Last updated April 17, 2026

Data Processing Addendum (DPA)

This Data Processing Addendum forms part of the Terms of Service between you (the "Customer") and the operator of Daily Question ("we," "us," "our"). It governs the processing of personal data we perform on Customer's behalf in providing the Service. Capitalized terms not defined here have the meaning given in the Terms of Service or the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), as amended.

1. Roles

For personal data Customer or its members submit to the Service ("Customer Personal Data"), Customer is the controller and we are the processor. We act only on documented instructions from Customer (the Terms of Service, this DPA, and Customer's use of the Service).

2. Subject matter, duration, nature, purpose

  • Subject matter: provision of the Service.
  • Duration: the term of Customer's subscription, plus the retention windows described in the Privacy Policy.
  • Nature and purpose: hosting, storing, transmitting, and operating the Service for Customer.
  • Categories of data subjects: Customer's account holders, organization members, and end recipients of daily-question emails.
  • Categories of personal data: contact details (email, optional name), authentication credentials (hashed), profile preferences, organization and campaign metadata, member rosters (email addresses), and operational telemetry as described in the Privacy Policy.
  • No special-category data: Customer agrees not to submit to the Service any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation, except as specifically authorized in writing.

3. Our obligations

We will:

  • process Customer Personal Data only on Customer's documented instructions;
  • ensure that personnel authorized to process Customer Personal Data are bound by confidentiality;
  • implement and maintain the technical and organizational measures described in Section 7;
  • assist Customer in fulfilling its obligations to respond to data-subject rights requests;
  • notify Customer without undue delay (and in any event within 72 hours) on becoming aware of a personal-data breach affecting Customer Personal Data;
  • at termination, delete or return Customer Personal Data per the retention schedule in the Privacy Policy, unless retention is required by law.

4. Subprocessors

Customer authorizes us to engage subprocessors to provide the Service. We will impose written terms on each subprocessor that are no less protective than this DPA. A current list of subprocessors is available on request. We will give Customer notice of any new subprocessor with a reasonable opportunity to object on legitimate grounds; if Customer objects and we cannot accommodate the objection, Customer may terminate the affected portion of the Service for convenience.

5. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum, both of which are incorporated by reference. The "data exporter" is Customer; the "data importer" is us; clauses with options are completed as follows: docking clause applies; Clause 9 Option 2 (general written authorization) for subprocessor changes with 30 days' notice; Clause 17 Option 1, governed by Irish law; Clause 18 venue: Ireland.

6. Data-subject rights and assistance

If we receive a request from a data subject relating to Customer Personal Data, we will refer the request to Customer without undue delay. We will provide reasonable assistance to enable Customer to respond to data-subject rights requests and to meet obligations under Articles 32 to 36 of the GDPR. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request.

7. Security

We maintain technical and organizational measures appropriate to the risk, including:

  • encryption of personal data in transit (TLS 1.2+) and at rest;
  • hashed and salted authentication credentials;
  • role-based access control with least-privilege defaults;
  • access logging and periodic review;
  • vulnerability monitoring of our infrastructure and dependencies;
  • backup and disaster-recovery procedures;
  • secure software-development practices, including code review.

8. Audits

On Customer's reasonable written request, no more than once per year, we will make available information necessary to demonstrate compliance with this DPA, including responding to a written security questionnaire. On-site audits are not required where the requested information can be provided in writing.

9. Liability

The liability provisions in the Terms of Service apply equally to this DPA. The total liability of either party arising out of or relating to this DPA, when combined with all liability under the Terms of Service, will not exceed the limit set in the Terms of Service.

10. Conflict

If there is a conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA controls.