GetSupportX
Legal

Data Processing Addendum

Last updated June 1, 2026

These documents are templates provided for general information and site completeness — they are not legal advice. Please consult your own counsel before relying on them. The definitive terms that apply to your account are those in the agreement you sign with GetSupportX, Inc.

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and GetSupportX, Inc. ("GetSupportX") for the use of the Service, and applies where GetSupportX processes Personal Data on Customer's behalf in connection with the Service.

Where there is a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls. This is a template; a customer-specific, signed DPA may be executed with our team and will govern where applicable.

Definitions

  • "Personal Data", "Controller", "Processor", "Data Subject" and "Processing" have the meanings given in the GDPR.
  • "Customer Data" means the data Customer and its end users submit to the Service.
  • "Subprocessor" means a third party engaged by us to process Personal Data on Customer's behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR and UK GDPR.

Roles of the parties

For Personal Data contained in Customer Data, Customer is the Controller and GetSupportX is the Processor. Where Customer is itself a Processor acting on behalf of a third-party Controller, GetSupportX acts as a sub-processor. GetSupportX will process Personal Data only on documented instructions from Customer, including as set out in the Terms and this DPA.

Scope and duration of processing

The subject matter of processing is the provision of the Service. The duration is the term of the agreement plus any retention period described in the Terms. The nature and purpose is to host and operate a customer support platform. The types of Personal Data and categories of Data Subjects are those Customer chooses to submit, which typically include the contact and support-conversation data of Customer's end users.

Subprocessors

Customer authorizes GetSupportX to engage the Subprocessors listed on our Subprocessors page. We impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance.

We will notify Customer of any intended addition or replacement of a Subprocessor, giving Customer at least thirty (30) days to object on reasonable, data-protection-related grounds before the new Subprocessor begins processing.

Security measures

GetSupportX will implement and maintain the technical and organizational measures set out in the Security Annex below, designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

  • Encryption of Personal Data in transit and at rest.
  • Logical per-workspace isolation of Customer Data.
  • Role-based, least-privilege access controls and authentication for staff.
  • Audit logging and monitoring of access to production systems.
  • Regular vulnerability management, patching and backups.
  • Personnel confidentiality obligations and security awareness training.

Data subject requests

Taking into account the nature of the processing, GetSupportX will provide reasonable assistance, including through appropriate technical and organizational measures and self-service tooling, to help Customer respond to requests from Data Subjects to exercise their rights. If we receive a request directly, we will, where legally permitted, direct the Data Subject to Customer.

Breach notification

GetSupportX will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to help Customer meet its own notification obligations under Data Protection Laws.

Audits

GetSupportX will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor, subject to reasonable confidentiality, scheduling and frequency limits. We may satisfy audit requests by providing relevant third-party certifications and reports where available.

International transfers

Where processing involves a transfer of Personal Data out of the European Economic Area, the United Kingdom or Switzerland to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (and the UK Addendum, where applicable) are incorporated into this DPA and apply to that transfer.

Deletion and return of data

On termination or expiry of the agreement, GetSupportX will, at Customer's choice, delete or return Customer Data, and delete existing copies, except where retention is required by law. Customer may export Customer Data through the Service before the end of the applicable retention window. Backups are deleted in the ordinary course of business according to our backup cycle.

Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Data Protection Laws.