This Data Processing Agreement (“DPA”) forms part of the agreement between Doodledapp (“we”, “us”) and you (“you”, “your”) for the use of the Doodledapp platform (“the Service”), together with the Terms & Conditions and Privacy Policy.
If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to this DPA.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Law
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion
- “Sub-processor” means a third party engaged by Doodledapp to process Personal Data in connection with the Service
- “Data Protection Law” means all applicable data protection and privacy legislation, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA)
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
2. Scope and roles
2.1 How data flows through the Service
Doodledapp is a development tool. You use it to build, compile, test, and deploy smart contracts through a visual editor. We are the data controller for all Personal Data collected through the Service: your account information, your team members’ information, and the contract data you create within the platform.
We do not interact with smart contracts after deployment. We do not process, receive, or store any data from your deployed contracts or their end users. Once a contract leaves our editor and is deployed to a blockchain, we have no further relationship with it or any data it handles on-chain.
2.2 What this DPA covers
This DPA describes how we protect the Personal Data we collect and process to provide the Service to you and your team. It covers:
| Category | Data elements | Processing purpose |
|---|---|---|
| Account data | Email addresses, display names | Authentication, account management |
| Team data | Team member emails, roles, permissions | Team management, access control |
| Contract data | Smart contract source created within the editor | Contract storage, compilation, testing |
| Project metadata | Project names, team assignments | Organizing your work |
| Invitation data | Invitee email addresses, permissions | Team invitations |
| AI interaction data | Prompts, contract context | AI-powered contract modification |
| Payment data | Plan tier, billing status, billing address, tax ID | Subscription management |
2.3 What this DPA does not cover
This DPA does not cover any data processed by smart contracts you deploy to blockchain networks. Doodledapp has no access to, control over, or responsibility for on-chain data, transaction data, or any personal data that your deployed contracts may process. If your deployed contracts handle personal data, you are solely responsible for compliance with applicable Data Protection Law for that processing.
3. Our data protection commitments
3.1 Purpose limitation
We shall:
- Process Personal Data only to provide and operate the Service
- Not process Personal Data for any unrelated purpose, including advertising, profiling, or resale
- Not sell, rent, or share Personal Data with third parties for their own purposes
3.2 Confidentiality
We shall:
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who require it to operate the Service
3.3 Security measures
We implement and maintain appropriate technical and organizational security measures, including:
- Encryption in transit: all data transmitted between your browser, our servers, and our sub-processors is encrypted via TLS
- Authentication: we do not store user passwords. Authentication is delegated to third-party providers or single-use tokens
- Access control: role-based permissions enforced server-side
- Infrastructure: firewalled servers with restricted database access
3.4 Sub-processor management
We shall:
- Engage sub-processors only as necessary to provide the Service
- Ensure each sub-processor is bound by data protection obligations consistent with this DPA
- Remain responsible for the acts and omissions of our sub-processors
- Maintain the sub-processor list in Section 7 of this DPA
- Notify you at least 30 days before adding or replacing a sub-processor by updating this page. If you have a reasonable objection, you may notify us in writing and we will work to find a resolution. If no resolution is possible, you may terminate the affected Service
3.5 Your data rights
We shall:
- Respond to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timelines required by Data Protection Law
- Provide mechanisms for account deletion and data export
- Process requests submitted to [email protected]
See the Privacy Policy for full details on your rights and how to exercise them.
3.6 Security incident response
In the event of a Security Incident, we shall:
- Notify affected users without undue delay and within 72 hours of becoming aware of the incident
- Provide: the nature of the incident, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to remediate
- Take reasonable steps to contain and remediate the incident
- Document the incident and our response
3.7 Data protection impact assessments
We shall provide reasonable assistance where Data Protection Law requires a data protection impact assessment or consultation with a supervisory authority in connection with your use of the Service.
4. Your responsibilities
You shall:
- Provide accurate account and team information
- Manage your team’s access and permissions appropriately
- Notify us promptly if you become aware of any security issue related to your account
- If you use team features on behalf of an organization, ensure your team members are informed about the data processing described in this DPA and the Privacy Policy
- Understand that Doodledapp is a development tool and does not audit, secure, or monitor deployed contracts. You are responsible for all data protection obligations related to your deployed smart contracts
5. International data transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms
- Our sub-processors operate primarily in the United States (see Section 7)
- Details of specific transfer mechanisms are available upon request at [email protected]
6. Data retention and deletion
| Data | Retention | Deletion |
|---|---|---|
| Account and team data | Duration of account | Deleted immediately upon account deletion |
| Contract and project data | Duration of account | Deleted immediately upon account deletion |
| AI interaction logs | Not stored persistently | Cleared automatically |
| Invitation records | 7 days (token validity) | Purged periodically after expiry |
| Server logs | 30 days | Automatically purged |
| Payment records | As required by tax/accounting law | Per legal requirements |
Upon written request, we will provide confirmation of deletion.
7. Sub-processors
The following sub-processors are used to provide the Service:
| Sub-processor | Processing activity | Data processed | Location |
|---|---|---|---|
| | Authentication | Display name, email | United States |
| GitHub | Authentication | Display name, email | United States |
| Stripe | Payment processing | Billing information | United States |
| Third-party AI providers | Contract modification | Contract context, prompts | United States |
| Third-party email providers | Transactional email delivery | Email addresses | United States |
8. Audit rights
- You may request information about our compliance with this DPA by contacting [email protected]
- For enterprise customers, audits may be conducted subject to at least 30 days' written notice, during business hours, no more than once per twelve-month period (unless required by a supervisory authority or following a Security Incident)
- We will provide reasonable cooperation and access to relevant documentation
- Where possible, audit requirements may be satisfied through provision of audit reports, certifications, or written responses to questionnaires
- Audit scope shall be limited to protect other customers’ data and our confidential information
9. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms & Conditions. Nothing in this DPA limits either party’s liability for breaches of Data Protection Law that cannot be limited under applicable law.
10. Relationship with other agreements
This DPA supplements the Terms & Conditions and Privacy Policy. In the event of a conflict between this DPA and the Terms & Conditions regarding data protection matters, this DPA prevails.
11. Term and termination
This DPA takes effect when you begin using the Service and remains in effect for the duration of our processing of your Personal Data. Obligations that by their nature should survive termination (including confidentiality, data deletion, audit rights, and liability) will continue after termination.
12. Governing law
This DPA is governed by the same law that governs the Terms & Conditions, except where Data Protection Law requires otherwise.
13. Contact
For questions about this DPA or to exercise any rights described herein:
Email: [email protected]