Data Processing Agreement (DPA) at AskVault
What the DPA covers
A Data Processing Agreement is the contract between you (the Data Controller) and AskVault (the Data Processor) governing how we handle personal data on your behalf. It is required under GDPR and increasingly under similar laws (UK GDPR, California CCPA, India's DPDP Act).
AskVault's DPA covers:
- Controller-processor relationship. Roles, responsibilities, and limitations.
- Categories of personal data processed. What types of data AskVault holds.
- Purposes of processing. Why we hold it.
- Sub-processors. The third parties AskVault uses, with notification process for changes.
- Security measures. Encryption, access controls, audit logs.
- Breach notification. 24-hour notification to affected customers.
- International transfers. Standard Contractual Clauses (SCCs) for EU-to-non-EU transfers.
- Audit rights. Customer's right to audit AskVault's compliance.
- Termination and deletion. What happens to your data after contract end.
The DPA is a standard form. Most customers sign as-is; Enterprise customers can negotiate specific provisions.
When you need a DPA
Three triggers:
- You process EU resident data. GDPR Article 28 requires a DPA between Controller and Processor.
- You're a B2B SaaS with enterprise customers. Your customers' procurement teams require a DPA in your vendor agreement.
- You operate in a jurisdiction with similar laws. UK, California, Brazil, India, Singapore all have processor-controller requirements.
For workspaces processing only your own internal data with no third-party data subjects, a DPA is less critical but still recommended.
Plan availability
The standard DPA is available on Growth and Business, on request on Starter, and not at all on Free. On Enterprise, the DPA is part of the contract by default and can be customized with addendums.
| Plan | DPA available |
|---|---|
| Free | No |
| Starter | On request, no negotiation |
| Growth | Yes, standard form |
| Business | Yes, standard form |
| Enterprise | Yes, customizable with addendums |
Free customers handling personal data should upgrade so a DPA can be signed at all; Starter customers can request one, but we recommend Growth at minimum, where the standard DPA is available without a request and is contractually binding once executed.
How to request the DPA
- From the dashboard. Settings > Legal > Download DPA. PDF download.
- Sign with DocuSign. Most customers sign electronically via the embedded DocuSign flow.
- Counter-signature by AskVault. Within 3 business days, AskVault counter-signs and you receive the executed PDF.
For Enterprise contracts, the DPA is bundled with the master agreement. Your AskVault Account Manager handles the signing flow.
What's in the standard DPA
Six sections:
Section 1: Definitions and roles
Defines Controller (you) and Processor (AskVault). Defines personal data, processing, sub-processor, data subject. Standard GDPR-aligned definitions.
Section 2: Scope of processing
Specifies that AskVault processes data only on your documented instructions. Lists the types of personal data we hold (customer emails, names, phone numbers, chat content) and the purposes (delivering the AskVault service).
Section 3: Sub-processors
Lists the categories of sub-processors AskVault uses. Specifies the 30-day advance notice requirement for changes. Specifies your right to object to sub-processor changes.
Section 4: Security measures
Specifies the technical and organizational measures AskVault uses: encryption, access controls, audit logging, vulnerability management. References our SOC 2 Type II posture.
Section 5: Breach notification
24-hour notification to your designated security contact when AskVault confirms a personal-data breach. Specifies what information the notification contains.
Section 6: International transfers
For EU-to-non-EU transfers (the AskVault primary region is in Asia-Pacific), the DPA incorporates Standard Contractual Clauses (Module Two: Controller to Processor) by reference.
What you provide as Controller
Three things you, as Controller, are responsible for:
- Lawful basis. You determine the legal basis for processing personal data through AskVault (consent, legitimate interest, contractual necessity, etc.).
- Data subject rights. You handle requests from your customers to access, correct, or delete their data. AskVault provides the infrastructure to fulfill those requests.
- Documented instructions. Your use of AskVault is the documented instruction. If you want AskVault to process data in a specific non-standard way, an addendum is needed.
For most customers, the standard DPA captures the standard usage. No addendums needed.
Sub-processor change notification
Per the DPA, AskVault notifies customers 30 days in advance when:
- A sub-processor is added.
- A sub-processor is removed.
- A sub-processor's scope materially changes.
Notification methods:
- Email to the workspace owner's account email.
- In-product notification in the dashboard.
- Public changelog at the sub-processors page.
Customers can object to a change. If we cannot resolve the objection within 30 days, you can terminate the affected workspace with data export.
Audit rights
Customers have the right to audit AskVault's compliance with the DPA. Three options:
- Standard. Review AskVault's SOC 2 Type II report (most enterprise auditors accept this).
- Questionnaire-based. Send a vendor security questionnaire; AskVault responds within 15 business days.
- On-site audit. Available on Enterprise contracts with 60-day notice. Scope and cost negotiated.
For most teams, the SOC 2 Type II report satisfies audit requirements.
Termination and deletion
When your AskVault subscription ends:
- Days 1 to 30: grace period. Workspace stays in read-only mode. You can export your data.
- Days 31 to 60: workspace deletion. Once the deletion job runs, active database rows are removed within seconds.
- Days 31 to 90: backup purge. Backups containing your data expire per the standard retention policy.
- After day 90: data is permanently unrecoverable.
For Enterprise customers, the post-termination data-handling can be customized in the contract (extended grace period, encrypted export, etc.).
Customer-specific DPA versions
Some customers require specific provisions:
- California CCPA addendum. For US-California-resident data subjects.
- UK DPA addendum. Post-Brexit UK-specific provisions.
- HIPAA Business Associate Agreement. For US healthcare data. Enterprise only.
- Country-specific addendums. Brazil LGPD, India DPDP Act, Singapore PDPA, etc.
Most addendums are available on Enterprise contracts. Reach out to legal@askvault.co.
Common pitfalls
Customer doesn't request a DPA. Then they're processing personal data through AskVault without a contractually-binding agreement. Risk for both parties. Always sign a DPA when handling third-party personal data.
Customer signs DPA but doesn't review. Then later questions arise about provisions they never read. Read it before signing. Reach out to legal@askvault.co with questions; we respond within 3 business days.
DPA conflicts with master agreement. Standard DPA has narrow scope. If your master AskVault contract has conflicting clauses, we sort it out during contract review.
Sub-processor change objection. Customer objects to a new sub-processor. We work through the objection; in rare cases the customer terminates. Review the current sub-processor list before committing a workload so that later changes are unlikely to be blocking for you.
FAQ
Is the DPA available for Free plan?
No. Free tier users can read the DPA for reference but it isn't contractually binding. Upgrade to Growth for a signed DPA.
Can I download the DPA before signing up?
Yes. Public version of the standard DPA at askvault.co/legal/dpa. Helps procurement teams evaluate AskVault before account creation.
Does AskVault sign customer-provided DPA templates?
Sometimes. Standard customer DPAs that align with our security posture get signed quickly. Heavily customized DPAs require legal review. Reach out to legal@askvault.co with your template.
What's the difference between the DPA and the Terms of Service?
Terms of Service govern the commercial relationship. DPA governs data processing specifically. Both apply to paid plans; ToS alone applies to Free.
Can I extend the data retention period?
Yes on Enterprise contracts. Standard retention is 365 days; HIPAA-required 6 years is supported; longer terms are negotiated case by case.