Legal

Data Processing Agreement

Last updated: 15 March 2026

This Data Processing Agreement ("DPA") is entered into between Disqua ("Processor") and the Customer ("Controller") and forms an integral part of the Disqua Terms of Service. This DPA applies where Disqua processes Personal Data on behalf of the Customer in the course of providing the Service. By using the Service, the Customer agrees to the terms of this DPA.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • Controller — the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this DPA, the Customer acts as the Controller.
  • Processor — a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. In this DPA, Disqua acts as the Processor.
  • Personal Data — any information relating to an identified or identifiable natural person ("data subject"), as defined in Article 4(1) GDPR.
  • Processing — any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.
  • Sub-processor — any third party appointed by Disqua to process Personal Data on behalf of the Controller.
  • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  • Service — the Disqua team communication platform and related services as described in the Terms of Service.
  • Standard Contractual Clauses (SCCs) — the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR for transfers of Personal Data to third countries.

2. Scope and Purpose

Disqua processes Personal Data as a Processor solely on behalf of, and under the instructions of, the Controller for the purpose of providing the Service. The subject matter, nature, and purpose of the processing are described as follows:

  • Subject matter: Personal Data of the Controller's users (employees, team members, and contacts) as submitted to the Service.
  • Nature of processing: Storage, retrieval, transmission, display, and deletion of Personal Data in the course of operating the Service.
  • Purpose: Provision of team communication, messaging, file sharing, and related features as described in the Terms of Service.
  • Categories of data subjects: The Controller's employees, contractors, customers, and any other individuals whose Personal Data the Controller submits to the Service.
  • Types of Personal Data: Name, email address, profile information, message content, uploaded files, IP addresses, device identifiers, and any other data submitted by the Controller or its users.

3. Duration

This DPA is effective from the date the Customer first accepts the Terms of Service and remains in force for the duration of the Customer's subscription agreement with Disqua. Upon termination or expiry of the subscription, this DPA shall terminate, subject to the obligations set out in Section 11 (Return and Deletion of Data).

4. Instructions for Processing

Disqua shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law to which Disqua is subject; in such a case, Disqua shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller's instructions to Disqua are set out in this DPA and the Terms of Service. The Controller may issue further instructions in writing at any time. Disqua shall promptly notify the Controller if, in its reasonable opinion, any instruction infringes applicable data protection law.

For questions regarding processing instructions, contact: privacy@disqua.com

5. Confidentiality

Disqua shall ensure that persons authorised to process Personal Data on behalf of the Controller are subject to a binding obligation of confidentiality, whether by contract or by statutory obligation. Disqua shall ensure that access to Personal Data is limited to those personnel who need access for the purposes of providing the Service. Disqua will not disclose Personal Data to any third party except as permitted under this DPA.

6. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Disqua shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption at rest: All Personal Data stored in the Disqua database is encrypted using AES-256.
  • Encryption in transit: All data transmitted between clients and Disqua servers is encrypted using TLS 1.3.
  • Access controls: Role-based access controls restrict access to Personal Data to authorised personnel only. Multi-factor authentication is enforced for administrative access.
  • Regular security audits: Disqua conducts periodic internal and external security reviews and vulnerability assessments.
  • Incident response: Disqua maintains a documented incident response procedure to detect, contain, and remediate security incidents affecting Personal Data.
  • Data minimisation: Disqua collects and retains only the Personal Data necessary for the purposes described in this DPA.
  • Backup and recovery: Regular encrypted backups of Personal Data are maintained to ensure availability and resilience.

7. Sub-processors

The Controller hereby grants Disqua general authorisation to engage Sub-processors for the processing of Personal Data. Disqua shall ensure that Sub-processors are bound by data protection obligations at least equivalent to those set out in this DPA.

The currently approved Sub-processors are:

  • Stripe, Inc. — Payment processing. Registered in the United States. Transfer mechanism: Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c).
  • Postmark (Wildbit LLC) — Transactional email delivery. Registered in the United States. Transfer mechanism: Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c).
  • PostHog, Inc. — Product analytics (EU-hosted instance). Data is processed and stored within the European Union. No cross-border transfer applies.

Disqua shall notify the Controller at least 30 days in advance before adding any new Sub-processor or making material changes to existing Sub-processor arrangements. The Controller may object to such changes within 14 days of receiving the notification. If the Controller raises a reasonable objection, the parties will work in good faith to resolve the issue.

8. Data Subject Rights

Taking into account the nature of the processing, Disqua shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

Where a data subject makes a request directly to Disqua, Disqua will promptly forward the request to the Controller and will not independently respond to the request unless instructed to do so by the Controller or required by law. Disqua will respond to such forwarded requests within 30 days.

9. Data Breach Notification

Disqua shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons. The notification shall include, to the extent available at the time:

  • A description of the nature of the Personal Data breach, including the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
  • The name and contact details of the data protection contact point where more information can be obtained;
  • A description of the likely consequences of the Personal Data breach;
  • A description of the measures taken or proposed to be taken to address the Personal Data breach, including measures to mitigate its possible adverse effects.

Breach notifications shall be sent to the email address registered as the primary contact for the Customer's account. It is the Controller's responsibility to maintain accurate contact details with Disqua.

10. Data Transfers

Personal Data processed by Disqua is stored on servers located within the European Union. Disqua does not transfer Personal Data outside the EEA as part of its core data processing activities, except where Sub-processors located outside the EEA are used (see Section 7). In all such cases, Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46(2)(c) are in place to ensure an adequate level of protection for the transferred Personal Data.

Disqua will not transfer Personal Data to any jurisdiction without an adequate transfer mechanism in place, and will ensure compliance with applicable GDPR transfer requirements at all times.

11. Return and Deletion of Data

Upon termination or expiry of the subscription agreement for any reason, Disqua shall, at the choice of the Controller:

  • Return all Personal Data to the Controller in a machine-readable format (JSON export), within 30 days of the date of termination; and/or
  • Securely delete all Personal Data and existing copies thereof within 30 days of the date of termination, unless EU or Member State law requires storage of the Personal Data.

Disqua shall provide the Controller with written confirmation of deletion upon request. Anonymised or aggregated data that cannot be linked to any individual may be retained for analytical purposes after termination.

12. Audit Rights

Disqua shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller shall give Disqua at least 30 days written notice before conducting an audit. Audits shall be conducted during normal business hours, no more than once per year, and shall not unreasonably disrupt Disqua's business operations. The Controller shall bear the cost of any audit. Disqua may require the auditor to sign a reasonable confidentiality agreement before proceeding.

Disqua may satisfy audit requests by providing third-party audit reports (e.g., SOC 2 Type II) or certifications, where applicable.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Disqua Terms of Service. Nothing in this DPA limits either party's liability for fraud, gross negligence, or wilful misconduct, or for any liability that cannot be excluded under applicable law.

14. Contact

For all matters relating to this DPA and data protection, please contact:

Data Protection Contact
Disqua
Czech Republic
privacy@disqua.com

Terms of Service Privacy Policy SLA Cookie Policy Acceptable Use