Data Processing Addendum

GDPR · UK GDPR · DPDP · LGPD aligned · Effective April 1, 2026 · Version 4.0

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and Ideadunes / Niket Gupta ("Processor"). This DPA applies whenever the Processor processes personal data on behalf of the Controller.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR, UK GDPR, DPDP Act 2023, or applicable law. "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.

2. Roles

The Controller determines the purposes and means of processing. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to international transfers.

3. Subject matter and duration

Subject matter: processing of Personal Data necessary to provide the Ideadunes scheduling platform.

Duration: for the term of the Terms of Service plus any data retention period.

Nature and purpose: hosting, storing, processing, and transmitting Personal Data to provide scheduling, communication, payment, and analytics functionality.

Categories of data subjects: Controller's employees, customers, contacts, and end-users of Controller's services.

Categories of Personal Data: name, contact info, scheduling data, communication content, location, payment info (limited), and any data Controller chooses to upload.

4. Processor obligations

The Processor will:

  • Process Personal Data only on documented instructions
  • Ensure persons authorized to process are bound by confidentiality
  • Implement appropriate technical and organizational measures (Annex II)
  • Engage subprocessors only with prior written authorization (general or specific) and impose the same obligations on them
  • Assist the Controller in responding to data subject requests
  • Assist the Controller with data protection impact assessments
  • Notify the Controller of personal data breaches within 24 hours
  • Make available all information necessary to demonstrate compliance
  • Allow audits by the Controller (or independent auditor) once per year, with 30 days' notice
  • Delete or return all Personal Data at the end of services

5. International transfers

Where Personal Data is transferred outside the EU/UK/India to a country without an adequacy decision, transfers are governed by:

  • EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor)
  • UK International Data Transfer Addendum to the EU SCCs
  • India: contractual measures plus encryption-at-rest and pseudonymization

Transfer Impact Assessments are documented and available on request.

6. Subprocessors

The Controller authorizes the use of subprocessors listed at our trust center. We will notify Controllers of any new subprocessor with 30 days' advance notice via email and our changelog. Controllers may object on reasonable grounds related to data protection.

7. Security measures (Annex II)

Detailed in our security page, including:

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Role-based access control with MFA
  • Quarterly access reviews and penetration tests
  • Audit logging with 7-year retention
  • Multi-region active-active resilience (RTO 1h, RPO 5min)
  • Vendor risk management with annual reviews
  • Incident response with documented playbooks
  • SOC 2 Type II (in audit), ISO 27001 (in progress), HIPAA (available)

8. Data subject requests

The Processor provides self-service tools allowing the Controller to fulfill data subject requests for access, rectification, erasure, and portability. Where the Processor receives a request directly, it forwards the request to the Controller without responding.

9. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service, except for liability arising from breaches of GDPR Article 82 or DPDP Act § 33, which is governed by applicable law.

10. How to execute

For Free, Solo, Starter, Business, and Scale plans, this DPA is automatically incorporated into your subscription. No signature required.

For Enterprise plans, request a counter-signed PDF version from legal@ideadunes.com.