Overview
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and Juble.io ("Processor") and governs how Juble.io processes personal data on your behalf.
By accepting the Terms of Service, you also accept this DPA. No separate signature is required. If your organization requires a countersigned copy for your records, contact support@juble.io.
Precedence: In the event of any conflict or inconsistency between this DPA and any other agreement between the parties (including any Master Service Agreement, order form, or customer-provided terms), this DPA takes precedence with respect to the subject matter of data processing. Where the parties have executed EU Standard Contractual Clauses (SCCs), the SCCs take precedence over this DPA solely to the extent required by applicable data protection law; in all other respects, this DPA governs.
Effective date: May 22, 2026
Last updated: May 23, 2026
1. Subject matter and duration
Processor processes personal data solely to provide the services described in the Terms of Service for the duration of your active subscription. Processing continues for limited post-termination periods (up to 90 days) needed for secure offboarding, deletion, and legal obligation fulfillment. All personal data is either returned or deleted at termination (Controller's choice), unless retention is required by law.
2. Nature and purpose of processing
Processing includes:
- Hosting and storage on secure cloud infrastructure (Google Cloud Platform / Firebase)
- Transmission and delivery of data through platform APIs and webhooks
- Transformation and analysis required to provide SaaS features
- Support operations (ticket handling, debugging, service improvements)
- Audit logging and compliance evidence collection
Processing is conducted solely on Controller's documented instructions and only to the extent needed to deliver the Services.
3. Categories of personal data and data subjects
Data subjects:
- Controller's user accounts (e.g., agents, admins, support staff)
- Controller's end-users/customers (contained in support tickets, orders, or other workflows)
- Billing and administrative contacts
Categories of personal data:
- Workspace data: Names, email addresses, workspace roles, authentication identifiers, profile information
- End-customer data: Contact information, order/support context, message content, attachments (scoped by Controller's configuration)
- Billing data: Billing contact name, email, invoice metadata (card data handled separately by Stripe; Processor does not store PAN)
- Support data: Support ticket content, communication metadata, attachments (if support integration enabled)
- Operational logs: IP addresses, user agent, API call metadata, authentication events (PII redacted where possible)
4. Controller instructions
Processor processes personal data only on documented instructions from Controller, as specified in this DPA, the Terms of Service, and any written request from an authorized Controller representative. Processor will not process personal data for any other purpose without prior written consent from Controller.
Legal compliance exception: Processor may process personal data without instruction only where required by applicable law (e.g., law enforcement request). Processor will notify Controller of such legal requirement unless prohibited by law.
Illegal instructions: Processor shall immediately inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality and security
Processor ensures that:
- Personnel accessing personal data are bound by confidentiality obligations
- Only personnel with a need-to-know have access to personal data
- Technical and organizational security measures are implemented proportionate to the risk and sensitivity of data, including:
  - Encryption in transit (TLS 1.2+) and at rest
  - Access controls and authentication (e.g., OAuth 2.0, API keys with expiration)
  - Audit logging of data access and changes
  - Regular security assessments and vulnerability scanning
  - Incident response procedures for security breaches
- Subprocessors are contractually bound to equivalent security obligations
Processor maintains documentation of security measures and provides evidence upon reasonable request (subject to commercial confidentiality limitations).
Processor reserves the right to update or modify the specific technical and organizational measures described herein, provided that such updates do not materially decrease the overall security posture of the Services.
6. Subprocessors
Controller acknowledges that Processor uses subprocessors to deliver the Services. The subprocessors listed below are those that may access or process end-customer personal data on Controller's behalf. Processor's own operational tools (billing, support, analytics, session monitoring) are governed separately by Processor's Privacy Policy and are not listed here.
Public subprocessor register: juble.io/compliance/subprocessors
| Vendor | Purpose | Legal basis |
|---|---|---|
| Google Cloud Platform / Firebase | Core data storage, authentication, messaging, and logging for end-customer data | Google DPA + SCCs |
| SendGrid (Twilio) | Processing email channel data (incoming and outgoing messages via email integrations) | Twilio DPA + SCCs |
| Customer-configured helpdesks (Zendesk, HubSpot, Gorgias, Intercom, etc.) | Message and workflow integrations configured by Controller | Customer-controlled integration terms |
Processor will notify Controller of any changes to subprocessors at least 30 days in advance. Controller has the right to object to subprocessor changes on reasonable grounds related to data protection.
7. International transfers
Processor operates on Google Cloud Platform with infrastructure potentially spanning multiple regions. Where personal data is transferred outside the EEA, UK, or other data protection jurisdictions:
- Processor applies recognized transfer mechanisms (Standard Contractual Clauses, UK Addendum, Binding Corporate Rules) as appropriate
- Processor relies on the transfer adequacy mechanisms published by Google Cloud (cloud.google.com/security/gdpr)
- Processor will notify Controller if legal changes (e.g., court decisions invalidating transfer mechanisms) materially affect compliance
Processor implements supplementary safeguards (encryption, pseudonymization, access controls) where feasible to mitigate transfer risks.
8. Data subject rights and assistance
Processor will assist Controller in fulfilling data subject requests (access, correction, deletion, portability, objection, restriction) through appropriate technical and organizational measures:
- Access requests: Processor provides data export or read access through the platform API (if available)
- Deletion/erasure requests: Processor deletes personal data from primary systems within 30 days of confirmed request (subject to legal holds, backups, or contractual obligations)
- Portability requests: Processor exports data in a structured, commonly used format
- Correction requests: Controller can update data directly in the platform or request Processor assistance
Response time: Processor aims to fulfill requests within 10 business days of receiving a valid, verified request from Controller. Controller is responsible for verifying data subject identity and obtaining necessary consent/authority.
Data subjects may contact Processor directly at support@juble.io for privacy requests; Processor will coordinate with Controller as needed.
9. Security incidents and breach notification
If Processor becomes aware of a personal data breach affecting Controller data, Processor will:
- Notify Controller without undue delay (target: within 24 hours of discovery)
- Provide a summary of: the nature and scope of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed to address harm
- Provide reasonable cooperation for Controller's notification to data subjects, regulators, or media as required by law
- Preserve evidence and conduct a timely investigation
Processor maintains an incident response procedure and will document all incidents in the audit trail.
10. Return or deletion of personal data
Upon termination or expiration of the Services Agreement, Processor will:
- At Controller's election: Delete or return all personal data (excluding backups, which follow normal backup lifecycle)
- Retention exceptions: Retain personal data only where required by law (tax records, legal holds, regulatory requirements), documented with expiry dates
- Timeline: Complete deletion/return within 90 days of termination
- Certification: Provide written certification of deletion upon request
Processor reserves the right to retain fully anonymized and aggregated data for service improvement and compliance purposes after termination.
Retention schedule
| Data type | Retention period | Deletion method |
|---|---|---|
| File objects and attachments | 14 days | Automatic lifecycle deletion from GCP storage |
| Email integration data | 90 days (actively being reduced) | Automatic deletion job |
| All end-customer data | Deleted on account termination | Purged from primary storage within 90 days of termination |
11. Audit and compliance
Processor will provide information and documentation reasonably necessary for Controller to demonstrate compliance with GDPR, including:
- Copy of this DPA
- Information on personnel confidentiality and access controls
- Details of security incidents and responses
- Proof of data deletion or return
- Subprocessor list and their DPAs
Audit rights: Processor permits Controller or an independent auditor to audit Processor's compliance with this DPA upon at least 14 days' notice, subject to confidentiality protections and a maximum of once per calendar year unless required by a regulator. Processor may satisfy audit requests through evidence (audit reports, security assessments) without requiring on-site inspection.
12. Liability
Processor's liability under this DPA is subject to the limitations set out in the Terms of Service.
Processor is not liable for Controller's instructions that violate GDPR, nor for risks inherent to international transfers that Controller accepts when engaging internationally-hosted services.
13. Governing law
This DPA is governed by the laws of the State of New Jersey, USA, consistent with the governing law in the Terms of Service.
Disputes regarding this DPA will be resolved per the dispute resolution process in the Terms of Service. Either party may escalate to their respective data protection authority if necessary.
14. Contact
For DPA inquiries, data subject requests, or to request a countersigned copy:
Juble.io
Wharton, NJ 07885
support@juble.io