Legal
Data Processing Agreement
Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Processor: Luke Hawkins, trading as Zaklad — sole trader registered in the Czech Republic, IČO 14031671, Osadní 23, 170 00 Prague 7, Czech Republic, contact [email protected].
- Controller: the customer (“you”) who has accepted Zaklad’s Terms of Service and uses the Service to process personal data.
This DPA forms part of and is incorporated into the Terms of Service between the parties. It applies where the Processor processes personal data on behalf of the Controller in connection with the Service, and is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
By accepting the Terms of Service, the Controller accepts this DPA. No signature is required, although signed copies can be provided on request to [email protected].
1. Definitions
Terms used in this DPA have the meanings given in the GDPR, including “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach”. “Subprocessor” means any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the Service.
2. Subject Matter and Duration
Subject matter. The Processor processes personal data on behalf of the Controller as necessary to provide the Service, in accordance with the Terms of Service and this DPA.
Duration. Processing continues for the duration of the Controller’s use of the Service, and any retention periods set out in the Privacy Policy thereafter.
Nature and purpose of processing. Storage, retrieval, transmission, display, encryption, backup, and related operations necessary to host the Controller’s design system projects, manage user accounts, authenticate requests, sync data to Figma on the Controller’s instruction, and operate the Service.
3. Categories of Data and Data Subjects
Categories of personal data:
- Email addresses of account holders and organisation members.
- Authentication credentials (stored in hashed form).
- Figma OAuth tokens and Figma user identifiers (tokens are encrypted at rest), if the Controller uses OAuth integration.
- IP addresses and request metadata in technical logs.
- Session identifiers.
- Any additional personal data that the Controller or its users choose to include within project content (for example, contributor names in component metadata). The Processor has no visibility into such content and processes it only as stored data.
Categories of data subjects: the Controller’s employees, contractors, collaborators, and other individuals whose personal data the Controller chooses to process using the Service.
4. Instructions
The Processor will process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, except where required to do so by EU or Member State law. The Controller’s acceptance of the Terms of Service, configuration of the Service, and use of Service features constitute documented instructions for the purposes of this DPA. The Processor will inform the Controller if it believes an instruction infringes the GDPR or other applicable data protection law.
5. Confidentiality
The Processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to production personal data is restricted to the operator.
6. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, in categories:
- Encryption in transit for all connections (HTTPS/TLS).
- Modern, memory-hard password hashing for authentication credentials. Passwords are never stored in plain text.
- Authenticated encryption at rest for sensitive credentials such as third-party OAuth tokens.
- Cryptographic hashing for API keys; raw keys are shown once at creation and are not recoverable afterwards.
- Secure, HTTP-only session cookies.
- Access controls restricting production access, with logging.
- Regular backups with encrypted storage and defined rotation.
- Monitoring, logging, and rate limiting for abuse detection.
- Documented processes for responding to security incidents and personal data breaches.
For security reasons, specific algorithm names, key sizes, and configuration details are not published. The Processor will share additional information on request under appropriate confidentiality terms, where the Controller has a legitimate procurement or compliance requirement.
The Processor may update security measures from time to time provided that the overall level of protection is not reduced.
7. Subprocessors
The Controller authorises the Processor to engage the subprocessors listed below, and any additional subprocessors notified to the Controller in accordance with this Section.
Current subprocessors:
- Cloudflare, Inc. (United States) — network delivery, DDoS protection, aggregated analytics, and object storage (Cloudflare R2) for content delivery of project assets and encrypted backups.
- Figma, Inc. (United States) — design collaboration platform; used only when the Controller initiates a sync via the plugin or OAuth integration.
- Resend, Inc. (United States) — transactional email delivery.
- Payment processor — subscription payment processing. Specific provider will be listed here once engaged.
The Processor imposes on each subprocessor data protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
Changes. The Processor will give the Controller at least 14 days’ notice before engaging a new subprocessor or replacing an existing one, by updating this page and where practicable by email. The Controller may object to a new subprocessor on reasonable grounds related to data protection within that notice period. If the parties cannot agree a resolution, the Controller may terminate the Service for the affected processing, without refund for periods already paid, as its sole remedy.
8. International Transfers
Where subprocessors are located outside the European Economic Area (“EEA”), the Processor ensures that appropriate safeguards for international transfers are in place, such as the European Commission’s Standard Contractual Clauses (Decision 2021/914) or any successor mechanism. On request, the Processor will provide a summary of the transfer mechanisms in place.
9. Assistance with Data Subject Rights
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests for exercising the rights of data subjects under Articles 15–22 of the GDPR. Where a data subject contacts the Processor directly with such a request, the Processor will forward the request to the Controller without undue delay.
10. Assistance with Controller Obligations
The Processor assists the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes providing reasonable information about the processing necessary for the Controller to carry out data protection impact assessments.
11. Personal Data Breaches
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Controller’s personal data. The notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
12. Audits and Information
The Processor makes available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the GDPR. The Controller may request a summary of the Processor’s security measures and subprocessor arrangements by writing to [email protected].
Given the size and nature of the Service, on-site audits are not generally offered. Where a Controller has a documented regulatory requirement to conduct an audit, the parties will discuss in good faith a reasonable, scoped arrangement, which may be at the Controller’s cost, subject to appropriate confidentiality undertakings, and limited to what is strictly necessary. Third-party audit reports, where available, will be provided in lieu of on-site audits.
13. Deletion and Return
At the choice of the Controller, the Processor will delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies, unless EU or Member State law requires storage of the personal data. Default deletion timelines are set out in the Privacy Policy.
14. Term and Termination
This DPA takes effect when the Controller accepts the Terms of Service and continues for the duration of those terms. It terminates automatically on termination of the Terms of Service. Sections relating to ongoing obligations (confidentiality, breach notification for incidents occurring during the term, deletion and return, and liability) survive termination as required.
15. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law. Nothing in this DPA affects the direct liability of either party to a data subject under the GDPR.
16. Governing Law
This DPA is governed by the laws of the Czech Republic. Any dispute arising under this DPA is subject to the jurisdiction clause in the Terms of Service.
17. Contact
Questions about this DPA, or requests for a signed copy, can be sent to [email protected].