Data Processing Agreement

This Data Processing Agreement ("DPA") governs the processing of personal data by IdeaDunes on behalf of its customers in accordance with applicable data protection laws.

Effective Date: January 1, 2026
Last Updated: March 1, 2026

1. Definitions

"Controller" means the Customer who determines the purposes and means of processing personal data through the IdeaDunes platform.

"Processor" means IdeaDunes, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).

"Sub-processor" means any third party engaged by IdeaDunes to process personal data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom the personal data relates.

2. Scope and Purpose of Processing

IdeaDunes processes personal data solely for the purpose of providing the services described in the customer's subscription agreement. This includes:

  • Storing and managing customer relationship management (CRM) data
  • Processing project management, task, and collaboration data
  • Generating reports and analytics based on customer data
  • Sending notifications, reminders, and system communications
  • Providing technical support and platform maintenance

IdeaDunes will not process personal data for any purpose other than those specified by the Controller or required by applicable law.

3. Obligations of the Processor

IdeaDunes agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure data security (see Section 5)
  • Assist the Controller in responding to data subject requests
  • Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the agreement, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Data Subject Rights

IdeaDunes will assist the Controller in fulfilling obligations to respond to data subject requests, including:

  • Right of Access: Providing data exports upon request
  • Right to Rectification: Enabling data correction through the platform
  • Right to Erasure: Supporting data deletion workflows and account removal
  • Right to Data Portability: Providing data in structured, machine-readable formats (CSV, JSON)
  • Right to Restriction: Supporting processing restrictions on specific records
  • Right to Object: Honoring objections forwarded by the Controller

5. Security Measures

IdeaDunes implements the following technical and organizational measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access, two-factor authentication, and session management
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Data Backup: Automated daily backups with geographic redundancy
  • Monitoring: 24/7 infrastructure monitoring and alerting
  • Employee Training: Regular data protection and security awareness training
  • Incident Response: Documented breach response procedures with assigned roles
  • Penetration Testing: Annual third-party penetration testing and vulnerability assessment

6. Sub-Processors

IdeaDunes may engage sub-processors to assist in providing the services. The Controller will be notified of any changes to sub-processors with at least 30 days' advance notice.

Current sub-processors include:

  • Cloud Infrastructure: Hosting and compute services (data center location disclosed per customer region)
  • Email Delivery: Transactional email sending
  • Payment Processing: Subscription billing and payment handling
  • Monitoring: Application performance monitoring and error tracking

IdeaDunes ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), IdeaDunes ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Data processing within jurisdictions with an EU adequacy decision
  • Supplementary measures as recommended by the EDPB where necessary

8. Data Retention and Deletion

IdeaDunes retains personal data only for the duration necessary to fulfill the purposes outlined in the service agreement. Upon termination:

  • Customer data is available for export for 30 days after account closure
  • After the 30-day export period, all personal data is permanently deleted from active systems
  • Backup copies are purged within 90 days of account closure

9. Contact

For questions about this Data Processing Agreement, contact:

IdeaDunes Data Protection Team
Email: privacy@ideadunes.com
Web: Contact Form

For our full privacy practices, see our Privacy Policy and GDPR Compliance page.