability, term, and governing law

Liability, term, and governing law for data processing are set out in the executed DPA together with our Terms & Conditions. Those provisions are finalized with legal counsel; this summary does not modify them.

Put a DPA in place

If you need a signed Data Processing Agreement for your procurement or security review, we're glad to provide one.

Request our DPA See our security posture

Questions about how we process personal data on your behalf? Contact our privacy team at [email protected].