Data Processing Agreement (DPA)

Last updated: 9/17/2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ADIX, a Belgian company registered under VAT number BE0774.308.339, with registered office at Vaderlandstraat 76, 9000 Ghent, Belgium ("Processor" or "DemoDesk"), and the customer using the DemoDesk Services ("Controller" or "Customer").
Together referred to as the "Parties".

1. Subject Matter

This DPA governs the processing of personal data by DemoDesk on behalf of the Customer in the course of providing the DemoDesk SaaS platform and related services (the "Services").

2. Roles of the Parties

  • • The Customer acts as the Data Controller.
  • • DemoDesk (ADIX) acts as the Data Processor.
  • • DemoDesk shall process personal data only in accordance with the documented instructions of the Customer, as set out in this DPA, the Terms of Service, and the Customer's use of the Services.

3. Categories of Data

DemoDesk may process the following categories of personal data:

  • • Identification data (name, email address).
  • • Organization/Label information (label name, role).
  • • Account information (subscription plan, settings).
  • • Usage data (uploads, signings, reviews, activity logs).
  • • Communication data (transactional emails, support).

Payment details are processed directly by Stripe as an independent controller. DemoDesk does not store credit card details.

4. Purpose of Processing

DemoDesk processes personal data solely for the following purposes:

  • • Provision of the Services (account setup, demo review workflows, metadata management, analytics, etc.).
  • • Customer account administration.
  • • Security, monitoring, and troubleshooting.
  • • Legal compliance (e.g. accounting, tax).

5. Subprocessors

DemoDesk engages the following subprocessors to deliver the Services:

  • Supabase (EU/Global) – authentication and database hosting.
  • Cloudflare R2 (EU/US regions) – file and audio storage.
  • Netlify (Global) – frontend hosting.
  • Stripe (Global) – payment processing (separate controller).
  • Google Workspace (EU/US) – email and communication (SMTP).

DemoDesk shall ensure subprocessors provide sufficient guarantees of GDPR compliance, including appropriate safeguards for international transfers (e.g. Standard Contractual Clauses).

6. Security Measures

DemoDesk implements appropriate technical and organizational measures, including:

  • • Encryption in transit (TLS) and at rest.
  • • Role-based access control (RLS) in databases.
  • • Signed URLs for secure file access.
  • • Regular monitoring for vulnerabilities.
  • • Backups and disaster recovery procedures.

7. Confidentiality

All DemoDesk employees and subcontractors authorized to process personal data are bound by confidentiality obligations.

8. Data Retention and Deletion

  • • Personal data is retained for the duration of the Customer's subscription.
  • • Upon termination, all personal data will be deleted within 30 days, unless required by law to retain data longer.
  • • During this 30-day period, the Customer may request restoration or export of data.

9. Data Subject Rights

DemoDesk shall assist the Customer, to the extent possible, in fulfilling obligations regarding:

  • • Right of access, rectification, and erasure.
  • • Right to restriction of processing.
  • • Right to data portability.
  • • Right to object.

Requests from data subjects received by DemoDesk shall be forwarded to the Customer without undue delay.

10. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), DemoDesk ensures such transfers are subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

11. Audit and Compliance

  • • DemoDesk shall make available information necessary to demonstrate compliance with this DPA.
  • • Upon reasonable written request, the Customer may conduct audits (or appoint a qualified third party) limited to verifying DemoDesk's compliance with this DPA.
  • • Audits shall not interfere unreasonably with DemoDesk's operations and may occur no more than once per year.

12. Liability

DemoDesk's liability under this DPA is subject to the limitations set out in the Terms of Service.

13. Term and Termination

This DPA remains in effect for as long as DemoDesk processes personal data on behalf of the Customer. Upon termination of the Services and expiration of the retention period, DemoDesk shall delete or anonymize all personal data.

14. Governing Law

This DPA is governed by the laws of Belgium. Any disputes shall be submitted to the competent courts of Ghent, Belgium.

Signed electronically by acceptance of the Terms of Service.

← Back to Terms of Service