Data Processing Addendum

This DPA applies between upDevTeam LTD (the 'Processor') and any customer of the GoDesk service who, in using the service, processes personal data of identifiable individuals as a 'Controller' under GDPR. It is incorporated into the Terms of Service by reference.

Last updated: 2026-05-06
TL;DR

If you use GoDesk to support business customers, employees, or any other identifiable people, you are the Controller and we are the Processor. This DPA governs how we handle personal data on your behalf under GDPR Article 28.

By accepting our Terms of Service you also accept this DPA. Enterprise customers who need a counter-signed PDF can request one at info@godeskflow.com.

01 Definitions

Capitalised terms have the meanings given to them in GDPR. The following terms have the meanings below.

Customer Personal Data
Personal data Customer or its end users transmit through, or store in, the GoDesk Service, and which we process on Customer's behalf as Processor.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation), and any national implementing legislation, including the UK GDPR.
Processor
upDevTeam LTD.
Controller
Customer.
Sub-processor
Any third-party processor engaged by upDevTeam LTD to process Customer Personal Data.
Standard Contractual Clauses
The Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by Commission Implementing Decision (EU) 2021/914 (Module 2 / Module 3 as applicable).

02 Scope and roles

This DPA applies to processing of Customer Personal Data carried out by upDevTeam LTD on behalf of Customer in the course of providing the Service.

The parties acknowledge that, with respect to such processing, Customer is the Controller and upDevTeam LTD is the Processor.

upDevTeam LTD also processes data as Controller in respect of its own business operations (account billing, anti-abuse, marketing). The Privacy Policy describes that processing.

03 Details of processing (Article 28(3) GDPR)

Subject matter
Provision of the GoDesk remote-desktop service to Customer.
Duration
For as long as Customer uses the Service plus any post-termination retention agreed in section 11.
Nature and purpose
Hosting, transmission, authentication, telemetry, support, and other processing necessary to operate the Service.
Categories of data
Account identifiers (email, peer ID), connection metadata (timestamps, IP), and any personal data Customer chooses to put into device names or session metadata. Session content is end-to-end encrypted and not accessible to us as plaintext.
Categories of data subjects
Customer's end users, employees, contractors, and any individuals whose devices are accessed through the Service by Customer.
Special categories of data
Not collected by upDevTeam LTD as Processor. Customer must not put special-category data into device names or other plaintext metadata.

04 Processor obligations

upDevTeam LTD will:

  • process Customer Personal Data only on documented instructions from Customer, including those set out in the Terms and this DPA, except where required by EU or member-state law;
  • ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement and maintain the technical and organisational measures described in section 6;
  • respect the conditions in Article 28(2) and (4) GDPR for engaging Sub-processors (section 5);
  • assist Customer, taking into account the nature of the processing, in fulfilling its obligations under Articles 32 to 36 GDPR;
  • make available all information necessary to demonstrate compliance with Article 28 GDPR.

05 Sub-processors

Customer authorises upDevTeam LTD to engage the following Sub-processors:

Supabase, Inc.
Account database, authentication, telemetry storage. Hosted in the EU.
Hetzner Online GmbH
Compute and bandwidth for relays and web infrastructure (Cyprus and Germany).
Cloudflare, Inc.
DNS, CDN, edge security.
Google Ireland Ltd.
Optional analytics, only when Customer end users opt in via the cookie banner.
Stripe Payments Europe Ltd.
Card processing for paid plans.

We will give Customer at least 30 days' notice before adding or replacing a Sub-processor by posting the change at godeskflow.com/dpa or emailing the account contact. If Customer reasonably objects on data-protection grounds, we will work in good faith to find a solution; if none can be agreed, Customer may terminate the affected Service for convenience.

We remain liable to Customer for the acts and omissions of our Sub-processors as if they were our own.

06 Security measures

We implement and maintain technical and organisational measures appropriate to the risk, including:

  • TLS 1.3 in transit, AES-256-GCM at rest for backups, X25519 + ED25519 key exchange for end-to-end-encrypted session content;
  • role-based access control with least-privilege defaults and mandatory two-factor authentication for staff;
  • centralised audit logging of administrative actions on production systems;
  • vulnerability management, dependency scanning, and timely security patching;
  • physical security delegated to ISO 27001-certified data-centre operators;
  • documented incident-response procedure with on-call rotation.

07 International transfers

Customer Personal Data is hosted in the EEA. Where transfer of Customer Personal Data outside the EEA is necessary (e.g. when a US-headquartered Sub-processor is involved), the parties incorporate the Standard Contractual Clauses by reference, with upDevTeam LTD acting as 'data exporter' for that onward transfer and the Sub-processor as 'data importer'.

Where Customer is established outside the EEA and personal data flows from upDevTeam LTD to Customer, the parties incorporate the SCCs (Module 4) for the corresponding transfer.

We complete a transfer-impact assessment for each non-EEA Sub-processor and apply supplementary measures (encryption, pseudonymisation) where the assessment recommends them.

08 Data-subject requests

If we receive a request from a data subject in respect of Customer Personal Data, we will not respond directly except to confirm receipt and direct the data subject to Customer. We will pass the request to Customer without undue delay.

We will provide reasonable assistance to Customer in responding to access, rectification, erasure, restriction, portability, and objection requests, taking into account the nature of the processing and the information available to us. Where the request is excessive or manifestly unfounded, we may charge a reasonable fee.

09 Personal-data breaches

We will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal-data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent known, with updates as the investigation progresses.

We will cooperate with Customer to contain, investigate, and document the breach, and will not make any public statement about it without Customer's prior consent except where required by law.

10 Audits

We provide Customer with the information necessary to demonstrate compliance with Article 28 GDPR through (a) this DPA, (b) the security white paper available on request, and (c) the most recent third-party audit reports of relevant Sub-processors (e.g. SOC 2 reports).

If Customer reasonably believes the materials referred to in section 10.1 are insufficient, Customer may, at its cost and on at least 30 days' written notice, audit our compliance with this DPA no more than once per year (except in the event of a material breach), provided the audit (i) is conducted during normal business hours, (ii) does not disrupt our operations, (iii) is performed by an independent auditor bound by appropriate confidentiality obligations, and (iv) does not include access to facilities or data of other customers.

Audit reports are confidential information of upDevTeam LTD and may be shared only with regulators and legal advisers under confidentiality.

11 Return and deletion

On termination of the Service, we will, at Customer's choice and within 30 days of the termination date, either return all Customer Personal Data in a structured electronic format or securely delete it, except to the extent retention is required by EU or member-state law.

Backup copies will be deleted in line with our standard rolling-backup retention (currently 35 days). Backups remain protected by the security measures in section 6 until they are overwritten.

12 Liability

Liability arising under this DPA is governed by the limitation-of-liability section of the Terms of Service.

Where Article 82 GDPR allocates liability between joint controllers, processors, and sub-processors, the parties agree to follow that statutory allocation.

13 Term

This DPA takes effect on the date Customer accepts the Terms of Service and continues for as long as upDevTeam LTD processes Customer Personal Data on Customer's behalf, plus any survival period necessary to discharge obligations under sections 9, 10, and 11.

14 Governing law

This DPA is governed by the laws of the Republic of Cyprus, except that, where the SCCs apply, the governing law identified in the SCCs prevails for matters within the SCCs' scope.

15 Contact

Notices under this DPA should be sent to info@godeskflow.com (data-processing matters) and to info@godeskflow.com (data-subject and supervisory-authority matters).

If you require a counter-signed copy of this DPA on the upDevTeam LTD letterhead, write to info@godeskflow.com. The English version of this DPA is the controlling version.