Data Processing Addendum (DPA)

Version 1.0 • Last updated 7 October 2025

1. Purpose

This Data Processing Addendum supplements the IndexDock Terms of Service. It governs the processing of personal data that occurs when we act as a processor on behalf of customers who use IndexDock Analyzer or related deliverables.

2. Parties

  • Data processor: OÜ b2bspace, registry code 16957970, Veskiposti tn 2-1002, 10138 Tallinn, Estonia.
  • Data controller: the customer specified in the order form, contract, or written request.

3. Subject matter & duration

We process personal data solely to deliver the contracted IndexDock services. Processing lasts for the term of the underlying agreement plus any retention periods required by law or documented instructions.

4. Nature of processing

Typical activities include ingesting URLs to audit, capturing technical metrics, storing analyser outputs, collaboration on remediation roadmaps, and providing customer support.

5. Categories of data & data subjects

  • Contact information for customer personnel (name, work email, role).
  • Website telemetry necessary to produce audits (URL, crawl diagnostics, performance timing).
  • Optional notes supplied by the customer in tickets or documents.
  • End-users of the customer’s website may be indirectly referenced in logs and analytics.

6. Processor obligations

  • Process data only on documented instructions from the controller.
  • Ensure personnel authorised to process data are subject to confidentiality undertakings.
  • Implement the technical and organisational measures listed in Section 7.
  • Keep a record of processing activities performed on behalf of the controller.
  • Assist the controller with data subject requests and DPIAs where reasonably required.

7. Security measures

  • Segregated production environments with role-based access control and MFA.
  • Encryption in transit (TLS 1.2+) and at rest for databases and backups.
  • Continuous monitoring, logging, and automated alerting for anomalies.
  • Vendor due diligence and contractual controls for approved subprocessors.
  • Regular vulnerability management, including penetration testing and patching.

8. Subprocessors

We rely on vetted infrastructure providers (cloud hosting, error monitoring, analytics) within the EU/EEA or with adequate safeguards. A current list is available upon request at privacy@indexdock.com. We will notify customers before adding or replacing subprocessors and provide the opportunity to object on reasonable grounds.

9. Data subject rights

If we receive a request directly from a data subject connected to the customer, we will promptly forward it to the controller and provide reasonable assistance so the controller can comply with GDPR obligations.

10. Data breaches

In the event of a personal data breach, we will notify the controller without undue delay after becoming aware of the incident, share relevant information, and cooperate on remediation.

11. Return or deletion of data

Upon termination of the services, we will delete or return personal data in accordance with the controller’s instructions unless retention is required by EU or member state law.

12. Governing law

This DPA is governed by Estonian law and the competent courts of Estonia have exclusive jurisdiction.

Contact for data processing matters

OÜ b2bspace — support@indexdock.com — Veskiposti tn 2-1002, 10138 Tallinn, Estonia