Data Processing Addendum

This DPA applies to the processing of Personal Data by Dodil on Customer’s behalf. Customer determines the purposes and means of processing; Dodil processes Personal Data only as a processor in accordance with this DPA and Customer’s documented instructions. The subject matter, nature, purpose, duration, data types, and categories of data subjects are described in Annex A.

“Applicable Data Protection Law” means the EU GDPR, the UK GDPR, and Singapore’s Personal Data Protection Act 2012, in each case as applicable. “Personal Data,” “controller,” “processor,” “processing,” “data subject,” and “personal data breach” have the meanings given in Applicable Data Protection Law. “SCCs” means the EU Standard Contractual Clauses; “UK Addendum” means the UK International Data Transfer Addendum to the SCCs.

Dodil will process Personal Data only on Customer’s documented instructions, including as set out in the Terms, this DPA, and Customer’s configuration and use of the Services, unless required by law (in which case Dodil will, where legally permitted, inform Customer first). Dodil will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

Dodil ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and process Personal Data only on a need-to-know basis.

Dodil implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art and the risks of processing. A summary of these measures is set out in Annex B and on our Security page.

Customer provides general authorization for Dodil to engage sub-processors to process Personal Data, listed in Annex C. Dodil imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance.

Dodil will give Customer at least 30 days’ notice of any intended addition or replacement of a sub-processor, during which Customer may object on reasonable data-protection grounds.

Taking into account the nature of the processing, Dodil will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Applicable Data Protection Law. If Dodil receives such a request directly, it will, where permitted, forward it to Customer rather than respond itself.

Dodil will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer’s obligations regarding the security of processing and breach notification, taking into account the nature of processing and the information available to Dodil.

Dodil will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer’s Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations.

Where processing involves transfer of Personal Data out of the UK or EEA to a country without an adequacy decision, such transfers are governed by the SCCs (together with the UK Addendum, where applicable), which are incorporated into this DPA by reference, with the relevant modules and options completed by reference to Annex A. For transfers subject to the PDPA, Dodil takes steps to ensure a comparable standard of protection.

On termination of the Services, Customer may export Customer Data for 7 days, after which Dodil will delete or return Personal Data in accordance with Customer’s instructions, unless retention is required by law. Backups are deleted in the ordinary course in line with Dodil’s retention cycle.

Dodil will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates. Dodil may satisfy audit requests by providing certifications or third-party reports (e.g. SOC 2, once available) where these reasonably address Customer’s request.

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

• Subject matter: provision of the Dodil Cloud Services.
• Nature & purpose: hosting, storage, indexing, computation, and transmission of Customer Data as configured by Customer.
• Duration: the term of the Terms, plus the deletion period in Section 11.
• Types of Personal Data: as determined by Customer (e.g. identifiers, contact data, and content submitted to the Services).
• Categories of data subjects: as determined by Customer (e.g. Customer’s users, customers, and contacts).

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
• End-to-end tenant isolation across storage, search, processing, and credentials.
• Least-privilege access controls with strong authentication and logging.
• Network segmentation, monitoring, and auditable deployment pipelines.
• Recovery procedures and incident-response processes; automated backups being rolled out.

The current list of sub-processors is maintained on our subprocessors page and includes providers for hosting/infrastructure, payment processing (Stripe), usage metering (OpenMeter Cloud), and form intake (Formspree).

For questions about this DPA or to raise a data-protection matter, contact legal@dodil.io, or write to Circle Technologies Pte. Ltd., 68 Circular Road, #02-01, Singapore 049422.