Data Processing Agreement

Last updated: 15 May 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Raymond Demarteau (Teamdock) and the store operator ("you", "Controller"). By signing up for Teamdock you accept this DPA. It is binding on both parties without requiring a separate signature.

1. Parties

  • Processor: Raymond Demarteau, operating as Teamdock, Netherlands — legal@teamdock.ai
  • Controller: The store operator who has created a Teamdock workspace (identified by the email address and company name provided at registration).

2. Subject matter and duration

Teamdock processes personal data on behalf of the Controller to provide the Teamdock order management and customer support platform. Processing begins when the workspace is provisioned and continues until the subscription is terminated. Upon termination, data is deleted within 30 days as specified in clause 9.

3. Nature and purpose of processing

Teamdock processes personal data for the following purposes on the Controller's documented instruction:

  • Synchronising order and customer data from the Controller's WooCommerce store
  • Storing and displaying support tickets, email messages, and WhatsApp conversations
  • AI-assisted analysis of support tickets (summarisation, reply suggestions, intent detection) — only when enabled by the Controller
  • Creating WooCommerce customer accounts on behalf of the Controller's staff
  • Automatically archiving and deleting ticket data according to the retention schedule configured by the Controller

4. Categories of personal data processed

| Category | Examples |
|---|---|
| Identity | First name, last name, company name |
| Contact details | Email address, phone number |
| Address details | Billing address, shipping address, postal code |
| Order details | Order numbers, products, amounts, payment method, order status |
| Support content | Email content, WhatsApp messages, ticket replies, attachments |
| VAT number | EU VAT number (if provided for B2B orders) |

Data subjects are the Controller's store customers. Teamdock does not process special categories of personal data (Art. 9 GDPR) and the Controller must not submit such data to the platform.

5. Processor obligations

In accordance with Article 28(3) GDPR, Teamdock shall:

5.1 Instruction

Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law. In such a case, Teamdock shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest.

5.2 Confidentiality

Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security (Art. 32 GDPR)

Implement and maintain appropriate technical and organisational measures, including:

  • Encryption of data in transit (HTTPS/TLS 1.2+)
  • Encryption of sensitive session credentials at rest (AES-256-GCM)
  • Per-tenant database isolation — no data is shared between workspaces
  • Automatic ticket archival and deletion according to configured retention periods
  • CSRF protection on all write operations
  • Rate limiting on authentication endpoints and API calls
  • Access restricted to authenticated staff with appropriate WordPress roles
  • Auth credentials and PII automatically omitted from application logs

5.4 Sub-processors

Not engage another processor (sub-processor) without prior written authorisation of the Controller. By accepting this DPA the Controller grants general written authorisation for the sub-processors listed in Annex A. Teamdock will notify the Controller of any intended changes concerning the addition or replacement of sub-processors by updating Annex A and providing at least 14 days' notice by email, giving the Controller the opportunity to object.

5.5 Data subject rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under Chapter III of the GDPR. Teamdock provides the following tools:

  • Art. 15/20 (Access/Portability): JSON data export available via the admin panel
  • Art. 17 (Erasure): Customer data purge via the admin panel; ticket deletion via retention settings
  • Art. 18 (Restriction): Tickets can be individually excluded from AI processing

5.6 Security breach assistance

Assist the Controller in ensuring compliance with obligations pursuant to Articles 32–36 GDPR, taking into account the nature of processing and the information available to Teamdock. In the event of a personal data breach affecting Controller's data, Teamdock will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent to the email address on the Controller's account.

5.7 Deletion and return

At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data. Upon subscription cancellation, all workspace data is deleted within 30 days. The Controller may request a JSON export of their data at any time before deletion.

5.8 Audit rights

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller may request a compliance summary by emailing legal@teamdock.ai. On-site audits require 30 days' notice and are subject to reasonable scheduling.

6. Controller obligations

The Controller shall:

  • Ensure a lawful basis exists under GDPR for processing their store customers' personal data through Teamdock
  • Maintain and publish an accurate privacy notice to their store customers describing how their data is processed
  • Not submit special categories of personal data (Art. 9 GDPR) to the platform without implementing additional safeguards
  • Configure appropriate data retention periods in their workspace settings
  • Ensure their staff members are aware of data protection obligations when using the platform
  • Notify Teamdock promptly if they become aware of any potential data protection issue arising from use of the platform

7. International data transfers

All personal data is stored on EU servers (Hetzner, Germany). Transfers to non-EEA countries only occur when the Controller has enabled an AI provider (OpenAI, Google Gemini, or Groq). All such transfers are governed by Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914. The Controller's acceptance of this DPA constitutes authorisation for these transfers under the conditions set out in Annex A.

8. Governing law

This DPA is governed by the laws of the Netherlands. Any dispute arising from this DPA shall be submitted to the competent court in the Netherlands.

9. Term and termination

This DPA remains in force for the duration of the subscription. Upon termination, Teamdock's obligation to process the Controller's data ceases and all data is deleted within 30 days in accordance with clause 5.7.

Annex A — Approved sub-processors

Last updated: 15 May 2026. The Controller authorises the use of the following sub-processors. Changes are communicated by email with 14 days' notice.

| Sub-processor | Purpose | Location | Transfer mechanism | Required? |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure — servers and storage hosting all workspace databases | Germany (EU) | No transfer outside EU | Mandatory |
| OpenAI Ireland Ltd | AI ticket analysis: ticket subject, body, customer name, email, order summary, FAQ content | US | SCCs (EU Decision 2021/914) | Optional — only if AI provider is set to OpenAI in workspace settings |
| Google LLC (Vertex AI / Gemini) | AI ticket analysis: same data fields as above | US | SCCs (EU Decision 2021/914) | Optional — only if AI provider is set to Gemini in workspace settings |
| Groq, Inc. | AI ticket analysis: same data fields as above | US | SCCs (EU Decision 2021/914) | Optional — only if AI provider is set to Groq in workspace settings |

Payment card data is processed by Stripe, Inc. (US, SCCs) solely for billing purposes and is not part of the controller-processor relationship under this DPA.

Annex B — Technical and organisational measures (Art. 32 GDPR)

Teamdock implements the following measures:

| Area | Measure |
|---|---|
| Transit encryption | HTTPS/TLS 1.2+ on all connections; HSTS enforced |
| At-rest encryption | Session credentials encrypted AES-256-GCM; disk-level encryption on Hetzner volumes |
| Tenant isolation | Each tenant runs in a dedicated Docker container with its own MariaDB instance on a private network |
| Access control | Authentication via WordPress session + HMAC-SHA256 tokens; role-based access (administrator / shop_manager) |
| Session security | Cookies: HttpOnly, Secure, SameSite=Lax; CSRF tokens on all state-changing requests |
| Rate limiting | Login attempts and API calls rate-limited per IP |
| Log hygiene | Auth headers, tokens, passwords, and PII fields automatically redacted from application logs |
| Data minimisation | Automatic archival after 365 days and permanent deletion after 730 days (configurable by Controller) |
| Backups | Nightly encrypted database backups stored on the same EU infrastructure |

Contact

Questions about this DPA or to submit a data protection request:
Raymond Demarteau
legal@teamdock.ai