Data Processing Addendum

Last updated: v1.1 — April 17, 2026

Enterprise Ready: Our Data Processing Addendum (DPA) ensures GDPR compliance for organizations processing personal data through Jamdesk.

Jamdesk is operated by Even Flow Solutions, LLC, 1900 Broadway, New York, NY 10023, USA(the "Processor" or "Jamdesk" throughout this summary and the signed DPA). The Customer acts as the Controller with respect to Customer Personal Data processed through the service.

Automatic incorporation. This DPA is automatically incorporated into and forms part of the Terms of Service (or any Master Services Agreement between Jamdesk and Customer) for any Customer whose processing of personal data through the Service is subject to the EU GDPR, UK GDPR, or Swiss data-protection law. No separate signature is required for this DPA to take effect. A countersigned copy is available on request.

Request a DPA

What is a DPA?

A Data Processing Addendum is a legally binding contract between a data controller (you) and a data processor (Jamdesk) that governs how personal data is handled. It's required under GDPR when you use third-party services to process personal data.

Nature and Purpose of Processing

Jamdesk processes Customer Personal Data solely to host, render, and deliver Customer documentation sites, authenticate end users, and provide related support, analytics, and billing. Where a Customer enables AI-powered documentation search or chat, end-user queries and the relevant documentation context are also processed by our AI inference sub-processor to generate a response; Jamdesk does not train models on Customer content, and our AI sub-processors are contractually prohibited from doing so. Processing continues for the term of the Customer's Jamdesk subscription, followed by a wind-down period described under "Return or Deletion" below.

Documented instructions.The Agreement (these Terms, any Master Services Agreement, this DPA, and the Customer's configuration of features and settings in the dashboard) constitutes Customer's complete and documented instructions to Jamdesk for the processing of Customer Personal Data. Any additional or different instruction must be agreed in writing and may be subject to additional fees.

Independent-controller processing.For processing that is necessary for Jamdesk's own legitimate business purposes — including billing, fraud and abuse prevention, security monitoring, aggregated analytics, and service improvement using data that has been de-identified or aggregated such that it can no longer reasonably be associated with an identified or identifiable natural person — Jamdesk acts as an independent controller, not as Customer's processor, and the provisions of this DPA governing processor obligations do not apply to that processing.

Categories of Data and Data Subjects

Categories of Personal Data processed: account identifiers, email addresses, authentication tokens, documentation content, vector embeddings derived from documentation and chat queries (for AI search and chat features), billing data, support correspondence, and usage/analytics data.

Categories of data subjects:Customer's authorized users (admins and editors), Customer's end users and documentation-site visitors, and Customer's prospects who submit contact or signup forms.

In-life retention periods for each category are described in our Privacy Policy. Post-termination handling is governed by the "Return or Deletion" provision below.

Key Provisions

Our DPA includes:

  • Documented Instructions:Jamdesk processes Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required otherwise by EU or Member State law.
  • Standard Contractual Clauses (SCCs): The 2021 EU SCCs (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum (IDTA) are incorporated by reference for transfers of Customer Personal Data out of the EEA and UK.
  • Security Measures: Technical and organizational measures described on our Security page, which forms Annex II of the DPA.
  • Personnel Confidentiality: All Jamdesk personnel authorized to process Customer Personal Data are bound by written confidentiality obligations.
  • Sub-processor List:Transparency about third-party services we use, with at least 30 days' advance notice of changes. Customer's continued use of the service after notice constitutes authorization. Customer may object in writing by emailing privacy@jamdesk.com before the new sub-processor begins processing, on documented data-protection grounds; if Jamdesk cannot reasonably accommodate the objection, Customer may terminate the affected service in accordance with the termination provisions of the master agreement. Customers can subscribe to change notifications at jamdesk.com/subprocessors.
  • Data Subject Rights (DSAR Assistance): Jamdesk provides tooling and reasonable assistance to help the Customer respond to data subject requests within statutory timelines. Requests should be directed to privacy@jamdesk.com.
  • Breach Notification:Jamdesk will notify the Customer of a personal data breach without undue delay after becoming aware, in a timeframe that enables Customer to meet its own notification obligations to supervisory authorities and data subjects under GDPR Articles 33 and 34. Jamdesk will provide reasonable assistance with Customer's obligations under Articles 32–36 (security, DPIA, prior consultation).
  • Return or Deletion:Upon termination, Jamdesk will delete or, at Customer's option, return all Customer Personal Data within 30 days, subject to backups purged on a rolling schedule and any retention required by law.
  • Audit Rights: Jamdesk will make available to Customer all information necessary to demonstrate compliance with Article 28 obligations, and will permit audits (including via third-party auditor reports or questionnaires) on reasonable notice, no more than once per 12 months absent a breach.
  • Liability:Liability under this DPA, as between the parties, is subject to the limitations and exclusions set out in Jamdesk's Terms of Service. Nothing in this DPA restricts either party's liability to data subjects under GDPR Article 82 (or equivalent UK or Swiss provisions), or any other liability that applicable law does not permit to be limited by contract.
  • Audit Expense & Confidentiality:Audits are at Customer's expense unless they reveal material non-compliance by Jamdesk, in which case Jamdesk will bear the reasonable cost of the audit. All audit information, reports, and findings are Jamdesk Confidential Information and may only be shared with Customer's auditors under a written confidentiality obligation no less protective than the Agreement's.

Prohibited Data Types

Jamdesk is not designed for and must not be used to process:

  • Protected Health Information (PHI) or data subject to HIPAA or comparable health-data regulations
  • Payment card data beyond what our billing processor (Stripe) handles on our behalf
  • Personal data of children under 16 (or the applicable minimum age in the jurisdiction, which ranges from 13 to 16 in the EEA and UK)
  • Special categories of personal data under GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health, or data concerning a person's sex life or sexual orientation)

Customer agrees not to upload or process such data through the service. Jamdesk disclaims liability for any processing of prohibited data contrary to this restriction and may suspend or terminate the service where such use is identified.

Who Needs a DPA?

You should sign our DPA if:

  • Your organization is based in the EU/EEA or UK
  • You process personal data of EU/EEA or UK residents
  • Your enterprise compliance policies require it
  • You're subject to GDPR, UK GDPR, or similar regulations

Request a DPA

To receive a countersigned Data Processing Addendum, email us at privacy@jamdesk.com with the subject "DPA Request". Please include your company name and address, compliance contact, and your Jamdesk account email. We typically respond within 5 business days of receipt.

Request a DPA

Sub-processors

The authoritative, continuously-updated list of sub-processors — including service, purpose, location, and data categories — is maintained at jamdesk.com/subprocessors. Customer data is primarily stored in the United States; EU-region hosting is not currently offered.

We will notify customers of any changes to sub-processors with at least 30 days' advance notice.

Questions

For questions about our DPA or data processing practices, contact privacy@jamdesk.com.

Data subjects located in the EU/EEA/UK may also lodge complaints with their local data protection authority. A list of EU supervisory authorities is maintained at edpb.europa.eu.

View all legal documents

We use cookies for analytics. Learn more