Data Processing Addendum
Effective: July 16, 2026 · Last updated: July 16, 2026
This Data Processing Addendum (“DPA”) forms part of the ConductLoop Terms of Use and applies to the extent ConductLoop (“we”, “us”, “our”) processes Personal Data on behalf of a customer (“you”, “Controller”) in connection with the ConductLoop Service.
ConductLoop is local-first by design: the desktop app stores and processes your data on your own computer and does not transmit it to our servers. This DPA covers only the limited processing we do on our infrastructure — primarily license validation and, when applicable, transactional email for billing.
1. Definitions
- “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
- “Standard Contractual Clauses” means the 2021 EU Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914).
- “Sub-processor” means any third party engaged by ConductLoop to process Personal Data on its behalf.
2. Roles
For Personal Data you submit through the Service (e.g., your email address at checkout), you are the Controller and ConductLoop is the Processor. For Personal Data we collect independently (e.g., website analytics), ConductLoop is the Controller; see our Privacy Policy.
3. Scope, nature, and purpose of processing
- Scope: limited to license validation, transactional email, and customer support correspondence.
- Nature: receipt, storage, retrieval, and transmission of Personal Data as required to operate the Service.
- Purpose: providing the Service, validating subscription entitlements, sending billing and product emails you opt into, and responding to support requests.
- Categories of Data Subjects: ConductLoop customers and, where you provide their email, your team members (e.g., shared license seats).
- Categories of Personal Data: email address, billing country, license key hash, machine identifier, activation count, and the contents of any direct support correspondence.
4. Processor obligations
ConductLoop will:
- Process Personal Data only on your documented instructions, including with regard to international transfers.
- Ensure that persons authorized to process Personal Data are committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including encryption in transit (TLS 1.2+) and at rest (AES-256-GCM), least-privilege access controls, and routine backups.
- Engage sub-processors only with your prior specific or general authorization, and notify you of any intended changes so you have the opportunity to object.
- Assist you, taking into account the nature of the processing, by appropriate technical and organizational measures, in fulfilling your obligations to respond to Data Subject requests (Articles 12–22 GDPR).
- Assist you in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA).
- At your choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow audits, including inspections, conducted by you or another auditor mandated by you.
5. Sub-processors
You authorize ConductLoop to engage the following sub-processors. We will notify you at least 30 days before adding or replacing any sub-processor so you can object for legitimate reasons.
- Stripe — payment processing (US/EU)
- Resend — transactional email (US)
- Cloudflare — license worker hosting (global edge network)
- GitHub — auto-update channel and issue tracker (US)
- Google Analytics — website analytics (only with consent, US)
6. International data transfers
ConductLoop is operated from the European Economic Area (Spain). Where Personal Data is transferred outside the EEA to a country not recognized by the European Commission as providing an adequate level of protection, we rely on the Standard Contractual Clauses (Module 2: Controller-to-Processor) or another lawful transfer mechanism. You can request a signed copy of the SCCs at privacy@conductloop.com.
7. Personal data breach notification
ConductLoop will notify you without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach affecting your Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
8. Data Subject requests
ConductLoop will promptly forward to you any request received directly from a Data Subject relating to Personal Data we process on your behalf, and will not respond to such requests except to acknowledge receipt and direct the Data Subject to you, unless you instruct us otherwise in writing.
9. Liability
The liability of the parties arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the ConductLoop Terms of Use.
10. Order of precedence
In the event of any conflict between this DPA and the Terms of Use with respect to the processing of Personal Data, this DPA prevails.
11. Changes
We may update this DPA; material changes will be reflected by the “Last updated” date above. If changes are significant, we'll notify active subscribers at least 30 days before they take effect.
12. Signature
By using the Service, you agree to this DPA. If you would like a countersigned DPA on file (recommended for enterprise procurement), email privacy@conductloop.com and we'll send a DocuSign envelope within 2 business days.
Contact
Data protection questions? Email privacy@conductloop.com.