Data Processing Addendum
Effective: July 10, 2026 · v2026-07-10
This Data Processing Addendum (the "DPA") explains how HoldFast processes personal data on behalf of its customers, sets out the terms required by the EU General Data Protection Regulation (GDPR) and the UK GDPR, and lists every third-party vendor we rely on to run the service. It is written in plain English wherever the law lets us. Where a plain word and a legal term mean the same thing, we use the plain word.
This DPA is between Smoke & Oakum, the operator of HoldFast ("HoldFast", "we", "us"), and the customer that has agreed to the HoldFast Terms of Service ("you", "Customer", "Controller").
How this DPA applies — no signature required
This DPA is part of the Terms of Service and applies automatically, with no separate signing step, to every customer whose use of HoldFast is subject to the GDPR or UK GDPR. We do this on purpose: a small SaaS should not make you chase a countersignature before you can use the product lawfully. The terms below bind us the moment you accept the Terms of Service.
If your procurement or legal team needs a countersigned copy on their own letterhead, email [email protected] and we will sign and return one. That copy will match the terms on this page; it does not change them.
1. The two roles we play — and why we tell you both
Most processor DPAs claim the vendor "only acts on the customer's instructions." For most of what HoldFast does, that is true. But it is not the whole truth, and pretending otherwise is the kind of misrepresentation regulators punish. So we split our role honestly:
Where we are your processor
For the content you upload and the viewer data we collect when we run your review links, reels, and presentations, HoldFast is a processor acting on your documented instructions. You are the controller. This covers:
- Media files, transcripts, comments, approvals, and project data you or your team upload.
- Viewer engagement data (who opened a link, how long they watched, device and browser type, city/region-level location, and the resolved company) that we collect and show back to you as analytics for your shared links.
- Contacts you import, and the emails we send on your behalf.
Where we are an independent controller
For a limited set of purposes described in our Privacy Policy, we decide the "why" and "how" ourselves, so for those we are an independent controller, not your processor:
- Account data — the information we hold about you and your workspace users to run your account, bill you, secure the platform, and support you.
- Aggregated and de-identified service improvement — statistics and models we build from platform-wide activity to operate, secure, and improve HoldFast, in a form that does not identify any individual (see §7).
- The company-resolution graph — a firmographic (company-level) graph pooled across all workspaces to improve company identification. It maps network and device signals to company domains only; no viewer name, email, or personal profile is shared between workspaces (see §7).
The CRM-sync feature (where enabled by you) pushes viewer engagement data into your own CRM; for that flow we and you are plausibly joint controllers, and you remain responsible for how your CRM uses the data once it arrives.
2. What we process, and for whom
This section is the "description of processing" the GDPR (Art 28(3)) requires.
- Subject matter & duration — processing personal data to provide the HoldFast service, for as long as your account is active and through the deletion window in §5(h).
- Nature & purpose — hosting and transcoding media; running review, reel, and presentation links; generating and showing engagement analytics; resolving viewer identity and company; sending email you direct; and the related support and security work.
- Categories of data subjects — (1) your workspace users, and (2) viewers — the people you share links with, who never signed up for HoldFast.
- Categories of personal data — names, email addresses, company/organization, phone numbers (for imported contacts); IP addresses; device, browser, and general-location data; a device identifier and, where consented, a browser-fingerprint identifier; engagement events (opens, watch time, clip and slide activity, clicks); resolved company; and behavioral engagement scores derived from the above. Media files and transcripts may themselves contain personal data that you control.
- Special-category data — HoldFast is not designed for special-category data (Art 9). You should not upload it unless you have your own lawful basis. Transcription runs entirely in the viewer's or member's browser — audio and voice are never sent to our servers for transcription.
3. Our promises as your processor
These are the Article 28(3) commitments. For the personal data we process on your behalf, we will:
(a) Act only on your instructions
We process personal data only on your documented instructions — which include your use of the product's features and settings, and this DPA — unless a law we are subject to requires otherwise, in which case we will tell you first unless that law forbids it. If we believe an instruction breaks data-protection law, we will let you know.
(b) Keep it confidential
Everyone we authorize to process your data is bound by confidentiality obligations (by contract or duty) and only gets access on a need-to-know basis.
(c) Secure it
We keep appropriate technical and organizational measures in place (Art 32). In summary, and honestly stated:
- Account and link/deck passwords are hashed with bcrypt — we never store them in plain text.
- All data in transit is encrypted with TLS/HTTPS; media segment URLs are signed.
- Sensitive stored credentials — per-workspace SMTP credentials, OAuth tokens, and backup-funnel tokens — are encrypted at rest at the application layer.
- Our primary application and database, which hold the personal data, are hosted in Germany (EU).
- Multi-tenant isolation is enforced in application code: every request is scoped to a single workspace, and no workspace can read another's data through the product.
- Session tokens are short-lived (JWT, 7-day expiry) and gate-proof cookies are secure and HTTP-only in production.
Disk-level encryption of stored data relies on our infrastructure providers' standard configurations; we do not over-claim database-level at-rest encryption beyond what those providers give us. A current summary of our security measures is available on request and forms part of this DPA.
(d) Use subprocessors under a general authorization
You give us a general authorization to engage the subprocessors listed in §8 (and to add or replace subprocessors of a similar kind) to help deliver the service. We stay responsible to you for what they do. Every subprocessor is bound by data-protection terms no less protective than this DPA. When we plan to add or replace a subprocessor, we will update the list in §8 and post the change here. If you reasonably object to a new subprocessor on data-protection grounds, tell us within 30 days of the change and we will work with you in good faith; if we cannot resolve it, you may stop using the affected feature or terminate the affected service as your remedy.
(e) Help you answer data-subject requests
Taking account of the nature of the processing, we will help you respond to requests from data subjects to exercise their rights (access, correction, deletion, objection, portability, and restriction). If a viewer or user contacts us directly about data we process on your behalf, we will forward it to you rather than answer for you.
(f) Help you meet your other obligations
We will give you reasonable help — considering what we know and the tools we have — with your security, breach-notification, data-protection-impact-assessment, and prior-consultation duties (Arts 32–36).
(g) Tell you about breaches without undue delay
If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay, with the information you reasonably need to meet your own notification duties (including what happened, the likely consequences, and the steps we are taking).
(h) Return or delete on termination — with a 90-day window
When your account ends, we return or delete the personal data we process for you, at your choice, and delete existing copies unless the law requires us to keep them. In practice: a terminated or lapsed workspace is archived for 90 days — during which you can export your data — and is then permanently deleted, along with the viewer data tied to it. You can request an export at any time before the window closes.
(i) Support your audits — through documentation
We make available the information needed to show we meet these obligations. For a small SaaS, that means this DPA, the subprocessor list, our security-measures summary, and reasonable answers to a security questionnaire no more than once a year (or after a breach that affected you). On-site audits are available only where a supervisory authority or the law specifically requires one, on reasonable notice and subject to confidentiality.
4. Your responsibilities as controller
Because you decide what to upload and who to share links with, some duties sit with you:
- You confirm you have a lawful basis to upload the content and contacts you put into HoldFast, and to have us process them.
- For the analytics we run on your shared links, you confirm you maintain your own privacy policy, give your viewers the notice the law requires, obtain any consent or opt-out that applies to them, and are authorized to have us process their data. HoldFast's viewer-facing consent banner helps with this, but the controller duty toward your viewers is yours.
- Your instructions to us must comply with data-protection law.
5. International data transfers
HoldFast is a US-based operator, and some of our subprocessors are outside the EEA and the UK (see §8). Where we or a subprocessor transfer personal data out of the EEA or the UK, we rely on a valid transfer mechanism:
- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference — Module Two (controller-to-processor) for transfers from you to us, and Module Three (processor-to-subprocessor) for onward transfers to our subprocessors. Where a term must be chosen, the docking clause is included, the audit option is documentation-based (§3(i)), and the governing law and forum follow §6.
- For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (issued under s.119A of the UK Data Protection Act 2018) is likewise incorporated by reference.
- Where a subprocessor is certified under an applicable adequacy framework (for example the EU–US and UK Extension Data Privacy Framework), that framework may also apply; we keep the SCCs as the fallback because adequacy findings can be challenged.
The parties named in the SCCs are you (data exporter) and HoldFast (data importer); Annex I details are drawn from §2, the security measures from §3(c), and the subprocessor list from §8.
6. Governing law, liability, and the Terms
This DPA is part of, and governed by, the Terms of Service, including its governing-law, venue, and liability-cap provisions — under the law of the State of Delaware, USA, except where the SCCs require the law of an EU member state for a given transfer. If this DPA and the Terms of Service conflict on the processing of personal data, this DPA controls for that subject. Each party's total liability under this DPA is subject to the same limitations and cap as the Terms of Service.
7. Aggregated data and the company-resolution graph
You authorize us to do two specific things as an independent controller. We call these out separately because they go beyond pure processing, and the law requires that we have your authorization for them.
Aggregated and de-identified data
We may create aggregated and de-identified data from the processing and use it to operate, secure, analyze, and improve HoldFast and to produce benchmarks and statistics. This data does not identify you, your workspace users, or any viewer, and we do not attempt to re-identify it.
The company-resolution graph
HoldFast maintains a shared company-resolution graph that maps IP addresses, network identifiers (ASN), and device-fingerprint hashes to company domains, pooled across all customer workspaces to improve company (not individual) identification. No viewer name, email, or personal profile is shared between workspaces. The signal that crosses workspaces is limited to network and device signals and the resolved company. We are the controller for this graph; you authorize us to build and use it, and this authorization is what keeps that activity inside our contract with you. You can read the plain-English version of this in our Privacy Policy.
8. Subprocessors
These are the third parties that may process personal data to help us run HoldFast. We keep this list current; when we add or replace a subprocessor, we update this table and note the change here (§3(d)). "Location" is where the vendor primarily processes the data.
Customer-directed means the integration only runs if you turn it on and point it at your own account; when you do, you direct the transfer and your own agreement with that vendor governs it. Incidental means a content-delivery network that a viewer's browser may contact directly when loading a presentation — we have no data-processing account relationship with it.
| Vendor | Location | Role | Data it may receive | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | USA (global CDN) | Media storage (R2) and content delivery | Media files, transcripts, presentation bundles, and the viewer IP addresses that reach the CDN | SCCs; DPF where applicable |
| Hetzner Online GmbH | Germany (EU) | Application and database hosting (our primary systems) | All personal data held by the platform | None — data stays in the EU |
| Runpod, Inc. | USA | GPU video transcoding | Source video files only (fetched via a short-lived signed URL); no viewer personal data | SCCs |
| Stripe, Inc. | USA / Ireland (EU) | Payment processing and billing | Customer (workspace-owner) billing and contact details | SCCs; DPF where applicable |
| ipinfo.io (IPinfo) | USA | IP-to-company / ASN / geolocation enrichment | Raw viewer IP addresses | SCCs |
| Hunter (Hunter.io) | France | Company-domain lookup (email discovery) | Company domains (org-level, not viewer identity) | SCCs where processed outside the EEA/UK |
| FingerprintJS, Inc. | USA | Device / browser identification (viewer identifier) | Browser signals from a viewer's device, returned as an opaque identifier. Loads only after consent for EU/UK/California viewers. | SCCs |
| Google LLC | USA | OAuth sign-in and Google Contacts import | Account email; imported contact name/email/company/phone | SCCs; DPF where applicable |
| Microsoft Corporation | USA | OAuth sign-in and Microsoft Contacts import | Account email; imported contact name/email/company/phone | SCCs; DPF where applicable |
| Vimeo, Inc. | USA | Backup-funnel OAuth (library scan) | Vimeo account email and video metadata | SCCs; DPF where applicable |
| Email (SMTP) provider Customer-directed (per-workspace) |
Varies by provider | Outbound email delivery | Recipient names and emails, and message content | SCCs / provider's own terms; per-workspace SMTP is configured and directed by you |
| Copper CRM (Copper, Inc.) Customer-directed |
USA | CRM sync (only if you connect it) | Viewer email, name, company, phone, plus HoldFast-derived engagement score and intent tier | Your own agreement with Copper governs; SCCs where applicable |
| Slack (Slack Technologies) / Mattermost Customer-directed |
USA / self-hosted or your choice | Engagement alerts (only if you add a webhook) | Viewer name, email, and company in alert message text | Your own arrangement with the tool governs |
| esm.sh · cdn.jsdelivr.net Incidental |
USA / global CDN | Serve JavaScript libraries that render some presentation formats | A viewer's IP address and the presentation URL (referer), sent by the viewer's browser when it loads a library | No account relationship; contacted directly by the viewer's browser. See our Cookie Policy. |
9. Changes to this DPA and the list
We may update this DPA to reflect new legal requirements or changes to how the service works. When we make a material change, we will update the effective date and version at the top and, where appropriate, tell you by email or in-app. Subprocessor changes are handled as described in §3(d) and §8.
10. Contact
Questions about this DPA, a data-processing request, or a signed copy? Email [email protected].
This document is drafted for review by qualified counsel in the applicable jurisdiction before it is relied upon. It is not itself legal advice.