GizmoSauce Logo
Browse

Legal

Data Processing Addendum (DPA)

This DPA describes the processing terms that apply when GizmoSauce processes personal data as a processor on behalf of a Customer (for example, when widgets are embedded on Customer Sites).

Effective date: January 6, 2026

This DPA supplements the Terms of Service and is incorporated by reference when GizmoSauce acts as a data processor.

Parties: EndurantDevs LLC (d/b/a “GizmoSauce”) (“Processor”) and the Customer (“Controller”).

If your organization requires a countersigned DPA, contact moc.ecuasomzig@ycavirp.

1. Scope

This DPA applies to the processing of personal data by GizmoSauce on behalf of the Customer in connection with the Services, including embedded widgets on Customer Sites. This DPA does not apply where GizmoSauce acts as an independent controller (for example, for GizmoSauce’s own account administration, billing, and support), which is described in our Privacy Policy.

2. Definitions

  • “Customer” means the entity that uses the Services to create and embed widgets on Customer Sites.
  • “Customer Sites” means websites or applications where the Customer embeds widgets.
  • “Customer Personal Data” means personal data processed by GizmoSauce on behalf of Customer under this DPA, including End-User information submitted to or collected by widgets as configured by Customer.
  • “Data Protection Laws” means applicable privacy and data protection laws and regulations, including (where applicable) the GDPR and UK GDPR.
  • “End Users” means individuals who interact with widgets on Customer Sites.

3. Processing Details (Annex)

The parties acknowledge and agree that the processing under this DPA is described as follows (and may vary based on which widgets and features the Customer enables):

Subject Matter & Purpose

  • Provide embedded widget functionality on Customer Sites.
  • Deliver widget configuration and render embeds.
  • Process end-user submissions as configured by Customer.
  • Security, abuse prevention, and reliability of widget delivery.

Duration

Processing continues for the term of the Customer’s use of the Services and any additional period needed for deletion/return or retention required by law and described in our retention practices.

Types of Personal Data

  • Contact details (e.g., email, phone) if collected via a widget.
  • Content submitted by End Users (e.g., messages, form fields) as configured by Customer.
  • Identifiers and technical data (e.g., IP address, device/browser info, timestamps).
  • Customer-configured widget settings and content that may include personal data.

Categories of Data Subjects

  • End Users on Customer Sites.
  • Customer personnel (admins/editors) who configure widgets.

4. Customer Instructions

GizmoSauce will process Customer Personal Data only on documented instructions from the Customer, including as necessary to provide the Services under the Terms and this DPA. Customer instructions include widget configuration, embed deployment, and other actions taken by the Customer in the dashboard or via the API.

The Customer is responsible for: (a) determining the lawful basis for processing, (b) providing required notices to End Users, (c) obtaining any required consents on Customer Sites, and (d) ensuring Customer Content and data collection comply with Data Protection Laws.

5. Processor Obligations

  • Confidentiality: GizmoSauce will ensure persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
  • Security: GizmoSauce will implement commercially reasonable technical and organizational measures designed to protect Customer Personal Data (see Section 10 for examples).
  • Subprocessing: GizmoSauce may use subprocessors to provide the Services, subject to appropriate contractual obligations and as described in Section 6.
  • Assistance: GizmoSauce will reasonably assist Customer with responding to data subject requests and with impact assessments or regulator inquiries to the extent required by Data Protection Laws and appropriate for the Services.
  • Security incidents: GizmoSauce will notify Customer of a confirmed security incident affecting Customer Personal Data without undue delay, consistent with Data Protection Laws and our agreements.
  • Deletion/return: upon termination of the Services, and subject to applicable law, GizmoSauce will delete or return Customer Personal Data in accordance with the retention and deletion practices described in our Privacy Policy and/or Customer instructions.

6. Subprocessors

Customer authorizes GizmoSauce to engage subprocessors to process Customer Personal Data for the purpose of providing the Services. GizmoSauce maintains a list of subprocessors at /privacy/subprocessors.

GizmoSauce will impose data protection obligations on subprocessors that are no less protective than those in this DPA, to the extent required by Data Protection Laws. GizmoSauce remains responsible for the performance of its subprocessors under this DPA.

7. International Transfers

Customer Personal Data may be processed in the United States and other jurisdictions where GizmoSauce or its subprocessors operate. Where required by Data Protection Laws for cross-border transfers, GizmoSauce will use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

8. Requests, Audits, and Contact

Requests regarding this DPA, data subject rights, or security may be sent to moc.ecuasomzig@ycavirp.

To protect security and other customers, audit requests must be reasonable, limited in scope, and subject to confidentiality. Where possible, GizmoSauce may satisfy requests by providing documentation, summaries, or third-party reports rather than on-site access.

9. Priority

If there is a conflict between this DPA and the Terms, this DPA governs only for the processing of Customer Personal Data under this DPA. The Terms govern for all other purposes.

10. Security Measures (Examples)

GizmoSauce’s security measures are designed to be appropriate to the nature of the data and risks. Depending on the Services and configuration, measures may include:

  • Encryption in transit (TLS) for data exchanged with the Services.
  • Access controls and least-privilege policies for internal access to systems.
  • Logging and monitoring for security and reliability signals.
  • Backups and disaster recovery practices appropriate for the Services.
  • Secure development practices and change management.