doable.do

Data Processing Agreement

Last updated: April 26, 2026

This Data Processing Agreement (“DPA”) forms part of the Doable Terms of Service between Doable Inc. and the Customer. It governs Doable’s processing of Personal Data on the Customer’s behalf under the EU General Data Protection Regulation (Regulation 2016/679, the “GDPR”) and the UK GDPR.

1. Roles

The Customer is the Controller of Personal Data they upload or that flows through Doable. Doable is the Processor for that data, except for the small set of administrative data we collect to operate the service (billing, login records, audit logs of administrator actions), where Doable is the Controller.

2. Subject matter and duration

Doable processes Personal Data for as long as the Customer maintains a paid or free account. On account closure data enters a 30-day soft-delete window, after which it is permanently purged (see Privacy Policy for retention details).

3. Categories of data and data subjects

Account data: Customer email, name, IP address, billing address. Usage data: project metadata, deployment logs, traffic metrics. Customer-deployed application data: whatever the Customer’s deployed application stores in databases attached via Doable addons. Doable does not access this data; we provide compute and storage only.

Data subjects are the Customer’s end-users (whose data flows through the Customer’s deployed application) and the Customer’s authorised users (account members).

4. Subprocessors

The Customer authorises Doable to use the subprocessors listed at doable.do/subprocessors. Doable will give the Customer at least 14 days’ notice before adding or replacing a subprocessor that processes Customer Personal Data, and the Customer may object on reasonable grounds.

5. Security measures

  • Encryption in transit (TLS 1.2+) on all customer-facing endpoints.
  • Database access scoped to the API service via a least-privilege Postgres role.
  • Customer environment variables encrypted at rest with AES-256-GCM (KMS).
  • Internal Docker networks isolate the database from the public internet.
  • Daily encrypted-eligible backups with off-host replication.
  • Container images scanned for known CVEs in CI before each release.
  • SSH access protected by 4096-bit Ed25519 key authentication and fail2ban.
  • Audit log of all administrator actions, retained 12 months.

6. Data subject rights

Doable provides tools so the Customer can fulfil data subject requests directly: programmatic data export (Profile → Export your data or GET /v1/me/export), per-account deletion, and a 30-day recovery window after deletion. If the Customer needs Doable to act directly, email [email protected] and we will respond within 30 days.

7. Personal data breach

Doable will notify the Customer without undue delay (within 72 hours of becoming aware) of any breach of Personal Data processed under this DPA, with the information needed for the Customer to meet their own notification obligations under Article 33.

8. International transfers

Personal Data is primarily stored in the United States. Where transfers occur from the EEA / UK / Switzerland to a jurisdiction without an adequacy decision, the EU Standard Contractual Clauses (Module Two: Controller to Processor) apply, supplemented by the UK Addendum where relevant.

9. Audits

On reasonable written notice and no more than once per year, the Customer (or an independent auditor under NDA) may audit Doable’s compliance with this DPA. Doable will respond to questionnaires (CAIQ, SIG-Lite) and provide third-party attestations as available.

10. Counter-signed DPA

For a counter-signed PDF of this DPA, email [email protected] with your account email and company name. We will return a signed copy within 5 business days.