Data Processing Addendum

Effective: July 10, 2026 · v2026-07-10

This Data Processing Addendum (the "DPA") explains how HoldFast processes personal data on behalf of its customers, sets out the terms required by the EU General Data Protection Regulation (GDPR) and the UK GDPR, and lists every third-party vendor we rely on to run the service. It is written in plain English wherever the law lets us. Where a plain word and a legal term mean the same thing, we use the plain word.

This DPA is between Smoke & Oakum, the operator of HoldFast ("HoldFast", "we", "us"), and the customer that has agreed to the HoldFast Terms of Service ("you", "Customer", "Controller").

How this DPA applies — no signature required

This DPA is part of the Terms of Service and applies automatically, with no separate signing step, to every customer whose use of HoldFast is subject to the GDPR or UK GDPR. We do this on purpose: a small SaaS should not make you chase a countersignature before you can use the product lawfully. The terms below bind us the moment you accept the Terms of Service.

If your procurement or legal team needs a countersigned copy on their own letterhead, email [email protected] and we will sign and return one. That copy will match the terms on this page; it does not change them.

1. The two roles we play — and why we tell you both

Most processor DPAs claim the vendor "only acts on the customer's instructions." For most of what HoldFast does, that is true. But it is not the whole truth, and pretending otherwise is the kind of misrepresentation regulators punish. So we split our role honestly:

Where we are your processor

For the content you upload and the viewer data we collect when we run your review links, reels, and presentations, HoldFast is a processor acting on your documented instructions. You are the controller. This covers:

Where we are an independent controller

For a limited set of purposes described in our Privacy Policy, we decide the "why" and "how" ourselves, so for those we are an independent controller, not your processor:

The CRM-sync feature (where enabled by you) pushes viewer engagement data into your own CRM; for that flow we and you are plausibly joint controllers, and you remain responsible for how your CRM uses the data once it arrives.

2. What we process, and for whom

This section is the "description of processing" the GDPR (Art 28(3)) requires.

3. Our promises as your processor

These are the Article 28(3) commitments. For the personal data we process on your behalf, we will:

(a) Act only on your instructions

We process personal data only on your documented instructions — which include your use of the product's features and settings, and this DPA — unless a law we are subject to requires otherwise, in which case we will tell you first unless that law forbids it. If we believe an instruction breaks data-protection law, we will let you know.

(b) Keep it confidential

Everyone we authorize to process your data is bound by confidentiality obligations (by contract or duty) and only gets access on a need-to-know basis.

(c) Secure it

We keep appropriate technical and organizational measures in place (Art 32). In summary, and honestly stated:

Disk-level encryption of stored data relies on our infrastructure providers' standard configurations; we do not over-claim database-level at-rest encryption beyond what those providers give us. A current summary of our security measures is available on request and forms part of this DPA.

(d) Use subprocessors under a general authorization

You give us a general authorization to engage the subprocessors listed in §8 (and to add or replace subprocessors of a similar kind) to help deliver the service. We stay responsible to you for what they do. Every subprocessor is bound by data-protection terms no less protective than this DPA. When we plan to add or replace a subprocessor, we will update the list in §8 and post the change here. If you reasonably object to a new subprocessor on data-protection grounds, tell us within 30 days of the change and we will work with you in good faith; if we cannot resolve it, you may stop using the affected feature or terminate the affected service as your remedy.

(e) Help you answer data-subject requests

Taking account of the nature of the processing, we will help you respond to requests from data subjects to exercise their rights (access, correction, deletion, objection, portability, and restriction). If a viewer or user contacts us directly about data we process on your behalf, we will forward it to you rather than answer for you.

(f) Help you meet your other obligations

We will give you reasonable help — considering what we know and the tools we have — with your security, breach-notification, data-protection-impact-assessment, and prior-consultation duties (Arts 32–36).

(g) Tell you about breaches without undue delay

If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay, with the information you reasonably need to meet your own notification duties (including what happened, the likely consequences, and the steps we are taking).

(h) Return or delete on termination — with a 90-day window

When your account ends, we return or delete the personal data we process for you, at your choice, and delete existing copies unless the law requires us to keep them. In practice: a terminated or lapsed workspace is archived for 90 days — during which you can export your data — and is then permanently deleted, along with the viewer data tied to it. You can request an export at any time before the window closes.

(i) Support your audits — through documentation

We make available the information needed to show we meet these obligations. For a small SaaS, that means this DPA, the subprocessor list, our security-measures summary, and reasonable answers to a security questionnaire no more than once a year (or after a breach that affected you). On-site audits are available only where a supervisory authority or the law specifically requires one, on reasonable notice and subject to confidentiality.

4. Your responsibilities as controller

Because you decide what to upload and who to share links with, some duties sit with you:

5. International data transfers

HoldFast is a US-based operator, and some of our subprocessors are outside the EEA and the UK (see §8). Where we or a subprocessor transfer personal data out of the EEA or the UK, we rely on a valid transfer mechanism:

The parties named in the SCCs are you (data exporter) and HoldFast (data importer); Annex I details are drawn from §2, the security measures from §3(c), and the subprocessor list from §8.

6. Governing law, liability, and the Terms

This DPA is part of, and governed by, the Terms of Service, including its governing-law, venue, and liability-cap provisions — under the law of the State of Delaware, USA, except where the SCCs require the law of an EU member state for a given transfer. If this DPA and the Terms of Service conflict on the processing of personal data, this DPA controls for that subject. Each party's total liability under this DPA is subject to the same limitations and cap as the Terms of Service.

7. Aggregated data and the company-resolution graph

You authorize us to do two specific things as an independent controller. We call these out separately because they go beyond pure processing, and the law requires that we have your authorization for them.

Aggregated and de-identified data

We may create aggregated and de-identified data from the processing and use it to operate, secure, analyze, and improve HoldFast and to produce benchmarks and statistics. This data does not identify you, your workspace users, or any viewer, and we do not attempt to re-identify it.

The company-resolution graph

HoldFast maintains a shared company-resolution graph that maps IP addresses, network identifiers (ASN), and device-fingerprint hashes to company domains, pooled across all customer workspaces to improve company (not individual) identification. No viewer name, email, or personal profile is shared between workspaces. The signal that crosses workspaces is limited to network and device signals and the resolved company. We are the controller for this graph; you authorize us to build and use it, and this authorization is what keeps that activity inside our contract with you. You can read the plain-English version of this in our Privacy Policy.

8. Subprocessors

These are the third parties that may process personal data to help us run HoldFast. We keep this list current; when we add or replace a subprocessor, we update this table and note the change here (§3(d)). "Location" is where the vendor primarily processes the data.

Customer-directed means the integration only runs if you turn it on and point it at your own account; when you do, you direct the transfer and your own agreement with that vendor governs it. Incidental means a content-delivery network that a viewer's browser may contact directly when loading a presentation — we have no data-processing account relationship with it.

Vendor Location Role Data it may receive Transfer mechanism
Cloudflare, Inc. USA (global CDN) Media storage (R2) and content delivery Media files, transcripts, presentation bundles, and the viewer IP addresses that reach the CDN SCCs; DPF where applicable
Hetzner Online GmbH Germany (EU) Application and database hosting (our primary systems) All personal data held by the platform None — data stays in the EU
Runpod, Inc. USA GPU video transcoding Source video files only (fetched via a short-lived signed URL); no viewer personal data SCCs
Stripe, Inc. USA / Ireland (EU) Payment processing and billing Customer (workspace-owner) billing and contact details SCCs; DPF where applicable
ipinfo.io (IPinfo) USA IP-to-company / ASN / geolocation enrichment Raw viewer IP addresses SCCs
Hunter (Hunter.io) France Company-domain lookup (email discovery) Company domains (org-level, not viewer identity) SCCs where processed outside the EEA/UK
FingerprintJS, Inc. USA Device / browser identification (viewer identifier) Browser signals from a viewer's device, returned as an opaque identifier. Loads only after consent for EU/UK/California viewers. SCCs
Google LLC USA OAuth sign-in and Google Contacts import Account email; imported contact name/email/company/phone SCCs; DPF where applicable
Microsoft Corporation USA OAuth sign-in and Microsoft Contacts import Account email; imported contact name/email/company/phone SCCs; DPF where applicable
Vimeo, Inc. USA Backup-funnel OAuth (library scan) Vimeo account email and video metadata SCCs; DPF where applicable
Email (SMTP) provider
Customer-directed (per-workspace)
Varies by provider Outbound email delivery Recipient names and emails, and message content SCCs / provider's own terms; per-workspace SMTP is configured and directed by you
Copper CRM (Copper, Inc.)
Customer-directed
USA CRM sync (only if you connect it) Viewer email, name, company, phone, plus HoldFast-derived engagement score and intent tier Your own agreement with Copper governs; SCCs where applicable
Slack (Slack Technologies) / Mattermost
Customer-directed
USA / self-hosted or your choice Engagement alerts (only if you add a webhook) Viewer name, email, and company in alert message text Your own arrangement with the tool governs
esm.sh · cdn.jsdelivr.net
Incidental
USA / global CDN Serve JavaScript libraries that render some presentation formats A viewer's IP address and the presentation URL (referer), sent by the viewer's browser when it loads a library No account relationship; contacted directly by the viewer's browser. See our Cookie Policy.

9. Changes to this DPA and the list

We may update this DPA to reflect new legal requirements or changes to how the service works. When we make a material change, we will update the effective date and version at the top and, where appropriate, tell you by email or in-app. Subprocessor changes are handled as described in §3(d) and §8.

10. Contact

Questions about this DPA, a data-processing request, or a signed copy? Email [email protected].

This document is drafted for review by qualified counsel in the applicable jurisdiction before it is relied upon. It is not itself legal advice.