Data Processing Agreement

How we handle data, in writing.

GDPR & UK GDPR aligned. Forms part of the agreement when you sign an order form.

Last updated · 2026-05-20

Roles

Customer is Controller; Coffee is Processor. Subject matter is the Coffee workspace service; duration is the agreement term.

Processor obligations

  • Instructions. Process only on documented instructions.
  • Confidentiality. Personnel under written NDAs.
  • Security. TLS 1.2+, AES-256, RBAC, audit logs, region isolation.
  • Sub-processors. Bound to equivalent terms; 30-day notice for additions; right to object.
  • Assistance. Help with DSARs and Art. 32–36 obligations.
  • Breach. Notified without undue delay, within 72 hours.
  • Return / delete. Within 30 days of termination.
  • Audit. Information & on-notice audits at Controller’s expense.

Transfers

SCCs / UK IDTA where required, or pin your workspace to a local region to avoid transfers entirely.

Annexes

  • I · Processing details. Categories: workspace members & their guests. Data: identifiers, content, telemetry. No special-category data requested.
  • II · TOMs. Encryption in transit / at rest, region isolation, RBAC (Owner/Admin/Collaborator/Viewer), per-request audit, quarterly pen tests, documented incident response.
  • III · Sub-processors. List available in workspace settings & on request to [email protected]. Categories: cloud per region, LiveKit, email delivery, Stripe, optional AI inference (when not BYO key).

Counter-signature: [email protected].