Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Available ApS ("Processor", "we", "Available") and the customer identified as the workspace owner ("Controller", "you"). It applies whenever you (the controller) instruct Available (the processor) to process personal data contained in your workspace.

In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal-data processing.

Subject matter: processing of personal data contained in tickets, end-user records (requesters), organizations, knowledge-base articles, audit logs, and any other workspace content you submit or allow to be ingested.

Duration: for the life of your subscription, plus the 30-day soft-delete window after workspace deletion, plus the legal retention period specified in the Privacy Policy. Backups are overwritten on a rolling basis and fully expire within 35 days of deletion.

We process personal data only to provide the helpdesk service: routing and resolving tickets, running the AI features you enabled, delivering notifications, generating analytics dashboards for you, and fulfilling billing and audit obligations.

We do not use your personal data for our own purposes, we do not sell data, and we do not use your private workspace content to train AI models.

Data subjects: your end users (people emailing your support or chatting with your widget), your employees who use the workspace (agents, admins), and occasionally third parties named in ticket content.

Categories: contact data (name, email, optional phone), communication content (ticket bodies, messages, side-conversation messages), limited behavioral data (ticket status, AI classifications, SLA timing), and any personal data your end users voluntarily include in their messages to your team.

You agree not to submit special-category data (Art. 9 GDPR — health, biometric, political opinions, etc.) without first notifying Available and agreeing additional safeguards in writing.

Available commits to:

• Process personal data only on your documented instructions.
• Ensure personnel authorized to process personal data have committed to confidentiality.
• Implement appropriate technical and organizational security measures (see §7).
• Help you respond to data-subject requests within a reasonable timeframe.
• Notify you without undue delay after becoming aware of a personal-data breach.
• Delete or return all personal data at the end of the processing relationship, subject to legal retention obligations.
• Make available the information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits (see §9).

You grant Available general authorization to engage subprocessors for specific processing tasks (infrastructure hosting, email delivery, LLM inference, payment processing, etc.). The current list is maintained at /subprocessors.

We will notify you at least 30 days before adding or replacing a subprocessor. You may object in writing on reasonable grounds; if we cannot accommodate the objection, you may terminate the affected subscription without penalty by providing written notice before the change takes effect.

Available remains fully liable to you for any subprocessor's acts or omissions as if they were our own.

Our technical + organizational measures include:

• Isolation: Postgres row-level security enforced at the database layer, not only the app layer. The application role cannot bypass RLS.
• Encryption in transit: TLS 1.2+ everywhere, HSTS on all endpoints, DKIM + SPF on outbound email.
• Encryption at rest: AWS-managed encryption on RDS and S3. Secrets in AWS Secrets Manager.
• Access controls: least-privilege IAM; no personal credentials shared; SSO + MFA for Available staff; session timeouts.
• Audit trail: every mutating action (human, AI, or system) is logged with actor, subject, and cause, retained for the life of the workspace.
• Backups: daily automated backups with 30-day point-in-time recovery.
• Monitoring + incident response: 24/7 alerting on error + security events; documented incident-response runbook.

Primary processing happens in the EU (AWS Ireland or Stockholm, at your choice). Where a subprocessor is outside the EU (see the subprocessors list), transfers are covered by EU Standard Contractual Clauses (2021 SCCs, Module Two: Controller-to-Processor), supplemented where applicable by the EU–US Data Privacy Framework.

Available makes available to you, on request and with at least 30 days' written notice, the information needed to demonstrate compliance with GDPR Art. 28. This typically takes the form of our most recent security documentation (policies, pen-test summary, and — where applicable — SOC 2 / ISO 27001 reports when we publish them).

You may conduct an on-site audit no more than once per year, at mutually agreed times, at your expense. We'll require you to sign an NDA and coordinate so the audit doesn't disrupt service to other customers.

When a data subject contacts Available directly about workspace data, we will forward the request to you without delay; you are the controller and responsible for responding within GDPR timelines.

For account data (owners, admins, agents) where Available is the controller, we respond directly to the data subject.

In the event of a confirmed personal-data breach affecting your workspace, Available will notify the workspace owner without undue delay — and in any case within 72 hours of confirming the breach — with:

• The nature of the breach and categories of data affected.
• Likely consequences and steps we've taken to mitigate.
• A contact person for follow-up questions.

On termination, you have 30 days to export your data. After that window we begin deletion: a 30-day soft-delete period where the workspace is recoverable, followed by hard-delete of primary storage. Backups containing your data are purged within 35 days of the hard delete by natural rotation.