This Data Processing Addendum ("DPA") forms part of the Terms of Service between Subido and the customer ("Customer") and applies where Subido processes personal data on the Customer's behalf in providing the service. It reflects the requirements of the UK GDPR and EU GDPR.
"Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data within Customer Data that Subido processes as Processor on the Customer's behalf — primarily voter identities, posts, votes, comments, attachments, and email preferences.
For Customer Personal Data, the Customer is the Controller and Subido is the Processor. Where Subido determines the purposes and means of processing for its own purposes (account administration, billing, security, product analytics), Subido acts as an independent Controller and that processing is governed by the Privacy Policy rather than this DPA.
This allocation is based on who determines the purpose of the processing and applies regardless of whether the portal is white-labelled, served on a custom domain, or sends through the Customer's own email provider.
Subido processes Customer Personal Data only on the Customer's documented instructions, including as set out in the Terms, this DPA, and the Customer's configuration of the service, unless required to act otherwise by law (in which case Subido will inform the Customer unless legally prohibited). Subido will inform the Customer if, in its opinion, an instruction infringes the GDPR.
The Customer warrants that it has a lawful basis to collect and process its voters' Personal Data, that it has provided all required notices and obtained any required consents, and that its instructions to Subido comply with applicable law. The Customer is responsible for the accuracy, content, and legality of Customer Personal Data and the means by which it acquired it.
Subido provides configurable consent controls for voter notification email. The Customer determines which mode to use, subject to the constraints in the Terms (opt-in is the default; opt-out is available only on the Customer's own connected email provider; the shared-email path is opt-in only).
The Customer, as Controller, is solely responsible for ensuring its chosen mode and sending practices are lawful for its recipients — including the explicit-opt-in requirements that apply in the EU, UK, Canada, and other jurisdictions, as opposed to the opt-out position generally available for US recipients under CAN-SPAM. Subido provides the mechanism; it does not determine the lawful basis for the Customer's communications and gives no warranty that any mode is lawful for a given set of recipients.
Subido ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and process the data only as necessary to provide the service.
Subido implements appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art and the risk, including: encryption of data in transit; access controls and least-privilege access; rate-limited passwordless authentication; workspace-scoped API keys; HMAC-signed webhooks; network-hardened infrastructure; logging and monitoring; and regular review of these measures. A fuller description is available on request.
The Customer authorises Subido to engage Sub-processors to provide the service. Each Sub-processor is bound by data-protection terms no less protective than this DPA. Current Sub-processors include those listed in the Privacy Policy (for example, Postmark for email on the shared-email path, and our hosting, file-storage, payment, and monitoring providers). Subido will give the Customer notice of any intended addition or replacement of a Sub-processor with a reasonable opportunity to object on reasonable data-protection grounds.
Where the Customer connects its own email provider, that provider is engaged by the Customer, not by Subido, and is not a Subido Sub-processor.
Taking into account the nature of the processing, Subido will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights. Where a voter contacts Subido directly, Subido will, unless legally required to act, refer them to the Customer as Controller and assist the Customer in responding.
Subido will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably available to assist the Customer in meeting its own breach-notification obligations.
Where processing involves transferring Customer Personal Data outside the UK or EEA, the parties rely on an appropriate transfer mechanism, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated by reference where applicable, together with supplementary measures as needed.
On termination of the service, or on the Customer's earlier request, Subido will delete or return Customer Personal Data as described in the Terms and Privacy Policy. Deleting a workspace removes its voter data from the live system; residual copies in backups are overwritten in the ordinary backup cycle. Subido may retain data where required by law.
Subido will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and security conditions and reasonable notice. Subido may satisfy audit requests by providing existing reports or documentation where these reasonably address the request.
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms. Nothing in this DPA limits either party's obligations or liability to Data Subjects or Supervisory Authorities under the GDPR.
| Item | Details |
| --- | --- |
| Subject matter | Provision of the Subido feedback, roadmap, and changelog platform |
| Duration | For the term of the Customer's use of the service, plus the deletion period |
| Nature & purpose | Hosting, storing, displaying, and transmitting voter content; sending configured notifications; exposing data to the Customer via dashboard, API, and export |
| Types of data | Voter email address, display name; posts, comments, votes; attachments; email/consent preferences; activity metadata |
| Categories of data subject | The Customer's voters and portal visitors; the Customer's team members |
| Special-category data | Not intended; the service is not designed to process special-category data |