Data Processing Agreement
Structural DPA scaffold covering Beamdesk processor obligations, customer controller role, security measures, transfers, and GDPR Article 28 items.
Data residency
Beamdesk customers choose a workspace data region at signup.
Introduction
This DPA scaffold describes how Beamdesk expects to process personal data on behalf of business customers and how the final document will support GDPR procurement review.
Definitions
Controller, processor, personal data, processing, subprocessor, data subject, and supervisory authority have the meanings given by GDPR and applicable privacy law.
Data processing roles
For customer workspace data, Beamdesk acts as processor and the customer acts as controller. Beamdesk follows documented customer instructions unless law requires otherwise.
Subject matter + duration
Processing covers operation of the Beamdesk helpdesk platform for the term of the customer subscription and any post-termination export, deletion, or retention period.
Nature + purpose of processing
Processing includes storage, retrieval, routing, analysis, AI assistance, email delivery, billing support, security monitoring, audit logging, and customer-requested integrations.
Categories of personal data
Data may include identifiers, contact details, ticket messages, attachments, metadata, account activity, billing metadata, knowledge content, integration payloads, and support diagnostics.
Categories of data subjects
Data subjects may include customer employees, agents, administrators, end users, prospects, vendors, and other people who contact or are referenced in support conversations.
Security measures
Security measures include encryption in transit and at rest, role-based access controls, tenant isolation, authentication safeguards, least-privilege operations, and audit logging shipped in issue #196.
Subprocessors
Current subprocessors are listed on the Subprocessors page, including purpose, region, data categories, retention, certifications, and provider DPA links.
International transfers
Where personal data is transferred outside the EEA or UK, the final DPA will rely on appropriate safeguards such as Standard Contractual Clauses and supplementary controls.
Data subject rights
Beamdesk assists customers with access, deletion, correction, portability, restriction, and objection requests by providing export, deletion, and support workflows where available.
Breach notification
Beamdesk will notify affected customers without undue delay and targets a 72-hour notification window after confirming a personal data breach affecting customer data.
Audit rights
Audit rights are expected to be satisfied through security summaries, subprocessor documentation, relevant logs, and reasonable written questionnaires under confidentiality obligations.
Termination + return of data
At termination, customers may request export or deletion of workspace data, subject to legal retention, backups, fraud prevention, billing records, and security logs.
GDPR Article 28 compliance
The final DPA will map processor commitments to Article 28 requirements, including instructions, confidentiality, security, subprocessors, assistance, deletion/return, and audit support.
Annex 1: categories
Annex 1 will enumerate processing subject matter, duration, purpose, personal data categories, data subject categories, and competent supervisory authority assumptions.
Annex 2: security measures
Annex 2 will list technical and organizational measures, including encryption, access controls, audit logging, incident response, availability, backups, and vendor governance.