Data Processing Addendum

Last updated: 13 July 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between [Legal Entity Name] ("we", "us") and the customer organization ("you"). It governs our processing of personal data that you submit to UseORG.com on behalf of your own users, employees, and customers.

1. Roles of the parties

For the personal data contained in the records you create in the Service — your contacts, companies, deals, employees, tickets, documents, invoices, and meeting invitees — you are the controller and we are the processor. We process that data only to provide the Service, and only on your documented instructions.

For account, authentication, billing, and Service-operation data (who signed in, from where, what they were charged), we act as a controller in our own right. That processing is described in our Privacy Policy and is not governed by this DPA.

2. Your instructions

Your use of the Service — and the configuration choices you make within it — constitute your documented instructions. We will not process customer personal data for any other purpose. In particular, we do not sell it, and we do not use it to train machine-learning models. If we believe an instruction breaches applicable data protection law, we will tell you.

3. Subject matter and details of processing

4. Confidentiality

Personnel authorised to process customer personal data are bound by confidentiality obligations and are granted access only to the extent needed to operate and support the Service.

5. Security measures

We maintain technical and organisational measures appropriate to the risk, including:

We do not currently hold a SOC 2 or ISO 27001 certification. We will not claim one until we do.

6. Subprocessors

You authorise us to engage the subprocessors listed at UseORG.com subprocessors. Each is bound by a written contract imposing data protection obligations no less protective than this DPA, and we remain liable for their performance.

We will update that page before a new subprocessor begins processing customer personal data. You may subscribe to change notifications by emailing [email protected], and you may object on reasonable data-protection grounds within 30 days of notice. If we cannot offer a reasonable alternative, you may terminate the affected part of the Service.

7. Assistance with data subject rights

The Service is built so you can satisfy most requests yourself: administrators can search, correct, export, and delete records directly, and individual users can export and delete their own account data. Where a request cannot be fulfilled through the Service, we will provide reasonable assistance, taking into account the nature of the processing.

8. Personal data breach

We will notify you without undue delay, and in any case within 72 hours, of becoming aware of a personal data breach affecting your data. The notice will describe the nature of the breach, the categories and approximate volume of data and data subjects affected, the likely consequences, and the measures taken or proposed. We will not require you to determine the facts before we tell you.

9. Deletion and return

You can export your data from the Service at any time during the term.

When you delete an organization, its members lose access immediately, and the organization enters a 30-day recovery window during which you can ask us to restore it. That window exists so that an accidental or malicious deletion is not final.

After the window closes, the organization and everything it holds is permanently and irreversibly erased: all records across every application, all uploaded files (including private personnel documents), all notifications and activity history, and the customer record held by our payment processor. Erasure is automated and is not conditional on a request from you.

Backups are retained on a rolling basis and are overwritten in the ordinary course; data in backups is not restored to live systems after erasure.

10. International transfers

We and our subprocessors may process personal data outside the country in which you are located. Where personal data originating in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, the transfer is made under the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable), which are incorporated into this DPA by reference.

11. Audits

On reasonable written request, and no more than once per year (or following a personal data breach affecting your data), we will make available the information reasonably necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by you or an independent auditor you mandate, subject to reasonable confidentiality and scheduling terms.

12. Order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of customer personal data.

13. Contact

Data protection enquiries: [email protected]. Security reports: [email protected].