Data Processing Agreement
Last updated: March 8, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Feedash, operated by Het Ondernemers Kompas, located in The Netherlands ("Processor"), and applies whenever the Controller uses Feedash to process personal data on behalf of their own users or clients.
This DPA governs the processing of personal data by Feedash as a data processor on behalf of the Controller as required by Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and any applicable national implementing legislation.
2. Definitions
- Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
- Processor: Feedash (operated by Het Ondernemers Kompas), which processes personal data on behalf of the Controller.
- Data Subject: an identified or identifiable natural person whose personal data is processed.
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data, such as collection, storage, use, or deletion.
3. Categories of Personal Data Processed
In the course of providing the Service, Feedash may process the following categories of personal data on behalf of the Controller:
- Names and email addresses of team members and guests invited to projects
- Feedback content submitted by team members or guest reviewers
- Device and browser information captured as part of feedback metadata
- IP addresses (as processed by our infrastructure providers)
Feedash does not intentionally process special categories of data (sensitive personal data) as defined under GDPR Article 9.
4. Purpose of Processing
Feedash processes personal data solely to provide the Service to the Controller as described in the Terms of Service, specifically to enable visual feedback collection, collaboration, and project management on websites.
5. Sub-processors
Feedash uses the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-west-1) |
| Stripe | Payment processing (billing data only) | USA / EU |
| Resend | Transactional email delivery | USA |
Feedash will notify the Controller of any intended changes to the above sub-processors. The Controller has the right to object to such changes within a reasonable timeframe.
6. Security Measures
Feedash implements appropriate technical and organizational measures to protect personal data, including:
- TLS/SSL encryption for all data in transit
- Encryption at rest for all data stored in Supabase
- Role-based access control limiting data access to authorized users only
- Row-level security policies enforced at the database level
- Regular security reviews of access policies and configurations
7. Data Retention
Feedash retains personal data for as long as the Controller maintains an active account. Upon account termination or a deletion request, personal data is removed within 30 days, except where retention is required by applicable law (e.g., financial records for tax purposes).
8. Data Subject Rights Assistance
Feedash will provide reasonable assistance to the Controller in fulfilling obligations to respond to Data Subject requests regarding access, correction, deletion, and portability of personal data. Requests should be directed to hello@feedash.com.
9. Data Breach Notification
In the event of a personal data breach affecting data processed on behalf of the Controller, Feedash will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, to the extent that such notification is feasible. The notification will include all information required under GDPR Article 33(3) that is available at the time.
10. International Transfers
Feedash's primary data storage (Supabase) is hosted within the EU (AWS eu-west-1). For sub-processors based outside the EEA (Resend, Stripe), appropriate safeguards are in place through Standard Contractual Clauses or adequacy decisions where applicable.
11. Controller Obligations
By using Feedash to process personal data, the Controller confirms that:
- They have a lawful basis for the processing under applicable data protection law
- They have provided adequate notice to Data Subjects about the processing
- They are responsible for determining the purposes and means of processing
12. Agreement and Acceptance
By continuing to use Feedash as a business customer processing personal data on behalf of others, you accept the terms of this Data Processing Agreement. This DPA supplements and is incorporated into the Terms of Service.
If you require a signed DPA for compliance purposes, please contact us at hello@feedash.com.
13. Contact and Legal Entity
For all DPA-related inquiries, please contact:
Feedash, operated by Het Ondernemers Kompas
The Netherlands
Postbus 1234, 1234 AB Amsterdam
hello@feedash.com