Legal
Data Processing Agreement
GDPR-compliant terms for the processing of personal data.
Last updated · 2026-05-19
1. Subject matter
This DPA forms part of the Terms of Service between you (the "Controller") and polimorf (the "Processor"). It governs the processing of personal data by us on your behalf.
2. Nature and purpose
We process personal data to provide the Service: hosting, transmission, backup, support, and operational analytics. Processing is limited to what is necessary to deliver the Service.
3. Data categories
- Identification data (name, email).
- Account credentials (password hash, MFA secrets).
- Workspace content provided by you or your end users.
- Technical logs (IP, user-agent, timestamps).
4. Sub-processors
A current list of sub-processors is maintained at polimorf.com/trust. We will provide at least 30 days' notice before engaging a new sub-processor.
5. Security measures
We maintain technical and organizational measures including: encryption in transit and at rest, role-based access control, MFA on admin systems, audit logging, regular vulnerability scanning, and incident-response runbooks. See our Security overview.
6. International transfers
Personal data may be transferred outside the EEA or UK only where adequate safeguards apply, including Standard Contractual Clauses.
7. Data subject rights
We assist the Controller in responding to data subject requests via built-in export, deletion, and access tooling and via direct support.
8. Breach notification
We notify the Controller of any personal data breach without undue delay and within 72 hours where required by law.
9. Return and deletion
Upon termination, Customer Content is available for export for 30 days, after which it is deleted. Backups roll off within a further 30 days.
10. Audits
The Controller may request, no more than once per year, documentation demonstrating our compliance. Independent audit reports are made available on request under NDA.
Questions?
Reach the team at legal@polimorf.com or through the contact form.