Data Processing Addendum

§1Roles and scope

Customer is the controller of personal data included in Customer Data. Concordex (the Provider) is the processor. Where Customer acts as a processor for an end-customer of theirs, Concordex acts as sub-processor; the same obligations apply.

The categories of personal data, the categories of data subjects, the duration, and the purposes of processing are described in the Privacy Policy. That description is incorporated here by reference and serves as the GDPR Art. 28(3) particulars.

§2Instructions and lawfulness

Concordex processes personal data only on documented instructions from Customer. The Terms of Service and the configuration choices Customer makes in the dashboard constitute documented instructions. If we believe an instruction infringes applicable data-protection law, we will tell Customer and may decline that instruction.

§3Confidentiality

Personnel with access to Customer personal data are bound by written confidentiality obligations. Access is restricted to what is necessary to operate the Service.

§4Security measures

Concordex implements appropriate technical and organisational measures including: TLS 1.2+ for data in transit; encryption at rest in our storage providers; SSO with hardware-key MFA for production access; principle-of-least-privilege role assignment; tamper-evident audit ledgers for billing, key-issuance, and rate-card changes; documented incident response procedures.

The current controls posture, including SOC 2 status, is published at /security and incorporated here by reference.

§5Sub-processors

Customer grants Concordex general authorization to engage sub-processors, subject to the obligations in this section. Concordex maintains the sub-processor list below. We give Customer at least 30 days' notice before adding or replacing a sub-processor; Customer may object on reasonable data-protection grounds, and if we cannot accommodate the objection, Customer may terminate the affected services.

§6International transfers

Personal data is processed in the United States. For data originating in the EEA, UK, or Switzerland, the EU Standard Contractual Clauses ("SCCs") apply as set out in §11. We perform transfer impact assessments and implement supplementary technical measures (encryption, access controls) where required by local law.

§7Data-subject requests

Concordex provides Customer with the technical means to respond to data-subject requests within its workspace via the dashboard (export, deletion, rectification). Where Concordex receives a request directly from a data subject whose controller is Customer, we route the request to Customer's tenant_admin without acting on it.

§8Personal-data breach notification

Concordex notifies Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer's personal data. The notification includes the nature of the breach, the categories and approximate number of affected data subjects and records, and the measures taken or proposed to address it.

§9Audits

Concordex makes available to Customer the information necessary to demonstrate compliance with GDPR Art. 28, including the current SOC 2 report once available and the platform audit ledgers covering controlled records. Customer may conduct audits no more than once per twelve-month period on reasonable notice and at Customer's expense; we will accommodate audits required by Customer's supervisory authority on shorter notice.

§10Return or deletion

Upon termination of the Service, Customer may export personal data via the dashboard for at least 30 days. After the export window closes, Concordex deletes personal data from production systems within 30 days and from backups in accordance with our backup-retention schedule (90 days maximum). Operational metadata and audit logs are retained as described in the Privacy Policy.

§11Standard Contractual Clauses

Where Customer is established in the EEA, UK, or Switzerland, or otherwise transfers personal data to Concordex from those jurisdictions, the Module Two ("Controller to Processor") SCCs adopted by the European Commission on 4 June 2021 apply and are incorporated by reference. Module Three ("Processor to Processor") applies where Customer acts as a processor on behalf of a third-party controller.

• Clause 7 (Docking) does not apply.
• Clause 9 (Use of sub-processors) — Option 2 (General written authorization), with 30 days' notice.
• Clause 11 (Redress) — Optional sub-clause does not apply.
• Clause 17 — Governing law: Republic of Ireland.
• Clause 18 — Forum: courts of the Republic of Ireland.
• Annex I.A (Parties) — Customer is the data exporter; Concordex is the data importer.
• Annex I.B (Description of transfer) — see the Privacy Policy.
• Annex II (Technical and organisational measures) — see §4 and /security.
• Annex III (Sub-processors) — below.

For UK transfers, the UK International Data Transfer Addendum to the SCCs (version B1.0, in force 21 March 2022) applies. For Swiss transfers, the SCCs apply as adapted by the Swiss Federal Data Protection and Information Commissioner.

§12Sub-processor list

Current sub-processors used to operate the Service. Updated as listed in §5.

The sub-processor list as published on this page is authoritative. Future additions will be announced with at least 30 days' notice via the changelog and via direct email to the tenant_admin of each workspace.