Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Available ApS ("Processor", "we", "Available") and the customer identified as the workspace owner ("Controller", "you"). It applies whenever you instruct Available to process personal data contained in your workspace.

If this DPA conflicts with the main service terms, this DPA governs for matters relating to personal-data processing.

Subject matter: processing of personal data contained in tickets, requester records, organizations, knowledge-base articles, audit logs, and any other workspace content you submit or allow to be ingested.

Duration: for the life of your subscription, plus the 30-day soft-delete window after workspace deletion, plus any legal retention described in the Privacy Policy. Backups expire on a rolling basis and are fully overwritten within 35 days of deletion.

We process personal data only to provide the helpdesk service: routing and resolving tickets, running the AI features you enable, delivering notifications, generating analytics for you, and meeting billing and audit obligations.

We do not sell your data, and we do not use private workspace content to train AI models.

Data subjects include your end users, your employees using the workspace, and occasionally third parties mentioned in ticket content.

Categories include contact details, communication content, limited workflow and status data, AI classifications, SLA timing, and any personal data your end users voluntarily include in messages to your team.

You agree not to submit special-category data under GDPR Art. 9, such as health data, biometric data, or political opinions, unless you have notified Available in advance and agreed additional safeguards in writing.

Available commits to:

• Process personal data only on your documented instructions.
• Ensure personnel authorized to process personal data are bound by confidentiality.
• Implement appropriate technical and organizational security measures.
• Help you respond to data-subject requests within a reasonable time.
• Notify you without undue delay after becoming aware of a personal-data breach.
• Delete or return personal data at the end of the processing relationship, subject to legal retention duties.
• Provide the information reasonably needed to demonstrate compliance with GDPR Art. 28.

You give Available general authorization to use subprocessors for specific tasks such as infrastructure hosting, email delivery, LLM inference, and payment processing. The current list is maintained at /subprocessors.

We will notify you at least 30 days before adding or replacing a subprocessor. You may object in writing on reasonable grounds. If we cannot accommodate the objection, you may terminate the affected subscription without penalty before the change takes effect.

Available remains fully liable to you for any subprocessor's acts or omissions as if they were our own.

Our technical and organizational measures include:

• Isolation: Postgres row-level security at the database layer, not only in application code.
• Encryption in transit: TLS 1.2+ everywhere and HTTPS-only endpoints.
• Encryption at rest: AWS-managed encryption on primary storage and backups.
• Access controls: least-privilege access, controlled staff access, and strong authentication.
• Audit trail: every mutating action by a human, AI, or system is logged.
• Backups: automated backups with time-limited retention and recovery procedures.
• Monitoring and incident response: alerting plus an internal incident-response process.

Primary processing happens in the EU. Where a subprocessor is outside the EU, as described on the subprocessors list, transfers are covered by EU Standard Contractual Clauses and supplemented by the EU-US Data Privacy Framework where applicable.

Available will, on request and with reasonable notice, provide information needed to demonstrate compliance with GDPR Art. 28. This will usually be security documentation, policies, summaries of external testing, or other evidence we have available.

If you need a deeper audit, it must be coordinated in advance, carried out at your expense, and not disrupt service to other customers. We may require an NDA before sharing sensitive security material.

If a data subject contacts Available directly about workspace data, we will forward the request to you without undue delay. You remain the controller and are responsible for responding within GDPR timelines.

For account data where Available acts as controller, we respond directly ourselves.

If we confirm a personal-data breach affecting your workspace, we will notify the workspace owner without undue delay and include at least:

• The nature of the breach and categories of data affected.
• Likely consequences and the mitigation steps taken.
• A contact point for follow-up questions.

When the service ends, you get a reasonable window to export your data. After that we begin deletion: first a soft-delete period where recovery is still possible, then hard deletion of primary storage. Backups containing your data disappear through normal rotation within a limited retention period.