Djeed · Legal & policy
Data Processing Agreement
GDPR Article 28 terms covering personal data that customer organisations upload into DjeedX workspaces. The customer is the controller, Djeed is the processor. This addendum supplements the Terms of Service.
- Effective
- 2026-04-28
- Version
- 0.1 (private beta)
- Status
- Draft pending counsel review
On this page
Chapter 01
Roles#
In plain languageFor data you upload into a DjeedX workspace, you (the customer organisation) are the controller and Djeed is the processor.
For data Customer uploads into a DjeedX workspace, Customer is the data controller and Djeed is the data processor.
Chapter 02
Scope and duration#
In plain languageThe DPA covers as long as Djeed processes personal data for you. Subject matter, nature, purpose, and types of data are defined by your subscription and how you configure your workspace.
This DPA applies for as long as Djeed processes personal data on behalf of Customer. Subject matter, nature, purpose, and types of data processed are described in the Terms of Service and the workspace configuration set up by Customer.
Chapter 03
Customer instructions#
In plain languageDjeed processes personal data only on your documented instructions, including for any international transfer — unless EU or Member State law requires us to do otherwise.
Djeed will process personal data only on documented instructions from Customer, including with regard to international transfers, unless required by EU or Member State law.
Chapter 04
Confidentiality#
In plain languageDjeed staff who can see your data are bound by written confidentiality obligations.
Djeed personnel authorised to process personal data are bound by written confidentiality obligations.
Chapter 05
Security measures#
In plain languageThe Article 32 'appropriate technical and organisational measures' we have in place, in seven concrete commitments.
Djeed implements appropriate technical and organisational measures, including:
- TLS 1.3 in transit; AES-256 (or equivalent) at rest
- Tenant isolation between customer workspaces
- Role-based access control inside DjeedX
- Audit log of every record write
- Encrypted, rotating backups (30-day window) stored in the EEA / Switzerland
- Per-IP rate limits and bot protection on public endpoints
- Regular dependency and vulnerability scanning
Chapter 06
Sub-processors#
In plain languageThe list of sub-processors is in Privacy §05. We give you 14 days' notice before adding or replacing one; you can object on reasonable grounds and, if we can't accommodate, terminate the affected services.
Customer authorises Djeed to engage the sub-processors listed in the Privacy Policy §05. Djeed will notify Customer at least 14 days before adding or replacing a sub-processor; Customer may object on reasonable grounds and, if Djeed cannot accommodate the objection, terminate the affected services.
Chapter 07
International transfers#
In plain languageAll processing is in the EEA + Switzerland. Switzerland is covered by the 2024 EU Adequacy Decision so it's the same regulatory zone for transfer purposes. We don't go outside that zone.
Personal data is processed in the EEA and Switzerland. Switzerland is covered by the EU Adequacy Decision (renewed 2024). Djeed will not transfer personal data outside this scope without a lawful transfer mechanism (e.g. EU Standard Contractual Clauses).
Chapter 08
Data subject requests#
In plain languageIf a data subject contacts Djeed directly, we redirect them to you (the controller). We help you respond using the export and erasure endpoints DjeedX exposes.
Djeed will assist Customer in responding to requests from data subjects exercising their GDPR rights, including via the export and erasure endpoints exposed by DjeedX. Where a data subject contacts Djeed directly, Djeed will redirect them to Customer unless required by law to act on the request itself.
Chapter 09
Personal data breach#
In plain languageWe notify you without undue delay — and in any event within 72 hours of becoming aware — with the Article 33(3) information to the extent it's available.
Djeed will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting Customer's data, with the information required under Article 33(3) GDPR to the extent available.
Chapter 10
Audits#
In plain languageOn reasonable advance notice, once per year max (excluding actual-breach investigations), we share what's needed to demonstrate Article 28 compliance — including third-party security attestations where they exist.
Djeed will make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR, including third-party security attestations where available, and contribute to audits, on reasonable advance notice and not more than once per year (excluding investigations triggered by an actual breach).
Chapter 11
Return or deletion#
In plain languageOn termination you have 30 days to export. After 30 days we delete or anonymise everything, unless retention is required by law.
On termination, Customer may export workspace content for 30 days. After 30 days, Djeed will delete or anonymise all personal data, save where retention is required by law.
Chapter 12
Liability#
In plain languageDPA liability sits under the Terms' liability cap. Nothing here limits your rights as controller under the GDPR.
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA limits Customer's rights as data controller under the GDPR.
Questions
Talk to a person, not a form.
For data-protection questions, exporting or deleting your data, or exercising any GDPR right, write to privacy@djeed.com. For contractual or commercial questions, write to legal@djeed.com. We respond within 30 days; usually much sooner.