Effective date: June 20, 2024 · Version: 1.0
1. Definitions
Capitalized terms used but not defined here have the meanings given in the GDPR, the UK GDPR, or the CCPA, as applicable. For purposes of this DPA:
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and any other applicable privacy law.
- “Personal Data” means information relating to an identified or identifiable natural person processed by Denada on behalf of the Customer in the course of providing the Services.
- “Sub-processor” means a third party engaged by Denada to Process Personal Data in connection with the Services.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, version B1.0.
2. Roles of the parties
The Customer is the Controller of Personal Data. Denada is the Processor and will Process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by law. Where Denada is required by law to Process Personal Data otherwise, it will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
3. Scope of processing
Annex 1 of this DPA describes the subject matter, duration, nature and purpose of the Processing, the types of Personal Data, the categories of data subjects, and any retention period.
4. Denada’s obligations as processor
Denada will:
- Process Personal Data only on the documented instructions of the Customer, including for transfers, except where required by applicable law.
- Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex 2 and as further described in our SOC 2 Type 2 report, available under NDA.
- Provide reasonable assistance to the Customer in responding to data-subject requests under the Data Protection Laws.
- Provide reasonable assistance to the Customer in meeting its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation) taking into account the nature of the Processing and the information available to Denada.
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to the conditions in Section 9.
- Notify the Customer of a Personal Data Breach without undue delay and in any event within 72 hours of confirmed discovery, including the information described in Article 33(3) of the GDPR to the extent then known, and provide reasonable assistance with the Customer’s own breach-notification obligations.
- At the Customer’s choice, delete or return all Personal Data to the Customer at the end of the Services, and delete existing copies unless applicable law requires storage of the Personal Data.
5. Sub-processors
The Customer provides general authorization for Denada to engage sub-processors, subject to the following:
- The current list of sub-processors is published at Sub-processors.
- Denada will notify the Customer of any intended changes — additions or replacements — at least 30 days in advance via the sub-processors page and by email to account administrators. The Customer may object to the change on reasonable data-protection grounds during the notice period; the parties will work together in good faith to resolve the objection, and if no resolution is reached, the Customer may terminate the affected portion of the Services without penalty for the remaining notice period.
- Denada will impose on each sub-processor data-protection obligations that are no less protective than those in this DPA.
- Denada remains liable to the Customer for the performance of each sub-processor’s obligations.
6. International data transfers
Where Denada transfers Personal Data of data subjects located in the European Economic Area, the United Kingdom, or Switzerland to a country outside those jurisdictions that has not received an adequacy decision, the transfer is governed as follows:
- EEA transfers: The Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA by reference and apply to such transfers, with the Customer as the data exporter and Denada as the data importer. The election and population details are set out in Annex 3.
- UK transfers: The UK Addendum is incorporated into this DPA by reference and modifies the SCCs as required for transfers of UK personal data, with the elections set out in Annex 3.
- Swiss transfers: The SCCs apply with the adaptations published by the Swiss Federal Data Protection and Information Commissioner.
7. Government access requests
If Denada receives a legally binding request from a public authority for disclosure of Personal Data, Denada will:
- Notify the Customer of the request before disclosure, unless prohibited by law.
- Challenge the request where there are reasonable grounds to do so under applicable law.
- Disclose only the minimum amount of Personal Data necessary to comply.
- Maintain records of such requests and make them available to the Customer to the extent permitted by law.
8. CCPA terms
Where the CCPA applies, Denada acts as a Service Provider (and not a Third Party) with respect to Personal Information Processed on behalf of the Customer. Denada will not:
- Sell or share the Personal Information.
- Retain, use, or disclose the Personal Information for any purpose other than the specific purpose of performing the Services or as otherwise permitted under the CCPA.
- Retain, use, or disclose the Personal Information outside of the direct business relationship between Denada and the Customer.
- Combine the Personal Information with information received from another source, except as permitted by the CCPA.
9. Audits
The Customer may request, no more than once per twelve-month period (except where required by a competent supervisory authority or following a Personal Data Breach), an audit of Denada’s compliance with this DPA. The audit will be conducted as follows:
- Denada will provide the Customer’s auditor with a copy of its most recent SOC 2 Type 2 report and reasonable additional documentation, which the parties agree will satisfy audit obligations where the report covers the relevant controls and time period.
- If the SOC 2 report does not satisfy the audit requirement, the parties will agree on the scope, methodology, timing, and confidentiality of any further audit. On-site audits require 30 days’ written notice and must not unreasonably interfere with Denada’s operations.
- The auditor must execute a confidentiality agreement reasonably acceptable to Denada and must not be a competitor of Denada.
- The Customer will bear the cost of the audit unless the audit reveals a material breach of this DPA, in which case Denada will bear reasonable costs.
10. Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Master Subscription Agreement or Terms of Service between the parties.
11. Term and termination
This DPA is effective on acceptance and remains in effect for the duration of the Services. The obligations herein continue to the extent Denada continues to Process Personal Data after termination.
12. Order of precedence
In the event of any conflict between this DPA and the Master Subscription Agreement or Terms of Service, this DPA prevails with respect to Processing of Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
13. Governing law
This DPA is governed by the law of the State of Oregon, United States, except that the SCCs and the UK Addendum are governed by the laws specified within those instruments.
Annex 1 — Description of Processing
Subject matter. Provision of the Denada platform, including AI-assisted generation of marketing creative.
Duration. The duration of the Services as specified in the Master Subscription Agreement, plus any retention period required by law.
Nature and purpose of Processing. Hosting, storage, transmission, retrieval, organization, and adaptation of Personal Data to enable the Customer to use the Services, including AI-assisted generation, collaboration, and export.
Categories of data subjects.
- The Customer’s authorized users (employees, contractors, consultants)
- End-recipients identified within Customer Content (e.g., names in email templates), to the extent the Customer chooses to include such data
- Identifiers (name, email address, account ID)
- Profile information (job title, profile picture, locale)
- Authentication information (hashed credentials, SSO identifiers)
- Usage and device data (IP address, browser, interaction telemetry)
- Customer Content submitted by users, which may incidentally contain Personal Data
- Billing contact information
Annex 2 — Technical and Organizational Measures
Denada implements the following technical and organizational security measures, which are audited under SOC 2 Type 2 by Prescient Assurance.
Access control.
- Role-based access control on all production systems
- Multi-factor authentication required for all personnel accessing production
- Least-privilege provisioning; access reviews conducted at least annually
- 24-hour deprovisioning of access on personnel termination
- Unused accounts removed within 30 days
- TLS for all data in transit between users and the Services
- Encryption at rest for all Customer Personal Data in production databases and object storage
- Encryption key management by the underlying cloud provider (Google Cloud Platform)
- Production infrastructure operated on Google Cloud Platform and Cloudflare
- Logical network segmentation between production, staging, and development
- Web Application Firewall and DDoS protection via Cloudflare
- Monthly vulnerability scans on production systems
- Annual third-party penetration testing
- Mandatory peer code review for all changes to production
- Automated dependency vulnerability scanning
- Static analysis on push
- Segregation of development and production environments
- Audit logging of authentication, authorization, and administrative actions
- Continuous monitoring of production systems with alerting on anomalous behavior
- Log retention as specified in the Privacy Policy
- Background checks on hire (where legally permitted)
- Security and privacy training on hire and annually
- Confidentiality and acceptable-use obligations contractually imposed on all personnel
- Documented incident response, change management, vendor management, business continuity, and disaster recovery policies
- Annual review of all policies
- Daily encrypted backups of production data with tested restore procedures
- Recovery time and recovery point objectives documented per system tier
- Encryption at rest and in transit, as above
- Strict access controls preventing unauthorized access by Denada personnel
- Procedure for handling government access requests as set out in Section 7 of this DPA
- Pseudonymization where feasible without impairing the Services
Annex 3 — Standard Contractual Clauses and UK Addendum Elections
The Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference. The parties agree on the following elections.
Module in use: Module Two (Controller to Processor).
Clause 7 — Docking clause: Applies. Other parties may accede on the conditions set out in the SCCs.
Clause 9(a) — Sub-processor authorization: Option 2 (general written authorization). Notification period: 30 days before the change takes effect. See Section 5 of this DPA.
Clause 11(a) — Independent dispute resolution body: The optional language allowing data subjects to lodge complaints with an independent dispute resolution body is not included.
Clause 13(a) — Competent supervisory authority: The supervisory authority of the Member State in which the data exporter is established, or, where the data exporter is not established in the EEA but its representative is, the supervisory authority of that Member State. Where neither applies, the competent supervisory authority will be the Irish Data Protection Commission.
Clause 17 — Governing law: The law of the Republic of Ireland.
Clause 18(b) — Choice of forum: The courts of the Republic of Ireland.
Annex I.A — List of parties:
- Data exporter: The Customer identified in the Master Subscription Agreement.
- Data importer: Denada Inc., 111 SW 5th Ave, 5th Floor, Portland, OR 97204, United States. Contact: privacy@heydenada.com.
- Table 1: as set out in Annex I.A above
- Table 2: the EU SCCs incorporated as above, version “Module Two, dated June 20, 2024”
- Table 3: Annexes 1, 2, and 3 above
- Table 4: Either party may end this Addendum as set out in Section 19