Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Doodledapp (“we”, “us”) and you (“you”, “your”) for the use of the Doodledapp platform (“the Service”), together with the Terms & Conditions and Privacy Policy.

If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to this DPA.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Law
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion
  • “Sub-processor” means a third party engaged by Doodledapp to process Personal Data in connection with the Service
  • “Data Protection Law” means all applicable data protection and privacy legislation, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA)
  • “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data

2. Scope and roles

2.1 How data flows through the Service

Doodledapp is a development tool. You use it to build, compile, test, and deploy smart contracts through a visual editor. We are the data controller for all Personal Data collected through the Service: your account information, your team members’ information, and the contract data you create within the platform.

We do not interact with smart contracts after deployment. We do not process, receive, or store any data from your deployed contracts or their end users. Once a contract leaves our editor and is deployed to a blockchain, we have no further relationship with it or any data it handles on-chain.

2.2 What this DPA covers

This DPA describes how we protect the Personal Data we collect and process to provide the Service to you and your team. It covers:

| Category | Data elements | Processing purpose |
| --- | --- | --- |
| Account data | Email addresses, display names | Authentication, account management |
| Team data | Team member emails, roles, permissions | Team management, access control |
| Contract data | Smart contract source created within the editor | Contract storage, compilation, testing |
| Project metadata | Project names, team assignments | Organizing your work |
| Invitation data | Invitee email addresses, permissions | Team invitations |
| AI interaction data | Prompts, contract context | AI-powered contract modification |
| Payment data | Plan tier, billing status, billing address, tax ID | Subscription management |

2.3 What this DPA does not cover

This DPA does not cover any data processed by smart contracts you deploy to blockchain networks. Doodledapp has no access to, control over, or responsibility for on-chain data, transaction data, or any personal data that your deployed contracts may process. If your deployed contracts handle personal data, you are solely responsible for compliance with applicable Data Protection Law for that processing.

3. Our data protection commitments

3.1 Purpose limitation

We shall:

  • Process Personal Data only to provide and operate the Service
  • Not process Personal Data for any unrelated purpose, including advertising, profiling, or resale
  • Not sell, rent, or share Personal Data with third parties for their own purposes

3.2 Confidentiality

We shall:

  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who require it to operate the Service

3.3 Security measures

We implement and maintain appropriate technical and organizational security measures, including:

  • Encryption in transit: all data transmitted between your browser, our servers, and our sub-processors is encrypted via TLS
  • Authentication: we do not store user passwords. Authentication is delegated to third-party providers or single-use tokens
  • Access control: role-based permissions enforced server-side
  • Infrastructure: firewalled servers with restricted database access

3.4 Sub-processor management

We shall:

  • Engage sub-processors only as necessary to provide the Service
  • Ensure each sub-processor is bound by data protection obligations consistent with this DPA
  • Remain responsible for the acts and omissions of our sub-processors
  • Maintain the sub-processor list in Section 7 of this DPA
  • Notify you at least 30 days before adding or replacing a sub-processor by updating this page. If you have a reasonable objection, you may notify us in writing and we will work to find a resolution. If no resolution is possible, you may terminate the affected Service

3.5 Your data rights

We shall:

  • Respond to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timelines required by Data Protection Law
  • Provide mechanisms for account deletion and data export
  • Process requests submitted to [email protected]

See the Privacy Policy for full details on your rights and how to exercise them.

3.6 Security incident response

In the event of a Security Incident, we shall:

  • Notify affected users without undue delay and within 72 hours of becoming aware of the incident
  • Provide: the nature of the incident, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to remediate
  • Take reasonable steps to contain and remediate the incident
  • Document the incident and our response

3.7 Data protection impact assessments

We shall provide reasonable assistance where Data Protection Law requires a data protection impact assessment or consultation with a supervisory authority in connection with your use of the Service.

4. Your responsibilities

You shall:

  • Provide accurate account and team information
  • Manage your team’s access and permissions appropriately
  • Notify us promptly if you become aware of any security issue related to your account
  • If you use team features on behalf of an organization, ensure your team members are informed about the data processing described in this DPA and the Privacy Policy
  • Understand that Doodledapp is a development tool and does not audit, secure, or monitor deployed contracts. You are responsible for all data protection obligations related to your deployed smart contracts

5. International data transfers

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms
  • Our sub-processors operate primarily in the United States (see Section 7)
  • Details of specific transfer mechanisms are available upon request at [email protected]

6. Data retention and deletion

| Data | Retention | Deletion |
| --- | --- | --- |
| Account and team data | Duration of account | Deleted immediately upon account deletion |
| Contract and project data | Duration of account | Deleted immediately upon account deletion |
| AI interaction logs | Not stored persistently | Cleared automatically |
| Invitation records | 7 days (token validity) | Purged periodically after expiry |
| Server logs | 30 days | Automatically purged |
| Payment records | As required by tax/accounting law | Per legal requirements |

Upon written request, we will provide confirmation of deletion.

7. Sub-processors

The following sub-processors are used to provide the Service:

| Sub-processor | Processing activity | Data processed | Location |
| --- | --- | --- | --- |
| Google | Authentication | Display name, email | United States |
| GitHub | Authentication | Display name, email | United States |
| Stripe | Payment processing | Billing information | United States |
| Third-party AI providers | Contract modification | Contract context, prompts | United States |
| Third-party email providers | Transactional email delivery | Email addresses | United States |

8. Audit rights

  • You may request information about our compliance with this DPA by contacting [email protected]
  • For enterprise customers, audits may be conducted subject to at least 30 days’ written notice, during business hours, no more than once per twelve-month period (unless required by a supervisory authority or following a Security Incident)
  • We will provide reasonable cooperation and access to relevant documentation
  • Where possible, audit requirements may be satisfied through provision of audit reports, certifications, or written responses to questionnaires
  • Audit scope shall be limited to protect other customers’ data and our confidential information

9. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms & Conditions. Nothing in this DPA limits either party’s liability for breaches of Data Protection Law that cannot be limited under applicable law.

10. Relationship with other agreements

This DPA supplements the Terms & Conditions and Privacy Policy. In the event of a conflict between this DPA and the Terms & Conditions regarding data protection matters, this DPA prevails.

11. Term and termination

This DPA takes effect when you begin using the Service and remains in effect for the duration of our processing of your Personal Data. Obligations that by their nature should survive termination (including confidentiality, data deletion, audit rights, and liability) will continue after termination.

12. Governing law

This DPA is governed by the same law that governs the Terms & Conditions, except where Data Protection Law requires otherwise.

13. Contact

For questions about this DPA or to exercise any rights described herein:

Email: [email protected]