Data Processing Addendum (DPA), Sub-processors, and EU Data Transfers

Summary: Adalo's Terms of Use include a Data Processing Addendum (DPA) that covers GDPR Article 28 obligations, EU-to-US transfer mechanisms via Standard Contractual Clauses (SCCs), and a current list of sub-processors. No separate signature is required. This article explains each component and where to find the full documents.

Who this is for: Adalo customers who process personal data of users in the EU, EEA, UK, or other regulated jurisdictions and need documentation for their own compliance records.

Does Adalo have a Data Processing Addendum (DPA)?

Yes. Adalo's Terms of Use include a Data Processing Addendum (DPA) that forms part of the Terms you accepted upon account creation. No separate signature is required, and the DPA applies automatically to every Adalo customer.

The DPA may also be referred to as a Data Processing Agreement. Both terms refer to the same document.

Who is the Data Controller and who is the Data Processor?

Under Adalo's DPA and GDPR Article 28:

• You (the Adalo customer) are the Data Controller of personal data processed through your app. You decide what data is collected and why.

• Adalo is the Data Processor, processing that data on your behalf and only on your documented instructions.

• End users of your app are the Data Subjects.

What does Adalo's DPA cover?

The DPA sets out Adalo's commitments as a Data Processor, including:

• Processing data only on your documented instructions

• Technical and organizational security measures (detailed in Schedule 3 of the DPA)

• Engagement and management of sub-processors, with notification of new sub-processors

• Assistance with data subject rights requests, including access, correction, and deletion

• Personal data breach notification without undue delay

• Assistance with Data Protection Impact Assessments (DPIAs)

• Deletion or return of customer personal data within 20 days of service cessation

• Audit rights to verify compliance

How are EU-to-US data transfers handled?

Transfers of personal data from the EU, EEA, or UK to the United States are governed by the Standard Contractual Clauses (SCCs), specifically the Controller-to-Processor module. The SCCs are attached as Schedule 4 of Adalo's DPA and apply automatically. You do not need to execute or sign them separately.

The SCCs are the European Commission-approved mechanism for lawful transfer of personal data outside the EU/EEA.

Who are Adalo's sub-processors?

A sub-processor is a third-party service that processes personal data on Adalo's behalf in order to deliver the Adalo service. The current sub-processors, as listed in Schedule 2 of the DPA, are:

• Amazon Web Services

• Heroku

• Imgix

• SendGrid

• Stripe

• Sentry

• OpenAI

• Mixpanel

• Google Analytics

• Userflow

• Google Workspace

• Slack

How will I be notified if Adalo adds a new sub-processor?

If Adalo engages a new sub-processor, you will be notified by email. The notification window and objection process are set out in the DPA.

To ensure you receive these notifications, keep your account email up to date in your account settings.

Where can I review the full DPA, SCCs, and sub-processor list?

The full text of the DPA, the SCCs (Schedule 4), the security measures (Schedule 3), and the current sub-processor list (Schedule 2) are available in Adalo's Terms of Use.