Data Processing Addendum
This DPA supplements the IndexDock Terms of Service and governs how we process personal data when we act as a processor on behalf of customers.
We process personal data only on the controller’s documented instructions.
Subprocessors are vetted, within the EU/EEA or under adequate safeguards.
Encryption in transit and at rest, with role-based access and MFA.
Purpose
This Data Processing Addendum supplements the IndexDock Terms of Service. It governs the processing of personal data that occurs when we act as a processor on behalf of customers who use IndexDock Analyzer or related deliverables.
Parties
- Data processor: AIR SCULPT LLC (ТОВ «АІР СКУЛЬПТ»), registry code 40911978, Honty Ivana St 2, office 1, 07400 Brovary, Kyiv region, Ukraine.
- Data controller: the customer specified in the order form, contract, or written request.
Subject matter & duration
We process personal data solely to deliver the contracted IndexDock services. Processing lasts for the term of the underlying agreement plus any retention periods required by law or documented instructions.
Nature of processing
Typical activities include ingesting URLs to audit, capturing technical metrics, storing analyser outputs, collaboration on remediation roadmaps, and providing customer support.
Categories of data & data subjects
- Contact information for customer personnel (name, work email, role).
- Website telemetry necessary to produce audits (URL, crawl diagnostics, performance timing).
- Optional notes supplied by the customer in tickets or documents.
- End-users of the customer’s website may be indirectly referenced in logs and analytics.
Processor obligations
- Process data only on documented instructions from the controller.
- Ensure personnel authorised to process data are subject to confidentiality undertakings.
- Implement the technical and organisational measures listed in Section 7.
- Keep a record of processing activities performed on behalf of the controller.
- Assist the controller with data subject requests and DPIAs where reasonably required.
Security measures
- Segregated production environments with role-based access control and MFA.
- Encryption in transit (TLS 1.2+) and at rest for databases and backups.
- Continuous monitoring, logging, and automated alerting for anomalies.
- Vendor due diligence and contractual controls for approved subprocessors.
- Regular vulnerability management, including penetration testing and patching.
Subprocessors
We rely on vetted infrastructure providers (cloud hosting, error monitoring, analytics) within the EU/EEA or with adequate safeguards. A current list is available upon request at privacy@indexdock.com. We will notify customers before adding or replacing subprocessors and provide the opportunity to object on reasonable grounds.
Data subject rights
If we receive a request directly from a data subject connected to the customer, we will promptly forward it to the controller and provide reasonable assistance so the controller can comply with GDPR obligations.
Data breaches
In the event of a personal data breach, we will notify the controller without undue delay after becoming aware of the incident, share relevant information, and cooperate on remediation.
Return or deletion of data
Upon termination of the services, we will delete or return personal data in accordance with the controller’s instructions unless retention is required by EU or member state law.
Governing law
This DPA is governed by Ukrainian law and the competent courts of Ukraine have exclusive jurisdiction.
Contact for data processing matters
AIR SCULPT LLC (ТОВ «АІР СКУЛЬПТ») — support@indexdock.com — Honty Ivana St 2, office 1, 07400 Brovary, Kyiv region, Ukraine
Data processing matters?
For subprocessor lists, DPA signature, or any processing question, contact our team.