Reach Seats

GDPR Data Processing Addendum

Last updated: March 17, 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service and applies to customers whose use of Reach Seats involves the processing of personal data of individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland under the General Data Protection Regulation (GDPR) and equivalent laws.

1. Definitions

  • “Controller” means the entity that determines the purposes and means of processing personal data — in this context, you (the customer).
  • “Processor” means the entity that processes personal data on behalf of the Controller — in this context, Reach Seats.
  • “Personal Data” means any information relating to an identified or identifiable natural person within your organization's connected platforms (e.g. employee email addresses, names, login timestamps).
  • “Processing” means any operation performed on personal data, including collection, storage, retrieval, and deletion.
  • “Sub-processor” means any third party engaged by Reach Seats to process personal data in connection with the Service.

2. Roles and Responsibilities

You act as the Controller of personal data you bring into the Service via connected integrations. Reach Seats acts as the Processor, processing that data only on your documented instructions — specifically, to detect inactive license seats and surface cost waste.

Reach Seats will not process personal data for any purpose other than providing the Service, unless required to do so by applicable law, in which case we will notify you unless prohibited by law.

3. Nature and Purpose of Processing

  • Subject matter: License and user data from connected SaaS providers
  • Duration: For the term of your subscription, plus up to 30 days post-termination for deletion
  • Nature: Read-only collection, storage, analysis, and display within the Service dashboard
  • Purpose: Identifying inactive software seats and calculating estimated license waste
  • Data categories: Employee email addresses, display names, last login timestamps, license assignment status
  • Data subjects: Your organization's employees and contractors who hold licenses in connected platforms

4. Technical and Organisational Security Measures

Reach Seats implements the following measures to protect personal data:

  • Encryption at rest — OAuth tokens and API keys are encrypted using AES-256-GCM. Database storage is encrypted at the infrastructure level.
  • Encryption in transit — All data is transmitted over TLS 1.2 or higher.
  • Access controls — Production database access is restricted to authorized personnel. Application-level role controls limit data access to the relevant organization.
  • Session security — Sessions use secure, HTTP-only cookies. No long-lived JWT tokens are stored client-side.
  • Multi-tenancy isolation — All data is scoped to your organization. Cross-organization data access is prevented at the query level.
  • Minimal data collection — We collect only the data necessary to provide the Service (email, display name, last login, license status). We do not collect financial details, passwords, or personal communications.

5. Sub-processors

Reach Seats uses the following categories of sub-processors to deliver the Service. All sub-processors are bound by data processing agreements and are required to implement appropriate security measures.

Sub-processor | Purpose | Location
PostgreSQL hosting provider | Database storage | EU
Email delivery provider | Magic Link sign-in emails | EU / EEA
VPS / application hosting | Application runtime | EU

We will notify you of any intended changes to sub-processors at least 14 days in advance by email or in-app notice, giving you the opportunity to object.

6. International Data Transfers

Reach Seats stores and processes data within the EU. In the event that any processing occurs outside the EEA (e.g. via a sub-processor), we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c).

7. Data Subject Rights

As Controller, you are responsible for responding to data subject requests from your employees. Reach Seats will assist you in fulfilling these obligations by providing access to relevant data or deleting specific records upon your written request.

Supported data subject rights we can assist with:

  • Right of access (Article 15) — export of all data held for a specific individual
  • Right to rectification (Article 16) — correction of inaccurate records
  • Right to erasure (Article 17) — deletion of records for a specific individual
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) — CSV export of all synced data

Submit requests to [email protected]. We will respond within 30 days.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Reach Seats will notify you without undue delay and within 72 hours of becoming aware of the breach, to the extent reasonably possible. Notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

As Controller, you are responsible for notifying your relevant supervisory authority (e.g. your national Data Protection Authority) if required under GDPR Article 33.

9. Deletion and Return of Data

Upon termination of your account or upon your written request, Reach Seats will securely delete all personal data processed on your behalf within 30 days, unless we are required to retain it by applicable law. We will provide written confirmation of deletion upon request.

10. Audit Rights

Reach Seats will make available all information reasonably necessary to demonstrate compliance with GDPR obligations applicable to processors (Article 28). Upon reasonable notice, we will support audits or inspections conducted by you or a mandated third party, subject to reasonable confidentiality protections.

11. Contact and Data Protection Inquiries

For all GDPR-related inquiries, contact us at [email protected].