Goodspeed

Data Processing Agreement

Our DPA for customers who process personal data with the Service.

Last updated: July 2, 2026


This Data Processing Agreement ("DPA") forms part of the Terms of Service between Goodspeed LLC ("Goodspeed", "Processor") and the customer ("Customer", "Controller") when Goodspeed processes Personal Data on Customer's behalf. It reflects the parties' agreement on the processing of Personal Data in line with the GDPR, the UK GDPR, and applicable US state privacy laws. Where this DPA conflicts with the Terms of Service on the subject of data protection, this DPA controls.

To request a countersigned copy, email legal@goodspeed.app.

1. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Content that Goodspeed processes on Customer's behalf. "Subprocessor" means a third party engaged by Goodspeed to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to third countries, and, for the UK, the UK Addendum.

2. Roles and Scope

For Customer Personal Data, Customer is the Controller and Goodspeed is the Processor. Where Customer is itself a processor for another controller, Goodspeed is a subprocessor. Goodspeed processes Customer Personal Data only to provide and support the Service and only on Customer's documented instructions, including as set out in the Terms of Service and this DPA, unless the law requires otherwise (in which case Goodspeed will inform Customer unless legally prohibited).

Goodspeed acts as an independent controller for a limited set of data it collects to run its business (for example, account and billing records and security logs); that processing is governed by the Privacy Policy, not this DPA.

3. Details of Processing

  • Subject matter: provision of the Goodspeed Service.
  • Duration: the term of the Terms of Service, plus the deletion period in Section 8.
  • Nature and purpose: hosting, generating, storing, transmitting, and displaying Customer Content to operate the Service.
  • Categories of Data Subjects: Customer's authorized users and any individuals whose Personal Data Customer submits to the Service.
  • Categories of Personal Data: account identifiers, contact details, content Customer chooses to submit, and technical and usage data. Customer must not submit special-category data or data subject to HIPAA except as separately agreed in writing.

4. Processor Obligations

Goodspeed will:

  • Process Customer Personal Data only on Customer's documented instructions.
  • Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality.
  • Implement the technical and organizational measures described in Section 5.
  • Assist Customer, taking into account the nature of the processing, with obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, and prior consultation).
  • Make available information reasonably necessary to demonstrate compliance with this DPA.
  • Not sell or share Customer Personal Data and not retain, use, or disclose it for any purpose other than providing the Service, and not combine it with data from other sources except as needed to provide the Service.

5. Security Measures

Goodspeed maintains administrative, technical, and physical safeguards appropriate to the risk, including: encryption of data in transit and encryption at rest for sensitive credentials; role-based access controls and least-privilege administration; per-tenant row-level security in its database; input validation and file-upload safeguards; rate limiting; audit logging of administrative actions; secret scanning; and a documented vulnerability-disclosure process (see the Security Policy). Goodspeed reviews and updates these measures over time and will not materially reduce their overall protection during the term.

6. Subprocessors

Customer authorizes Goodspeed to engage the Subprocessors listed at /subprocessors to process Customer Personal Data. Goodspeed imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA and remains responsible for its Subprocessors' performance. Goodspeed will keep the Subprocessors page current and will give notice of a new Subprocessor before it begins processing Customer Personal Data, as described on that page. If Customer reasonably objects to a new Subprocessor on data-protection grounds, Customer's remedy is to stop using the affected part of the Service.

7. Data-Subject Requests

Taking into account the nature of the processing, Goodspeed will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If Goodspeed receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally required to act, refer the Data Subject to Customer.

8. Return and Deletion

On termination of the Service, and on Customer's request, Goodspeed will delete or return Customer Personal Data and delete existing copies, except to the extent it is required by law to retain them. Goodspeed's standard deletion timelines are described in the Privacy Policy; backups are purged on their normal cycle.

9. Personal Data Breach

Goodspeed will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its own notification obligations.

10. Audits

Goodspeed will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor Customer mandates, on reasonable prior notice, no more than once per year (except where a Supervisory Authority or a Personal Data Breach requires more), during business hours, subject to confidentiality, and in a manner that does not disrupt the Service or compromise other customers' data. Goodspeed may satisfy audit requests by providing current third-party certifications or reports where available.

11. International Transfers

Where Goodspeed processes Customer Personal Data originating in the EEA, the UK, or Switzerland in a country that has not received an adequacy decision, the parties rely on the Standard Contractual Clauses (and the UK Addendum, where applicable), which are incorporated into this DPA by reference and completed with Customer as data exporter and Goodspeed as data importer. Goodspeed's Subprocessors are engaged under equivalent transfer mechanisms.

12. General

This DPA is governed by the same law and dispute-resolution terms as the Terms of Service, except where the SCCs require the governing law of an EU member state, in which case that law applies to the SCCs. Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. If any provision is unenforceable, the rest remains in effect.

Contact

Data protection and DPA requests: legal@goodspeed.app

Postal address: Goodspeed LLC, 3844 Santa Caterina Blvd, Bradenton, FL 34211
