Data Processing Agreement

Last updated June 10, 2026

This Data Processing Agreement describes how Enstate Labs, Inc. processes customer-controlled personal data through Enping.

Scope and parties

This Data Processing Agreement ("DPA") forms part of the agreement between Enstate Labs, Inc. ("Enstate Labs", "Processor", "we", "us", or "our") and the customer organization that uses Enping ("Customer" or "Controller"). Together, Enstate Labs and Customer are the "Parties".

This DPA applies when Enstate Labs processes personal data on behalf of Customer in connection with the Enping website, web application, feedback widget, APIs, integrations, AI features, support services, and related services (the "Service").

This DPA is intended to satisfy controller-processor contract requirements under Article 28 of the GDPR and equivalent data protection laws. If a separately executed data processing agreement signed by both Parties conflicts with this DPA, the separately executed agreement controls for that Customer.

Roles and Customer responsibilities

Customer acts as controller of Customer Personal Data. Enstate Labs acts as processor of Customer Personal Data unless a separate written agreement, product-specific term, or applicable law states otherwise.

Customer is responsible for the lawfulness of Customer Personal Data it uploads, connects, collects, imports, or otherwise makes available through the Service, including lawful basis, notices, consents, data accuracy, configuration choices, user permissions, reviewer access, widget installation settings, screenshot settings, and instructions given through Customer's staff, integrations, and connected systems.

Where Customer connects a website, repository, project-management tool, communication channel, webhook, API, or other third-party system to Enping, Customer is responsible for having the necessary rights and authorization to connect that system and make the related data available to Enstate Labs.

Subject matter, duration, nature, and purpose

The subject matter of processing is Enstate Labs' provision of Enping and related support, security, billing, and integration services.

The duration of processing is the term of Customer's agreement with Enstate Labs plus any period needed to complete deletion, return, backup rotation, legal retention, security handling, dispute handling, or compliance obligations.

The nature of processing may include collection, recording, organization, structuring, storage, encryption, retrieval, consultation, display, transmission, synchronization, hosting, support access, AI-assisted processing, export, deletion, anonymization, and audit logging.

The purpose of processing is limited to:

  • providing, securing, maintaining, and supporting Enping;
  • supporting Customer's website feedback, review, triage, collaboration, and issue-routing workflows;
  • processing widget submissions, annotations, comments, statuses, priorities, assignments, and activity history;
  • validating widget origins, installation keys, access policies, reviewer sessions, invite tokens, and signed host identity;
  • providing AI-assisted classification, summarization, recommendations, and workflow assistance;
  • troubleshooting, debugging, monitoring, and improving the Service in accordance with Customer's agreement and applicable law;
  • complying with legal obligations, enforcing agreements, preventing abuse, and protecting the Service.

Enstate Labs will not sell Customer Personal Data or use Customer Personal Data for unrelated independent commercial purposes.

Categories of data subjects

  • Customer staff, contractors, administrators, owners, developers, and authorized users;
  • reviewers, visitors, customers, clients, or employees who submit or comment on feedback through a Customer-installed widget;
  • individuals whose information appears in feedback, comments, screenshots, attachments, page context, support requests, or connected systems;
  • billing, support, sales, or security contacts associated with Customer.

Categories of personal data

  • names, email addresses, roles, account identifiers, authentication metadata, and organization membership data;
  • organization, workspace, customer, project, site, environment, permission, team, and configuration data;
  • feedback titles, messages, comments, labels, statuses, priorities, assignments, annotations, and activity logs;
  • page URL, route, selected element metadata, DOM anchors, percentage-relative annotation rectangles, viewport and browser context, and page state;
  • reviewer session data, invite metadata, signed host identity metadata, visitor or reviewer browser state, and access audit metadata;
  • optional screenshots, attachments, storage metadata, and related deletion or audit records where enabled by Customer policy;
  • AI prompts, model context, tool inputs, tool results, AI outputs, summaries, recommendations, and usage logs where AI features are enabled;
  • billing contacts, subscription metadata, invoices, tax records, payment workflow metadata, usage counters, and customer portal metadata;
  • device, IP address, request, telemetry, diagnostic, error, audit, security, abuse-prevention, and usage metadata.

Unless separately agreed in writing, Customer will not intentionally submit special categories of personal data under Article 9 GDPR, payment card data, government ID numbers, children's data, medical data, passwords, secrets, raw authentication tokens, or other unusually sensitive datasets to the Service.

Customer instructions

Enstate Labs will process Customer Personal Data only on Customer's documented instructions. Customer's agreement, this DPA, product configuration, connected integrations, staff actions, support requests, and written instructions from authorized Customer representatives together form those instructions unless otherwise agreed in writing.

If Enstate Labs believes an instruction clearly infringes applicable data protection law, Enstate Labs may notify Customer and suspend the affected processing until the instruction is clarified, unless applicable law prohibits notice.

Confidentiality

Enstate Labs will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations or an appropriate statutory duty of confidentiality.

Enstate Labs limits internal access to Customer Personal Data to personnel, contractors, and service providers who need access to operate, secure, support, or maintain the Service, subject to appropriate access controls and confidentiality obligations.

Security measures

Enstate Labs will implement technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, alteration, or disclosure, taking into account the nature of processing and risks to data subjects.

  • TLS encryption in transit;
  • tenant-scoped authorization and server-side permission checks;
  • authenticated access controls, session management, role-based permissions, and audit trails;
  • origin, installation key, access policy, reviewer session, invite token, and signed identity validation for widget ingress;
  • screenshot capture disabled by default and enforced by organization/project policy before storage;
  • minimal page context storage, without full DOM snapshots by default;
  • sensitive URL parameter stripping and controls against logging raw auth headers, invite tokens, signed identity payloads, screenshots, and private feedback payloads;
  • input validation, file type and size restrictions, rate limiting, and abuse-prevention controls;
  • need-to-know internal access and administrative access restrictions;
  • backup and recovery processes where used;
  • incident handling, remediation, monitoring, and vulnerability review processes;
  • vendor and subprocessor review appropriate to the Service.

Enstate Labs may update or replace security measures from time to time, provided that the overall level of protection is not materially reduced.

AI processing

Enping may use AI features to assist with feedback classification, summarization, triage, implementation context, recommendations, and related workflow assistance.

Enstate Labs does not use Customer workspace data, feedback data, prompts, screenshots, AI outputs, or related model context to train third-party foundation models. Where supported, Enstate Labs routes AI requests through providers and controls intended to deny provider data collection and enforce zero data retention.

Customer remains responsible for reviewing AI output before relying on it and for determining whether Customer's use of AI features is appropriate for its legal, operational, employment, security, visitor-facing, or regulatory context.

Subprocessors

Customer gives Enstate Labs general authorization to use subprocessors to provide the Service. Enstate Labs will impose data protection obligations on subprocessors as required by Article 28 GDPR and will remain responsible for subprocessor processing to the extent required by applicable law.

Current subprocessors and provider categories are listed on the Enping subprocessor page. Enstate Labs may update subprocessors where reasonably necessary to operate, secure, maintain, or improve the Service. If a change is material, Enstate Labs will inform Customer in accordance with the agreement or applicable notice process, and Customer may object on reasonable data protection grounds.

Assistance with data subject rights and compliance

Taking into account the nature of processing and information available to Enstate Labs, Enstate Labs will provide reasonable assistance to Customer with:

  • data subject access requests;
  • rectification requests;
  • erasure and anonymization requests;
  • data portability requests;
  • restriction, objection, consent withdrawal, and processing hold requests;
  • security of processing obligations;
  • personal data breach handling;
  • data protection impact assessments and regulatory consultation where relevant;
  • return, deletion, or export of Customer Personal Data.

Customer remains responsible for receiving, validating, and responding to requests where Customer is the controller, unless otherwise agreed.

Personal data breaches

Enstate Labs will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

Enstate Labs may provide information in stages as it becomes available, including the nature of the breach, affected data categories, likely consequences, mitigation steps, remediation, and contact information for follow-up.

Enstate Labs will cooperate reasonably with Customer's investigation, mitigation, and notification obligations, taking into account the nature of processing and information available to Enstate Labs.

Return, deletion, anonymization, and retention

At the end of the agreement, upon verified deletion request, or as otherwise required by Customer's written instruction, Enstate Labs will delete, return, or anonymize Customer Personal Data within a commercially reasonable period unless retention is required by law or necessary for backup rotation, security, fraud prevention, dispute handling, audit logs, tax records, or legal claims.

Backup copies may persist temporarily until overwritten in the normal backup cycle, provided they remain protected and are not actively used except where necessary.

Some broad customer, project, site, or whole-organization deletion workflows may require scoped engineering support until fully automated in the Service. Enstate Labs will not perform ad hoc broad table deletes outside a verified and scoped deletion process.

International transfers

Enstate Labs is incorporated in the United States. Customer Personal Data may be processed in the United States, the European Economic Area, or other locations where Enstate Labs and its subprocessors operate.

Where required by applicable data protection law, international transfers will rely on a valid transfer mechanism, such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum, data processing agreements, supplementary measures, or another lawful safeguard.

Compliance information and audit

Enstate Labs will make available information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the Service, Customer's risk, confidentiality, security, and the rights of other customers.

Compliance review will normally be satisfied through written answers, a current subprocessor list, a summary of technical and organizational measures, audit or compliance documentation where available, and remote review discussions if needed.

Any further audit request must be reasonable, limited in scope, directly related to Customer Personal Data, and conducted on reasonable notice during business hours with appropriate confidentiality protections. Onsite inspections are not included by default and may occur only if legally required or justified by a confirmed material security incident.

Beta, pilot, and evolving functionality

Where Customer uses a beta, pilot, early-access, or evaluation version of the Service, Customer acknowledges that functionality may change, be limited, or be removed during the evaluation period for product development, security, bug fixing, or operational reasons.

This DPA does not create a separate service level agreement, uptime commitment, certification commitment, or product warranty beyond the obligations expressly stated here or in the applicable agreement.

Liability and third-party systems

This DPA does not expand either Party's liability beyond mandatory law and the applicable agreement between the Parties.

Enstate Labs is not responsible for Customer's legal basis for processing, the accuracy or legality of data supplied by Customer, Customer's configuration choices, Customer's internal access decisions, or third-party systems directly selected, connected, or instructed by Customer.

Governing law

This DPA is governed by the governing law stated in the applicable agreement between Enstate Labs and Customer, unless mandatory data protection law requires otherwise. If no governing law is stated in the applicable agreement, this DPA is governed by the law that applies to the primary agreement for the Service.

Contact for data protection requests

For questions relating to this DPA or data handling, contact Enstate Labs at privacy@enping.app or hello@enping.app.

You may also contact Enstate Labs by mail at:

  • Enstate Labs, Inc.
  • 1111b South Governors Avenue STE 96453, Dover, Delaware 19904, US
  • United States