AdvDesk

Data Processing Agreement

Effective date: 30 April 2026 · Last updated: 30 April 2026

This Data Processing Agreement ("DPA") supplements our Terms of Service for customers ("Customer") on the Team or Enterprise plan whose use of AdvDesk involves the processing of personal data subject to GDPR or similar laws. By subscribing to a Team or Enterprise plan, Customer accepts this DPA as part of the contract. Enterprise customers may execute a counter-signed copy on request.

Need a signed copy? Email privacy@advcode.net with your company details and we will return a counter-signed PDF, typically within two business days.

Preamble

In the course of providing the AdvDesk service, ADV ("Processor") may process personal data on behalf of Customer ("Controller"). The parties enter into this DPA to ensure that processing complies with the EU General Data Protection Regulation 2016/679 ("GDPR"), the Egyptian Personal Data Protection Law (Law No. 151 of 2020, "PDPL"), and any other applicable data-protection law (collectively, "Data Protection Law").

1. Definitions

Capitalized terms not defined here have the meaning given in GDPR Article 4. "Customer Personal Data" means personal data processed by Processor on behalf of Customer in connection with the AdvDesk service.

2. Subject matter and duration

Subject matter. Processing of Customer Personal Data necessary to provide the AdvDesk service to Customer.

Duration. This DPA applies for the term of Customer's subscription, plus any post-termination period necessary to return or delete data as set out in Section 12.

3. Nature and purpose of processing

The nature of processing consists of providing a hosted remote-desktop relay, account management, billing, and related operational support. The purpose is the performance of the contract between Customer and Processor.

4. Categories of data subjects and personal data

Data subjects include:

  • Customer's employees, contractors, and other authorized end users who connect to or from AdvDesk hosts under Customer's account.
  • Members of Customer's team invited via the team-management feature.

Categories of personal data processed:

  • Identity data: email address, optional display name.
  • Authentication data: bcrypt password hash, 2FA secret (encrypted at rest), session tokens.
  • Connection metadata: AdvDesk peer IDs, session start/end timestamps, total byte counts.
  • Technical data: source IP address, User-Agent string.
  • Billing data: customer ID and last four digits of payment card (no full card numbers; full card data is processed by Stripe directly).

Special categories (GDPR Article 9): Customer agrees not to use AdvDesk to intentionally process special categories of personal data unless agreed in writing in advance.

5. Controller and Processor

With respect to Customer Personal Data processed for the purpose of providing AdvDesk to Customer, Customer is the Controller and Processor acts as Processor (or sub-processor, where Customer is itself a processor acting for its own controller).

Processor processes Customer Personal Data only on documented instructions from Customer, including those set out in the Terms of Service, this DPA, and the AdvDesk dashboard. Processor will inform Customer if, in its opinion, an instruction infringes Data Protection Law.

6. Processor obligations

Processor shall:

  • Confidentiality. Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Security. Implement appropriate technical and organizational measures (TLS 1.2+ in transit, bcrypt cost-12 password hashing, encrypted backups, principle of least privilege, annual access reviews) to ensure a level of security appropriate to the risk, as required by GDPR Article 32.
  • Cooperation. Reasonably assist Customer in responding to data-subject requests (Section 11), conducting Data Protection Impact Assessments where required, and consulting with supervisory authorities where required.
  • Records. Maintain records of processing activities as required by GDPR Article 30(2).

7. Sub-processors

Customer authorizes Processor to engage the sub-processors listed below in connection with the AdvDesk service. Each is bound by a written data processing agreement that imposes obligations no less protective than this DPA.

Sub-processorServiceLocation
Stripe, Inc.Payments and subscription billingUSA / EU
Contabo GmbHServer hosting (production database, relay, web)Frankfurt, Germany
Internet Security Research Group (Let's Encrypt)TLS certificate issuanceUSA
Google LLCOptional Google SSO sign-in (only when end users elect to use it)USA / EU

Processor will notify Customer at least 30 days before adding or replacing a sub-processor. Customer may object to the change for reasonable, documented data-protection reasons; if the parties cannot reach agreement, Customer may terminate the affected service with a pro-rated refund of fees paid for the unused remainder of the term.

8. International transfers

Where Customer Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, the parties rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), which are incorporated by reference into this DPA. The applicable module is Module Two (Controller to Processor). For UK transfers, the UK International Data Transfer Addendum applies.

9. Personal data breach notification

Processor will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Audit rights

Customer (or an independent auditor mandated by Customer) may audit Processor's compliance with this DPA, on at least 30 days' written notice, no more than once per twelve-month period (except where required by a supervisory authority or following a personal data breach). Audits will be conducted during business hours, will not unreasonably interfere with Processor's operations, and will be subject to a mutually acceptable confidentiality agreement. Processor may satisfy audit requests by providing recent third-party audit reports or compliance certifications where reasonably equivalent.

11. Data subject requests

Taking into account the nature of the processing, Processor will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Law (access, rectification, erasure, restriction, objection, portability). Self-service tools available at /account let end users export and delete their own data.

12. Return and deletion of data

On termination or expiry of the subscription, Processor will, at Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by Union or Member State law (e.g. tax / accounting records). Default behaviour is deletion after a 30-day grace period, with permanent purge from production and from backups within 90 days.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law, including direct liability of a controller or processor to a data subject under GDPR Article 82.

Contact

For DPA-related questions or to request a counter-signed copy: privacy@advcode.net.
ADV, Cairo, Egypt.