This Data Processing Addendum ("DPA") forms part of the agreement between ⟦COMPANY LEGAL NAME⟧ ("Processor", "we") and the customer identified in the signature block ("Controller", "Customer") covering the Customer's use of the service (the "Agreement").
| Subject matter | Detection and explanation of Salesforce errors; creation of tickets in Customer-elected tools |
|---|---|
| Duration | Term of the Agreement + the 30-day deletion window |
| Nature and purpose | Reading Salesforce configuration metadata (read-only; the sole write is the opt-in Case destination in the Customer's own org); processing error text and UI step labels; transient handling of client-side-masked screenshots (≤ 24 h); delivery of ticket content to Customer-elected destinations |
| Data subjects | Customer's users of Salesforce (employees/contractors); Customer's admins |
| Personal data | User email, name, role; UI action labels and templated paths; error message text as displayed by Salesforce (may incidentally echo entered values); masked screenshots in transit; audit records of admin actions |
| Special categories | None intended or solicited; the Service is not designed to process them |
Persons authorized to process Customer Personal Data are bound by confidentiality obligations and access is limited to what their role requires.
We implement and maintain the technical and organizational measures described in the Security Overview (incorporated by reference), including: per-tenant row-level security enforced in the database; encryption of OAuth tokens at rest and TLS 1.2+ in transit; client-side screenshot masking; audit logging of administrative actions; and automated release-blocking privacy tests. We will not materially decrease the overall security of the Service during the term.
Where processing involves a transfer of EU/EEA or UK personal data to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller → processor) and the UK Addendum. ⟦SCCs — to be completed and attached by counsel: module selection, Annexes, supervisory authority⟧
On termination, we delete Customer Personal Data from production systems within 30 days (backups expire on their normal cycle, at most ⟦backup window⟧ days later), and before deletion provide an export in a machine-readable format on request. Customer admins can also delete synced Salesforce data at any time from within the product.
Once per 12 months and on reasonable notice, we make available the information reasonably necessary to demonstrate compliance with this DPA (documentation, security overview, completed questionnaires, and — when available — third-party audit reports), and permit audits required of the Customer by law or a supervisory authority under confidentiality.
This DPA prevails over the Agreement in case of conflict about data protection. It remains in force as long as we process Customer Personal Data.