Data Processing Agreement

Last Update: 03 Dec, 2025

Data Processing Agreement (DPA)

Download Signed PDF Version.

This Data Processing Agreement (“DPA”) forms part of the contractual relationship between Desku.io (“Desku”) and the entity using the Desku Service (“Customer”) under the applicable Terms of Service or Master Subscription Agreement (the “Agreement”).

The Customer is the Controller of the Customer Data and Desku acts as a Processor when Processing the Customer Data on the Customer’s behalf to provide the Service.

This DPA sets out the parties’ obligations and rights regarding the Processing of Personal Data under the GDPR, CCPA/CPRA (where applicable), and other applicable data protection laws.

Mechanism of Acceptance

1. Click-through Acceptance:

This DPA becomes legally binding when the Customer accepts the Agreement (including by click-through) and accesses or uses the Desku Service on or after the Effective Date.

2. Written / Enterprise Acceptance:

Upon request, Desku may provide this DPA in a countersigned written form. If the parties sign a written version, that signed version will apply between the parties as of the Effective Date (unless the signed version states otherwise).

Definitions

For the purposes of this DPA, the following terms have the meanings set out below.

“Affiliate”

Any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means ownership of more than 50% of the voting interests or the ability to direct management.

“Agreement”

Refers to the Desku Terms of Service or other written Agreement governing the Customer’s use of the Service.

“Backup Data”

Encrypted, immutable system backups maintained for business continuity and disaster recovery, subject to lifecycle-based deletion.

“Controller”

Refers to the meaning given in applicable data protection law (including the GDPR). For purposes of this DPA, the Customer is the Controller of the Customer Data.

“Customer”

The entity that has agreed to the Agreement and uses the Service.

“Customer Data”

Any Personal Data submitted to, stored in, or transmitted through the Service by or on behalf of the Customer (including by the Customer’s End-Users), where Desku Processes such data on the Customer’s behalf.

“Data Subject”

Refers to the meaning given in applicable data protection law (including the GDPR) and refers to an identified or identifiable natural person to whom the Personal Data relates.

“Documentation”

All written or digital instructions, help articles, onboarding guides, product descriptions, and technical materials provided by Desku.

“Effective Date”

The date at which changes related to the Service, or Policies, or Terms & Conditions become effective. Continued usage of the Service after the Effective Date denotes acceptance of said changes.

“End-User”

Any individual who interacts with the Customer by using chat, ticketing, messaging, email, social channels, the Desku Chat Widget, or other communication methods supported by the Service.

“Personal Data”

Refers to the meaning given in the GDPR (and similar definitions under applicable law).

“Personal Data Breach”

Refers to the meaning given in the GDPR (and similar definitions under applicable law).

“Processing”

The meaning given in applicable data protection law (including the GDPR).

“Processor”

Refers to the meaning given in applicable data protection law (including the GDPR). For purposes of this DPA, Desku is the Processor of the Customer Data when Processing on behalf of the Customer.

“PCI Data”

The payment card data regulated by PCI DSS, including full PAN, CVV/CVC, or magnetic stripe / chip data.

“Service”

Refers to the Desku.io software platform and any related support services provided by Desku under the Agreement.

“Special Categories of Personal Data”

The meaning given in GDPR Article 9 (and equivalent concepts under applicable law).

“Subscription”

The paid plan, free plan, trial plan, or any tiered access purchased or activated by the Customer, including all limits, features, and billing terms described in the applicable Order Form or Pricing page.

“Subprocessor”

Any third-party appointed by Desku to Process the Customer Data on behalf of the Customer in connection with the provision of the Service.

“Supervisory Authority”

Refers to the meaning given in the GDPR (and similar terms under applicable law) and refers to the competent data protection authority responsible for oversight and enforcement.

“Standard Contractual Clauses” or “SCCs”

The European Commission standard contractual clauses for international transfers approved under applicable law (including Commission Implementing Decision (EU) 2021/914), as updated or replaced from time to time.

“Swiss Addendum”

The addendum or adaptations required for the EU SCCs to apply to transfers governed by the Swiss data protection law (as updated or replaced from time to time).

“Third-Party Services”

Third-Party products or services that the Customer (or its End-Users) connect to or use with the Service (including via integrations) and which are not operated by Desku.

“UK Addendum”

The UK International Data Transfer Addendum to the EU SCCs (or any successor mechanism recognized under the UK GDPR).

Roles of the Parties

This section describes the parties’ roles and reflects the requirements of GDPR Article 28 (and equivalent obligations under applicable data protection laws) for Processing the Customer Data.

Customer as Controller

The Customer acts as the Controller of the Customer Data and is responsible for:

(a) determining the purposes and means of Processing;

(b) ensuring it has a valid lawful basis for Processing the Customer Data; and

Desku as Processor

Desku acts as the Processor of the Customer Data and will Process the Customer Data only:

(a) to provide, maintain, and secure the Service under the Agreement; and

(b) in accordance with the Customer’s documented instructions, as set out in the Agreement, this DPA, and the Customer’s use and configuration of the Service.

If Desku believes an instruction infringes on applicable data protection law, Desku will notify the Customer unless prohibited by law.

Situations Where Desku Acts as Controller

Desku acts as an independent Controller for the Personal Data that Desku Processes for its own legitimate business operations, where Desku determines the purposes and means of Processing, including for:

billing and account administration;

fraud prevention;

service usage, performance, and security logs;

security monitoring and abuse prevention; and

compliance with applicable law and enforcement of the Agreement.

Subject Matter and Duration of Processing

Subject Matter

The Processing performed under this DPA is limited to the Processing of the Customer Data as necessary to provide, maintain, support, and secure the Service in accordance with the Customer’s documented instructions. This includes hosting, transmitting, and making the Customer Data available to authorized Users of the Service, and performing related support and operational activities required to deliver the Service.

Duration

Desku will Process the Customer Data for the duration of the Agreement (including any renewal term) and for any additional period required to comply with Clause 14 (Return or Deletion of Data) and applicable law.

Expiration / Termination

Upon expiration or termination of the Agreement or this DPA, Desku will return or delete the Customer Data in accordance with Clause 14.

Nature and Purpose of Processing

Nature and Purpose

Desku Processes the Customer Data only to provide, operate, maintain, support, and secure the Service under the Agreement. This includes enabling Customer communications, ticketing, workflow routing, reporting and analytics, system administration, troubleshooting, and enabling integrations and configurations selected by the Customer.

AI-Assisted Processing

Where enabled by the Customer or used as part of the Service, Desku may Process the Customer Data using AI-assisted functionality for limited purposes such as classification, summarization, routing, suggested responses, and analytics, to the extent required to deliver the Service. The Customer may disable AI Features through the Service settings where available.

No Training of Public/Shared Models

Desku does not use the Customer Data to train, improve, or contribute to any public or shared AI models.

Rights in Customer Data and AI Outputs

The Customer retains all rights to the Customer Data. As between the parties, the Customer may use AI outputs generated from the Customer Data through the Service (“AI Outputs”). Desku retains all rights in the Service and its underlying technology, including any Desku-provided models, prompts, and tooling used to generate AI Outputs.

Categories of Data Subjects

The Customer Data Processed under this DPA may relate to the following categories of Data Subjects (as determined by the Customer’s use and configuration of the Service):

Customer authorized Users (e.g. Customer employees, contractors, or agents) who access or use the Service.

Customer End-Users / Customers / prospects who communicate with the Customer via channels supported by the Service (e.g. chat, email, messaging, social).

Visitors to Customer’s websites, apps, or other digital properties who interact with the Customer’s embedded Desku Chat Widget or support experiences.

Individuals who submit information to the Customer through the Customer’s marketing, sales, or support interfaces that are connected to, or routed through, the Service.

Failure to comply with these responsibilities may result in warnings, access restrictions, suspension, or termination of the User’s account at Desku’s discretion.

Categories of Personal Data

The Customer Data Processed by Desku on the Customer’s behalf may include the following categories of Personal Data, as determined by the Customer’s configuration and use of the Service:

Identity and contact information (e.g. name, email address, phone number, username, Customer reference IDs).

Customer account and User details for authorized Users of the Service (e.g. role, team assignment, login and access metadata).

Transaction and order-related information from the Customer’s commerce systems (e.g. order numbers, purchase history, order status).

Shipping and fulfilment details (e.g. delivery address, courier status, tracking details) where routed through the Service via the Customer’s integrations.

Support and communications content (e.g. ticket content, emails, chat transcripts, attachments, conversation history, timestamps).

Chat Widget interaction data (e.g. messages, form fields configured by the Customer, session context).

Integration and third-party system identifiers (e.g. IDs and tokens/connection identifiers associated with systems such as Shopify, WooCommerce, WhatsApp, Slack, or other Third-Party Services configured by the Customer).

Device, browser, and usage metadata (e.g. IP address, device type, browser type, logs, and event metadata) collected for service delivery, reliability, and security monitoring.

This list reflects common data types processed in B2B and B2C support environments and may vary depending on the Customer’s use of the Service.

Processor Obligations (Desku Commitments)

Desku, acting as Processor, will comply with the obligations set out below:

Processing on Instructions

Desku will Process the Customer Data only in accordance with the Customer’s documented instructions, as set out in the Agreement, this DPA, and Customer’s use and configuration of the Service.

Confidentiality

Desku will ensure that personnel authorized to Process the Customer Data are subject to appropriate confidentiality obligations (whether contractual or statutory).

Security Measures

Desku will implement and maintain appropriate technical and organizational measures to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A summary of these measures is available on the Security Page (and/or in Clause 11).

Data Subject Rights Assistance

Taking into account the nature of the Processing, Desku will provide reasonable assistance to the Customer to support the Customer’s handling of Data Subject requests under applicable data protection laws.

Security Monitoring and Logs

Desku will maintain reasonable audit logs, monitoring systems, and related controls designed to support the security, availability, and integrity of the Service and the Customer Data.

Breach Notification

Desku will notify the Customer of a confirmed Personal Data Breach without undue delay, in accordance with Clause 12.

Subprocessors

Desku will make available a current list of authorized Subprocessors and will provide notice of material changes in accordance with Clause 9. Desku will enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than those in this DPA, as required by applicable law.

Return or Deletion

At expiration or termination of the Agreement, Desku will delete or return the Customer Data in accordance with Clause 14, subject to Backup Data lifecycle policies and applicable law.

Unlawful Instructions

If Desku believes that a documented instruction infringes on applicable data protection law, Desku will notify the Customer (unless prohibited by law).

DPIAs and Regulatory Cooperation

Taking into account the nature of the Processing and the information available to Desku, Desku will provide reasonable assistance to the Customer with Data Protection Impact Assessments (DPIAs) and, where required, prior consultation with Supervisory Authorities. Desku will also cooperate, as reasonably required, with the Customer or a Supervisory Authority in relation to the Processing under this DPA.

Controller Obligations (Customer Responsibilities)

Lawful Basis and Compliance

The Customer, as Controller, is responsible for ensuring that its Processing of Customer Data through the Service is supported by a valid lawful basis and complies with applicable data protection laws.

Transparency and Notices

The Customer is responsible for providing clear and compliant privacy notices to Data Subjects (including End-Users) describing the Customer’s Processing of Customer Data and the use of service providers/Processors such as Desku.

Customer Configuration and Security

The Customer is responsible for configuring and using the Service in a secure and lawful manner, including the configuration of User access, permissions, integrations, automations, data fields, retention settings (where available), and any AI-related features enabled by the Customer.

Customer Instructions

The Customer will ensure that its documented instructions for Processing are lawful and do not require Desku to Process the Customer Data in a manner that violates applicable law.

Sensitive and Prohibited Data (Critical Clause)

Unless expressly agreed in writing by Desku, the Customer must not upload, submit, or otherwise Process through the Service any of the following:

PCI Data (e.g. credit card numbers, CVV/CVC, full PAN, magnetic stripe or chip data)

Government-issued identification numbers (e.g. national ID numbers, passport numbers, driver’s licence numbers)

Biometric identifiers used for unique identification

Special Categories of Personal Data (e.g. health data, religious or philosophical beliefs, sexual orientation, trade union membership, genetic data)

Financial account access credentials (e.g. bank logins, account passwords, security questions)

Any other high-risk, highly regulated, or sensitive data not reasonably required for the Customer Support communications

The Customer acknowledges that Desku is not required to monitor the content of Customer Data for prohibited data types. To the extent permitted by law, Desku will not be responsible for issues arising from the Customer’s breach of this Clause 8.5.

Subprocessors

Authorization

The Customer authorizes Desku to appoint Subprocessors to Process the Customer Data as necessary to provide the Service.

Subprocessor List

A current list of Desku’s authorized Subprocessors is available at: /subprocessors/ (the “Subprocessor List”).

Notice of Changes

Desku will provide notice of any intended addition, replacement, or material change to its Subprocessors by updating the Subprocessor List and/or providing notice via email or in-product notification at least thirty (30) days in advance (each a “Subprocessor Update”).

Objections and Termination

The Customer may reasonably object to a Subprocessor Update by notifying Desku in writing within fourteen (14) days of the Subprocessor Update, stating the reasonable grounds for objection related to data protection. If Desku cannot reasonably address the Customer’s objection (including by providing an alternative or remediation), the Customer may terminate the affected portion of the Service and receive a pro-rata refund for the unused portion of the then-current Subscription term.

International Data Transfers

Transfer Mechanisms

Where the Processing of the Customer Data involves a transfer of Personal Data outside the jurisdiction in which it was collected (including outside the EEA, the UK, or Switzerland), Desku will implement appropriate transfer mechanisms recognized under applicable data protection laws, including the Standard Contractual Clauses (SCCs), the UK Addendum, and the Swiss Addendum, as applicable.

Supplementary Measures

Desku will implement appropriate technical and organizational measures to support international transfers and address transfer-risk considerations (including those identified in Schrems II where relevant). Such measures may include encryption in transit and at rest, access controls, and other safeguards described in this DPA and Desku’s security Documentation.

Transparency

Upon request, Desku will provide the Customer with information reasonably necessary to describe the transfer mechanism(s) and safeguards applied to relevant international transfers under this DPA.

SCCs (Incorporation by Reference)

Where the GDPR applies and the Customer Data is transferred in a manner requiring a transfer mechanism, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:

(a) Module Two (Controller to Processor) applies where the Customer is a Controller and Desku is a Processor; and

(b) Module Three (Processor to Processor) applies where relevant to transfers to Subprocessors.

The UK Addendum and Swiss Addendum apply where the UK GDPR or Swiss data protection law governs the transfer.

Security Measures (TOMs)

Desku implements and maintains appropriate technical and organizational measures designed to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the Processing, risks to Data Subjects, and the state of the art. These measures include, at a minimum:

Encryption of the Customer Data in transit and at rest (where applicable).

Access controls including role-based access, least privilege principles, and authentication mechanisms.

Logical and network security controls, including segmentation and controlled administrative access.

Monitoring and logging to support security oversight, incident detection, and investigation.

Vulnerability management, including regular scanning, patching, and remediation.

Penetration testing performed periodically by qualified parties (as applicable).

Secure development practices, including change management and code review processes.

Business continuity and backup controls, including encrypted backups and disaster recovery processes.

Desku will not materially decrease the overall security of the Service during the term of the Agreement.

Additional details regarding Desku’s security measures are available on the Security Page

Breach Notification

Desku will notify the Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of and confirming a Personal Data Breach involving the Customer Data. Desku will provide such notice to the Customer via the Service, email, and/or other reasonable means.

To the extent information is not available at the time of initial notice, Desku may provide relevant information in phases without undue delay.

The breach notification will include, to the extent reasonably available:

a description of the nature of the Personal Data Breach;

the categories (and, where feasible, approximate number) of Data Subjects and records concerned;

the categories of Personal Data involved;

the measures taken or proposed to address or mitigate the Personal Data Breach; and

recommended steps the Customer can take to reduce potential adverse effects.

Desku will cooperate with the Customer as reasonably necessary to support the Customer’s compliance with applicable breach notification and reporting obligations.

Data Subject Rights Assistance

Taking into account the nature of the Processing, Desku will provide reasonable assistance to the Customer to support the Customer’s response to Data Subject requests under applicable data protection laws, including requests for:

access;

rectification;

erasure;

restriction;

portability; and

objection.

Where available, Desku will provide the Customer with self-service functionality within the Service to access, export, correct, or delete Customer Data.

Submission of Requests

Data Subjects (including End-Users) should submit requests directly to the Customer. Desku is not responsible for responding directly to Data Subject requests unless required by applicable law. If Desku receives a request directly, Desku will, where legally permitted, refer the request to the Customer.

Verification

The Customer is responsible for verifying the identity of the requestor and the validity of the request. Desku may require reasonable information from the Customer to confirm the Customer’s authorization before acting on any request involving Customer Data.

Return or Deletion of Data

Live Data

Upon expiration or termination of the Agreement, Desku will, at the Customer’s option and to the extent available through the Service, return (e.g. via export) or delete Customer Data from Desku’s active systems (“Live Data”) within thirty (30) days, unless retention is required by applicable law.

Backup Data

The Customer Data may continue to exist in Backup Data (encrypted, immutable system backups) that are maintained for business continuity and disaster recovery. Backup Data follows an automated lifecycle deletion process of approximately 30–90 days. During the retention period, Backup Data cannot be modified, selectively accessed for deletion, or altered.

These measures are designed to maintain the integrity and security of backup systems while ensuring the Customer Data is removed from backup media in accordance with established retention cycles.

Audit Rights

Documentation

Upon request, Desku will make available Documentation and information reasonably necessary to demonstrate Desku’s compliance with this DPA, including relevant security and compliance materials.

Third-Party Reports

Where available, the Customer may rely on Desku’s third-party audit reports, certifications, and industry-standard assessments (e.g. security questionnaires and test summaries) as evidence of Desku’s technical and organizational measures.

Information Requests

The Customer may submit additional requests for information, provided such requests are specific, lawful, and submitted with reasonable prior notice. Desku may decline or limit requests that are excessive, repetitive, or would disclose confidential information about other Customers or Desku’s systems.

Audit Process

If the Customer reasonably requires an audit of Desku’s compliance with this DPA and the information provided under Clauses 15.1–15.3 is not sufficient, the Customer may request an audit subject to the following:

the audit will occur no more than once per 12-month period, unless required by applicable law or following a confirmed Personal Data Breach affecting the Customer Data;

the Customer will provide at least thirty (30) days’ prior written notice and propose a scope that is limited to the Processing of the Customer Data under this DPA;

the audit will be conducted during normal business hours and in a manner that does not unreasonably interfere with Desku’s operations; and

the audit will be subject to confidentiality obligations and Desku’s reasonable security requirements.

On-Site / Physical Audits

Physical audits or inspections of Desku’s facilities are restricted and will be permitted only where required by applicable law or by a competent Supervisory Authority, and in each case subject to Desku’s security controls, confidentiality obligations, and operational limitations.

Costs

Unless required by applicable law or a Supervisory Authority, the Customer will bear its own costs and reasonable expenses associated with any requested audit.

AI-Specific Processing

This section sets out the AI Processing Terms governing Desku’s AI Features within the Service.

AI Inputs and AI Outputs

The Customer retains all rights to Customer Data, including any text, prompts, files, or other content submitted to the Service for AI-assisted Processing (“AI Inputs”). As between the parties, the Customer may use any AI-generated results produced through the Service from Customer Data (“AI Outputs”). Desku retains all rights in the Service and its underlying technology, including any Desku-provided models, prompts, workflows, and tooling used to generate AI Outputs.

No Claim Over Customer Content

Desku does not claim ownership of the Customer Data, AI Inputs, or AI Outputs. The Customer is responsible for reviewing AI Outputs for accuracy and suitability before use.

Third-Party AI Providers

Where Desku uses third-party AI infrastructure providers to deliver AI Features, Desku will ensure such providers are engaged as Subprocessors (or otherwise disclosed where they act as independent Controllers) and are contractually required to:

(a) Process the Customer Data only to provide services to Desku for the purpose of delivering the AI Features;

(b) maintain confidentiality and appropriate security measures; and

No High-Impact Automated Decision-Making

AI capabilities within the Service are limited to assistive functions (such as summarization, classification, routing, and suggested responses) and are not intended to make automated decisions that produce legal or similarly significant effects on individuals within the meaning of applicable data protection law.

Customer Controls

The Customer may disable AI Features through the Service settings where available, and may control which channels, workflows, or content types are routed through AI-assisted Processing based on the Customer’s configuration of the Service.

Liability

Liability Cap

To the extent permitted by applicable law, Desku’s total aggregate liability arising out of or relating to this DPA will not exceed the fees paid by the Customer for the Service in the twelve (12) months preceding the event giving rise to the claim.

Excluded Damages

To the extent permitted by applicable law, neither party will be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages arising out of or relating to this DPA.

Relationship to the Agreement

Except as expressly set out in this DPA, the limitations of liability, exclusions, and related liability terms in the Agreement apply to this DPA and are incorporated by reference. If there is a conflict between this Clause 17 and the Agreement regarding liability, the parties’ intent is that the liability framework in the Agreement will apply, unless this DPA expressly states otherwise.

Third-Party Services and Integrations

The Customer may connect Third-Party Services to the Service (including via integrations). Third-Party Services connected by the Customer are not Subprocessors of Desku solely by virtue of the Customer enabling or using an integration. The Customer remains responsible for its use of Third-Party Services and for any data shared with such Third-Party Services, including ensuring it has the necessary rights and lawful basis to share that data.

For clarity, third parties that Desku engages to Process the Customer Data on Desku’s behalf to provide the Service (e.g. hosting, infrastructure, support tooling, or AI providers) may be Subprocessors and will be listed on the Subprocessor List.

Governing Law and Jurisdiction

This DPA is governed by, and will be interpreted in accordance with, the governing law and jurisdiction provisions set out in the Desku Terms of Service.

Changes to This DPA

Desku may update this DPA to reflect legal, regulatory, technical, or operational changes. Desku will provide notice of material changes by updating the DPA on its website and/or notifying the Customer via email or in-product notification.

If the Customer reasonably objects to a material change, the Customer may notify Desku in writing within thirty (30) days of the notice. If the parties cannot resolve the objection within a reasonable period, the Customer may terminate the affected portion of the Service and receive a pro-rata refund for the unused portion of the then-current Subscription term.

Order of Precedence

If there is any conflict between this DPA and the Agreement regarding the Processing of the Customer Data or the parties’ data protection obligations, the terms of this DPA will prevail to the extent of the conflict. For all other matters, the Agreement will control.

Contact Information

Desku.io

Registered Address: 4023 Kennett Pike #50230
Wilmington Delaware 19807
United States

Email: support@desku.io

Data Processing Agreement