Data Processing Agreement
Version 1.0 — February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (configly.app/terms) between:
Controller: The customer entity identified in the subscription agreement ("Controller")
Processor: Configly ("Processor")
Together referred to as the "Parties" and each a "Party".
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "UK GDPR" means the General Data Protection Regulation as it forms part of domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018, read with the Data Protection Act 2018.
- "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given to them in the UK GDPR.
- "Sub-processor" means a third-party data processor engaged by the Processor to process Personal Data on behalf of the Controller.
- "Services" means the Configly platform and related services as described in the Terms of Service.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Processing Scope
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so.
The nature, purpose, duration, and scope of processing, the categories of Personal Data, and the categories of Data Subjects are described in Annex I.
Processing is carried out for the purpose of providing the Services as described in the Terms of Service.
3. Processor Personnel
The Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Access to Personal Data is limited to personnel who require it for their role in providing the Services.
4. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II.
These measures include, but are not limited to, encryption of data at rest and in transit, access controls, and tenant isolation. The Processor shall regularly test, assess, and evaluate the effectiveness of these measures.
5. Sub-processing
The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Annex I.
The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, providing details of the processing to be carried out and the identity of the sub-processor.
The Controller may object to a new sub-processor within 14 days of notification. If the Controller objects on reasonable grounds related to data protection, the Parties shall discuss the concern in good faith. If the Parties cannot reach a resolution, the Controller may terminate the affected Services without penalty.
Where the Processor engages a sub-processor, it shall impose data protection obligations no less protective than those set out in this DPA by way of a written contract.
6. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the UK GDPR, including rights of access, rectification, erasure, data portability, restriction of processing, and objection.
The Processor shall notify the Controller promptly (and in any event within 5 business days) upon receiving a request from a Data Subject relating to the Controller's Personal Data.
The Processor shall not respond directly to Data Subjects without the Controller's prior written instruction, unless required by applicable law.
7. Breach Notification
The Processor shall notify the Controller without undue delay, and where feasible within 72 hours of becoming aware, of any Personal Data Breach, in accordance with Article 33 of the UK GDPR.
The notification shall include:
- The nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's point of contact for further information
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
8. Data Protection Impact Assessment
The Processor shall assist the Controller with Data Protection Impact Assessments (DPIAs) where the processing is likely to result in a high risk to the rights and freedoms of Data Subjects.
The Processor shall provide the Controller with all information reasonably necessary for such assessments and for any subsequent consultation with the supervisory authority.
9. Deletion and Return of Data
Upon termination of the Services, the Processor shall, at the Controller's election:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Delete all Personal Data within 10 business days
The Controller may request return of data before deletion. The Processor shall confirm deletion in writing upon request.
The Processor shall delete all copies of Personal Data, including from backups, within 30 days of termination, unless retention is required by applicable law.
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA. Audits require 30 days' written notice and may be conducted once annually.
The Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in this DPA and the UK GDPR.
Audits shall be conducted during normal business hours with minimal disruption to the Processor's operations. The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA.
11. International Data Transfers
Processing is carried out exclusively within the United Kingdom. Infrastructure is hosted in Digital Ocean's London (LON1) region.
No international transfers of Personal Data are required for the provision of the Services.
If international transfers become necessary in the future, the Processor shall implement appropriate safeguards in accordance with UK GDPR, including the UK International Data Transfer Agreement or equivalent mechanism, and shall obtain the Controller's prior written consent.
12. Confidentiality
Both Parties shall maintain the confidentiality of Personal Data processed under this DPA and the terms of this DPA itself.
This obligation survives termination of this DPA and the underlying agreement.
13. Governing Law and Jurisdiction
This DPA is governed by and construed in accordance with the laws of England and Wales.
The courts of England and Wales shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA.
The supervisory authority for the purposes of this DPA is the Information Commissioner's Office (ICO).
Annex I — Processing Details
Nature and Purpose of Processing
| Item | Detail |
|---|---|
| Nature of processing | Retrieval and storage of Zendesk configuration metadata for version control, comparison, dependency mapping, and impact simulation |
| Purpose | To provide the Configly platform services as described in the Terms of Service |
| Duration | For the duration of the Controller's active subscription, plus the deletion period specified in Section 9 |
Categories of Data Subjects
- Controller's Zendesk administrators and agents (names and email addresses appearing in configuration object metadata)
- Any individuals whose personal data may be incidentally embedded in Zendesk configuration metadata by the Controller
Categories of Personal Data
- Zendesk administrator and agent names and email addresses (as they appear in created_by and updated_by metadata fields)
- Organisation names, group names, and brand names as they appear in trigger conditions, automation rules, and view filters
- Tags and custom field values that may incidentally contain personally identifiable or business-sensitive information
- SLA policy names that may reference specific clients or service tiers
- Macro titles and content that may include business-specific templated information
- Any other personal data that may be embedded within Zendesk configuration objects by the Controller
All stored configuration data is treated with the same level of protection (encryption at rest via AES-256, encryption in transit via TLS 1.2+, tenant isolation) regardless of whether specific fields contain incidental personal data.
Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Digital Ocean | Infrastructure hosting (servers, databases) | London, UK (LON1) |
| Google Workspace | Email services (configly.app domain) | EU/UK data centres |
Annex II — Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AES-256 for all stored data |
| Token storage | OAuth tokens encrypted with AES-256-GCM |
| Database security | PostgreSQL with encrypted connections |
| Tenant isolation | Logical isolation at database level; API endpoints enforce tenant-scoped queries |
| SSL/TLS termination | Nginx reverse proxy with automated Let's Encrypt certificates |
| Session management | JWT-based sessions with configurable expiry |
| Access controls | Role-based access; minimum required OAuth scopes |
| Infrastructure | UK-hosted Digital Ocean droplet; Nginx reverse proxy |
Signatures
SIGNED by the Controller:
Name: ________________________________
Title: ________________________________
Date: ________________________________
Signature: ____________________________
SIGNED by the Processor:
Name: ________________________________
Title: ________________________________
Date: ________________________________
Signature: ____________________________
For and on behalf of Configly