Data Processing Agreement

Effective Date: December 13, 2018

Last Updated: February 20, 2026

Website: https://feedbakery.io

This Data Processing Agreement forms part of the Terms and Conditions between Feedbakery and its customers.


1. Introduction

This Data Processing Agreement (“DPA”) is entered into between:

  • Customer (“Controller”) — the Tenant who has registered for an account on Feedbakery and uses the Service to collect and manage feedback from their end users; and
  • Feedbakery (formerly known as TheBeyond.io) (“Processor”) — operated from Chisinau, Republic of Moldova.

This DPA supplements the Feedbakery Terms and Conditions and Privacy Policy and reflects the parties’ agreement regarding the processing of personal data by the Processor on behalf of the Controller, in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

By using the Service, the Controller agrees to be bound by this DPA. Where there is any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to data protection matters.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”) as defined in Article 4(1) GDPR.
  • Processing: Any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction, as defined in Article 4(2) GDPR.
  • Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA, primarily End Users of the Controller’s feedback boards.
  • Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • Supervisory Authority: An independent public authority responsible for monitoring the application of data protection laws, as defined in Article 4(21) GDPR.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor provides a customer feedback management platform that enables the Controller to collect, organize, and manage feedback from their End Users through feedback boards, voting, and commenting.

3.2 Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, as described in the Terms and Conditions. This includes operating feedback boards and projects, facilitating End User authentication (magic links, embedded widget authentication), storing and displaying feedback posts, votes, and comments, sending transactional emails on behalf of the Controller, and providing the Controller with access to feedback data and analytics.

3.3 Duration of Processing

Processing shall continue for the duration of the Controller’s use of the Service. Upon termination of the Controller’s account, the Processor shall handle Personal Data in accordance with Section 11 of this DPA.

4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

  • End Users of the Controller’s feedback boards
  • Any other individuals whose data the Controller submits to the Service

4.2 Categories of Personal Data

The following categories of Personal Data may be processed:

  • Identification data: Email addresses, display names
  • Authentication data: Magic link tokens (temporary), session tokens
  • Content data: Feedback posts, comments, votes
  • Technical data: IP addresses, browser user agent, device information
  • Usage data: Timestamps of access, pages visited, features used

4.3 Sensitive Data

The Processor does not intentionally collect or process special categories of Personal Data (as defined in Article 9 GDPR). The Controller shall not submit special category data to the Service unless the Controller has obtained explicit consent from the Data Subjects and has a lawful basis for processing such data.

5. Obligations of the Processor

The Processor shall:

5.1 Lawful Processing

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

5.2 Confidentiality

Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures include, but are not limited to:

  • Encryption of Personal Data in transit using TLS/SSL
  • Secure hashing of passwords and authentication tokens (bcrypt)
  • Access controls and role-based authentication for administrative functions
  • Rate limiting across all endpoints to prevent abuse
  • Soft deletion mechanisms to prevent accidental data loss
  • Regular security reviews and testing
  • Server infrastructure located in the European Union (Amsterdam, Netherlands)
  • Logging and monitoring of access to Personal Data

5.4 Sub-processors

Comply with the conditions for engaging Sub-processors as set out in Section 7 of this DPA.

5.5 Data Subject Rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.

5.6 Assistance with Compliance

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.

5.7 Deletion and Return of Data

Upon termination of the Service, delete or return all Personal Data to the Controller as set out in Section 11, and delete existing copies unless applicable law requires storage of the Personal Data.

5.8 Audit and Inspection

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the conditions in Section 10.

6. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of Personal Data through the Service has a lawful basis under applicable data protection law.
  • Provide appropriate privacy notices to Data Subjects (End Users) informing them about the processing of their Personal Data through the Service.
  • Ensure that any instructions given to the Processor regarding the processing of Personal Data comply with applicable law.
  • Respond to Data Subject requests regarding their Personal Data.
  • Conduct data protection impact assessments where required by applicable law.
  • Not submit special categories of Personal Data to the Service unless appropriate safeguards and legal bases are in place.

7. Sub-processors

7.1 General Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors for the purpose of providing the Service. The current list of Sub-processors is provided in Annex B to this DPA.

7.2 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least 14 days’ notice before engaging a new Sub-processor by updating the list at https://feedbakery.io/dpa and notifying the Controller via email.

7.3 Right to Object

If the Controller has a reasonable objection to the engagement of a new Sub-processor, the Controller shall notify the Processor in writing within 14 days of receiving notice. The parties shall discuss the objection in good faith. If the parties cannot reach a resolution, the Controller may terminate the affected Service by providing written notice.

7.4 Sub-processor Agreements

The Processor shall impose on each Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

8. International Data Transfers

8.1 Processor Infrastructure

The Processor’s primary infrastructure is located in the European Union (Amsterdam, Netherlands). Personal Data is stored and processed within the EU.

8.2 Sub-processor Transfers

Some Sub-processors may process Personal Data outside the European Economic Area. Where such transfers occur, the Processor ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR)
  • Adequacy decisions by the European Commission (Article 45 GDPR)
  • Other appropriate safeguards as permitted under Chapter V of the GDPR

Details of Sub-processor locations and transfer mechanisms are provided in Annex B.

9. Data Breach Notification

9.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller’s Personal Data.

9.2 Content of Notification

The notification shall include:

  • A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of the Processor’s contact point where more information can be obtained
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

9.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall also assist the Controller in fulfilling the Controller’s obligation to notify the Supervisory Authority (Article 33 GDPR) and, where required, the affected Data Subjects (Article 34 GDPR).

10. Audit Rights

10.1 Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and Article 28 GDPR.

10.2 Audit Conditions

The Controller may conduct audits (or engage a qualified third-party auditor) subject to the following conditions:

  • The Controller shall provide at least 30 days’ written notice of an audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations.
  • The Controller (or its auditor) shall be bound by confidentiality obligations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
  • Audits shall be limited to once per calendar year, unless a Data Breach or regulatory investigation necessitates an additional audit.

10.3 Third-Party Certifications

The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or other evidence of compliance, where available.

11. Data Deletion and Return

11.1 During the Term

The Controller may delete projects, posts, and End User data through the Service at any time. Deleted data is soft-deleted immediately and permanently removed within 30 days.

11.2 Upon Termination

Upon termination of the Controller’s account, the Processor shall:

  • Retain the Controller’s data in a deactivated state for 30 days to allow for data export or account reactivation.
  • After the 30-day retention period, permanently delete all Personal Data associated with the Controller’s account.
  • Upon request made during the 30-day retention period, provide the Controller with an export of their data in a structured, commonly used, machine-readable format (JSON or CSV).

11.3 Exceptions

The Processor may retain Personal Data beyond the periods stated above only where required by applicable law (e.g., transaction records retained for tax and accounting purposes for up to 7 years). Such retained data shall be limited to what is legally required, isolated from active systems, and protected by appropriate security measures.

12. Liability

The parties’ liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions, except that neither party excludes or limits its liability for obligations that cannot be limited under applicable data protection law.

13. Term and Termination

This DPA shall come into effect on the date the Controller begins using the Service and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Termination of the Service agreement (whether by the Controller or the Processor) shall automatically trigger the data deletion provisions in Section 11.

The obligations of the Processor regarding confidentiality, data deletion, and cooperation with regard to Data Breaches shall survive termination of this DPA.

14. Amendments

The Processor may update this DPA from time to time to reflect changes in law, regulatory guidance, or the Processor’s data processing practices. Material changes will be communicated to the Controller via email at least 30 days before taking effect. Continued use of the Service after the effective date of the updated DPA constitutes acceptance of the changes.

15. Contact

For any questions regarding this DPA or to exercise rights under this agreement:


Annex A — Details of Processing

  • Subject matter: Provision of a customer feedback management platform
  • Duration: For the duration of the Controller’s use of the Service
  • Nature and purpose: Collection, storage, organization, retrieval, and display of End User feedback data to enable the Controller to manage product feedback
  • Categories of Data Subjects: End Users of the Controller’s products who interact with feedback boards
  • Categories of Personal Data: Email addresses, display names, feedback content (posts, votes, comments), IP addresses, browser user agent, session data, timestamps
  • Special categories of data: None (not intentionally collected)

Annex B — List of Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Controller:

  • Paddle (Paddle.com Market Limited)
    Purpose: Payment processing and subscription management (Merchant of Record)
    Data processed: Transaction identifiers, subscription status, billing country
    Location: United Kingdom / EU
    Transfer mechanism: UK adequacy decision

  • Mailgun (Sinch Email)
    Purpose: Transactional email delivery (magic links, notifications)
    Data processed: Email addresses, email content
    Location: EU / US
    Transfer mechanism: Standard Contractual Clauses

  • Bugsnag (SmartBear)
    Purpose: Error tracking and application monitoring
    Data processed: IP addresses, browser user agent, error context (may include anonymized usage data)
    Location: US
    Transfer mechanism: Standard Contractual Clauses

  • Hosting provider
    Purpose: Server infrastructure and data storage
    Data processed: All data stored by the Service
    Location: EU (Amsterdam, Netherlands)
    Transfer mechanism: N/A (within EU)

This list was last updated on February 20, 2026 (originally published December 13, 2018). Changes to this list will be communicated in accordance with Section 7.2 of this DPA.