Data Processing Agreement
Parties, roles, technical & organizational measures, and how breach notification and data-subject requests work.
Last updated 10 July 2026
Overview
This page summarizes the terms of our Data Processing Agreement (DPA) in plain language. It's written to be readable during a procurement review, not to replace the signed document — see Signed DPA at the bottom if you need an executed copy for your records.
Parties & roles
Controller — your organization, for the personal data it puts into the Hub and directs us to process. Processor— MakerToo, Copenhagen, Denmark, processing that data solely on your organization's instructions, as documented in your service agreement and this DPA.
Subject matter & duration
Processing consists of hosting, storing, and operating the Hub platform on your organization's behalf. It continues for as long as your service agreement is active, and ends when your account is closed and any post-termination data-return or deletion period has passed.
Nature & purpose of processing
We process data to provide the Hub's functionality — CRM, outreach, bookings, analytics, and related modules — exactly as configured and used by your organization. We don't process your data for our own independent purposes.
Categories of data & data subjects
Whatever your organization stores in the Hub: contact and CRM records, communications content, uploaded documents, and account data for your own users. Data subjects are typically your team members, customers, leads, and other contacts you manage in the platform.
Technical & organizational measures
Summarized here; full detail lives on Security.
- Application- and database-level tenant isolation, verified by an automated live probe.
- Two-factor authentication and passkeys available, enforceable org-wide by the customer.
- Durable rate limiting on authentication and other public-facing endpoints.
- Nightly backups across daily/weekly/monthly retention tiers, with quarterly timed restore drills.
- Self-hosted error monitoring — no request data forwarded to third-party error-tracking SaaS.
- No paid third-party data-enrichment vendors.
Subprocessors
The current list, with purpose and location, is maintained on our Security page: Subprocessors. We'll notify customers of material changes to that list.
Breach notification
We'll notify affected customers without undue delay, and in any case within 72 hours of becoming aware of a personal data breach, as required under GDPR Article 33.
Data subject request support
When your organization needs to respond to a data subject access, rectification, or erasure request, we'll help you locate and act on the relevant data within the request's statutory window. Email [email protected] to start one.
Signed DPA
Need a counterparty-executed version of this DPA for your own records? Email [email protected]and we'll send one over.
Contact
Questions about this DPA? Email [email protected].