Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, the controller) and AnkleBreaker Consulting (the processor), and applies where AnkleBreaker processes personal data contained in your workspace content (“Customer Personal Data”) on your behalf under the GDPR.

For account and billing data, AnkleBreaker remains an independent controller, governed by the Privacy Policy. In case of conflict on the subject matter of this DPA, this DPA prevails over the Terms.

AnkleBreaker shall:

• process Customer Personal Data only on the Customer’s documented instructions, including those given through the Service, unless required otherwise by law (in which case we will inform you unless legally prohibited);
• ensure that personnel authorised to process the data are bound by confidentiality;
• implement appropriate technical and organisational security measures (see our Security page);
• assist the Customer, taking into account the nature of the processing, in responding to data-subject requests and in meeting its obligations regarding security, breach notification and data protection impact assessments (Articles 32–36);
• notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data;
• make available the information necessary to demonstrate compliance with Article 28.

The Customer grants AnkleBreaker general authorisation to engage the sub-processors listed in our Privacy Policy (currently Amazon Web Services, including Amazon Bedrock and Amazon SES, and Stripe). AnkleBreaker imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for their performance. We will give reasonable notice of any intended addition or replacement of a sub-processor, and you may object on reasonable data-protection grounds.

Where Customer Personal Data is transferred outside the European Economic Area, the transfer is made under an appropriate safeguard recognised by the GDPR, in particular the European Commission’s Standard Contractual Clauses, together with supplementary technical measures including encryption in transit and at rest.

Taking into account the nature of the processing, AnkleBreaker will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights. The Service provides self-service tools (export, deletion, member management) that allow the Customer to fulfil most such requests directly.

On reasonable prior written request, and no more than once per year unless required by a supervisory authority, AnkleBreaker will make available information reasonably necessary to demonstrate compliance with this DPA, which may include up-to-date third-party certifications and audit reports of our infrastructure providers.

On termination of the Service, and at the Customer’s choice, AnkleBreaker will delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. The Customer can export content at any time while the account is active. Residual copies in routine backups are deleted on the normal backup cycle (typically up to 30 days).

Requests under this DPA, including a counter-signed copy, can be sent to francois@anklebreaker-studio.com.