Data Processing Agreement
Last updated: May 1, 2026
This Data Processing Agreement ("DPA") is part of the Supoid Terms of Service. It governs the processing of personal data we perform on your behalf when you use the Service. It is intended to satisfy GDPR Art. 28 and equivalent provisions of KVKK.
1. Definitions
- Customer — the workspace owner / organisation using Supoid (the data controller)
- Supoid — the data processor
- Personal Data — as defined in GDPR Art. 4
- Subprocessor — a third-party processor we engage to provide part of the Service
2. Roles
For Personal Data submitted to the Service by you or your end users, you are the controller and Supoid is the processor. For account-level data we collect from you directly (e.g. your sign-up email), Supoid is an independent controller — see our Privacy Policy.
3. Subject matter, duration, nature, purpose
- Subject matter — provision of customer feedback, public roadmap, and changelog SaaS
- Duration — for as long as your subscription is active, plus the deletion grace window
- Nature — hosting, AI clustering, email notifications, public publishing
- Purpose — to enable you to collect, organise, and publish customer feedback
4. Categories of data subjects + data
Data subjects: your team members; your customers and end users who submit feedback, vote, or comment.
Personal Data: name, email, optional profile data, free-text feedback bodies and comments. We do not process special category data intentionally; you must not knowingly submit it.
5. Subprocessors
Our current subprocessor list is published at /privacy and is updated whenever we add or remove a subprocessor. We give workspace owners at least 14 days' advance notice of any new subprocessor by email. You may object in writing to a new subprocessor; if we cannot resolve the objection, you may terminate the Service for cause and we will refund any prepaid amounts for the unused term.
6. Security measures
Technical and organisational measures are described on our Security page. In summary: TLS 1.3 in transit; AES-256-GCM at rest for sensitive fields; Argon2id password hashing; row-level security on every user-data table; principle of least privilege for staff access; daily encrypted backups with point-in-time recovery; comprehensive audit logging.
7. Breach notification
We notify affected workspace owners and the relevant supervisory authority within 72 hours of becoming aware of a Personal Data breach, with the information required by GDPR Art. 33.
8. Audit rights
Once per calendar year (more often after a security incident), Customer may audit Supoid's compliance via documented review of certifications and policies. On-site audits are not available given the scale of the operation; if you require third-party penetration test reports we will share what is available under NDA.
9. International transfers
Where Personal Data is transferred outside the EEA or Türkiye, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and, where the recipient is certified under it, the EU-US Data Privacy Framework.
10. Data return and deletion
On termination you may export all data via Settings → Account → Export my data or via the public REST API. After 30 days from termination, all Personal Data is permanently erased from production systems; backups age out within 7 days of that.
11. Acceptance
By using a paid Supoid plan, the Customer is deemed to accept this DPA. Workspace owners can additionally record explicit acceptance by signing it digitally — email privacy@supoid.com for a countersigned copy.