Data Processing Agreement

Last Updated: Feb 2, 2026

This Data Processing Agreement ("DPA") is an addendum to and forms part of the Terms and Conditions between Entalas, Inc. ("Entalas", "We", "Us", or the "Data Processor") and you, the customer ("You", "Customer", or the "Controller").

By accessing or using our Services, you agree to be bound by this DPA. This agreement details how we process Personal Data on your behalf in connection with the Entalas software platform.

1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable individual as defined in applicable data protection laws.

  • "Data Subject" means an individual identified or identifiable from Personal Data.

  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.

  • "Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

  • "Subprocessor" means any entity appointed by or on behalf of Entalas to process Personal Data on behalf of the Controller.

2. Scope and Details of Processing

We process Personal Data to provide the SaaS platform services described in our Terms and Conditions. Activities include collection, storage, retrieval, transmission, and deletion as required for the service.

Duration: Processing will continue for the term of your subscription or as otherwise required by law.

Categories of Data Subjects

The Personal Data concerns your employees, contractors, and other personnel who access the services.

Types of Personal Data

We process the following types of data:

  • Identity Data: Full name, department.

  • Contact Information: Business email address.

  • Account Data: Account preferences and settings.

  • Usage Data: Login timestamps, session duration, feature utilization metrics, and IP addresses for security purposes.

  • Communication Data: Messages, comments, and other content created within the platform.

  • Technical Data: Device information, browser type, operating system.

  • Audit Data: Access logs, modification history, and security event logs.

Prohibited Data

You acknowledge that the Service is not designed for certain sensitive data. You shall not use the Service to collect, process, or store:

  • Special categories of personal data as defined in GDPR Article 9;

  • Personal data of individuals under 16 years of age;

  • Financial account information;

  • Government-issued identification numbers;

  • Any personal data not expressly listed above.

3. Roles and Responsibilities

Our Obligations (Processor)

We will only process Personal Data on your documented instructions, unless required to do so by law. We ensure that all personnel authorized to process Personal Data are committed to confidentiality. Access to data is limited to personnel who require it for the delivery of services.

Security of Processing

We implement appropriate technical and organizational measures to protect Personal Data as required by Article 32 of GDPR. These measures include, where appropriate: encryption, access controls, secure backup, regular testing, and the ability to restore data availability in a timely manner.

Assistance

We will assist you, as far as possible, in responding to requests from Data Subjects regarding their rights (access, rectification, erasure, portability, etc.). If we receive a request directly from a Data Subject, we will promptly inform you and will not respond except on your instructions or where legally required.

4. Subprocessors

You agree that we may use third-party Subprocessors to support our infrastructure and deliver the Service. We ensure that Subprocessors are bound by equivalent data protection obligations, and we remain liable for their performance.

We will inform you of any changes to Subprocessors, giving you the opportunity to object, within 30 days of notification, on reasonable grounds relating to the protection of Personal Data.

Current Authorized Subprocessors

  • Google LLC (United States): Cloud hosting, infrastructure, identity and authentication management.

  • Nutshell CRM LLC (United States): Customer relationship management and contact data processing.

  • Plausible Analytics (European Union): Basic user analytics (Usage Data).

  • Rollbar, Inc. (United States): Application error monitoring and performance tracking.

5. Data Breaches

We will notify you without undue delay upon becoming aware of a Personal Data Breach involving your data. This notification will include sufficient information to assist you in complying with your reporting obligations. We will cooperate with you in investigating and mitigating the breach.

6. Audit and Compliance

Upon reasonable request, we will provide information necessary to demonstrate compliance with this DPA and GDPR Article 28. We allow for audits or inspections conducted by you or a mandated auditor at reasonable intervals, with reasonable notice, provided they do not unduly disrupt our business operations.

7. Return or Deletion of Data

Upon termination or expiration of the Agreement, we will, at your written choice, return or securely delete all Personal Data, unless retention is required by applicable law. We will ensure deletion of all copies, except for copies retained for legitimate backup purposes, which will be erased according to routine cycles.

8. General Provisions

Conflict: In the event of a conflict between this DPA and the Terms and Conditions, this DPA takes precedence regarding data protection.

Governing Law: This DPA is governed by the laws of the State of Delaware. Any disputes shall be resolved in the courts of the State of Delaware.

Notices: For notices under this DPA, Entalas may be reached at privacy@entalas.com or PO Box 17, Oswego, IL 60543.