Back to Home
NDesk

Data Processing Agreement

Last updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Data Controller") and NDesk ("Data Processor") for the provision of helpdesk services. This DPA sets out the terms under which NDesk processes personal data on behalf of the customer.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection laws.
  • "Processing" means any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Data Controller" means the customer who determines the purposes and means of processing personal data using the NDesk platform.
  • "Data Processor" means NDesk, which processes personal data on behalf of the Data Controller.
  • "Sub-processor" means any third party engaged by NDesk to process personal data on behalf of the Data Controller.

2. Scope of Processing

2.1 Categories of Data Subjects

  • Customer's employees and agents who use the NDesk platform
  • Customer's end-users who submit support tickets or interact with the helpdesk
  • Customer's contacts and enterprise clients stored in the platform

2.2 Types of Personal Data

  • Names, email addresses, phone numbers
  • Support ticket content and communications
  • Account credentials (stored in hashed form)
  • Usage data and activity logs
  • IP addresses and browser information (for security purposes)

2.3 Purpose of Processing

NDesk processes personal data solely for the purpose of providing the helpdesk platform services as described in the service agreement, including:

  • Ticket management and customer support operations
  • User authentication and access control
  • AI-powered features (ticket categorisation, smart replies, similar ticket detection)
  • Reporting and analytics
  • Email notifications and communications

3. Obligations of the Data Processor

NDesk shall:

  • Process personal data only on documented instructions from the Data Controller, unless required by law
  • Ensure that persons authorised to process personal data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
    • Multi-tenant data isolation at the application and database level
    • Role-based access control with principle of least privilege
    • Regular security assessments and vulnerability scanning
    • Comprehensive audit logging of data access and modifications
  • Not engage another processor without prior written authorisation of the Data Controller
  • Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Notify the Data Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the service agreement, at the choice of the Data Controller

4. Sub-processors

The Data Controller authorises NDesk to engage the following sub-processors for the purposes described:

Sub-processorPurposeData Processed
Abacus AICloud hosting, AI/LLM processingTicket content (for AI features), application data
GoogleSSO authentication, analyticsEmail, name (SSO); anonymised usage data (analytics)

NDesk will inform the Data Controller of any intended changes to sub-processors, giving the Data Controller the opportunity to object to such changes.

5. Data Retention

  • Personal data is retained for the duration of the service agreement
  • Upon termination, all personal data will be deleted within 30 days unless retention is required by law
  • The Data Controller may request data export at any time during the agreement term
  • Backup copies are purged within 90 days of deletion from production systems

6. Data Subject Rights

NDesk will assist the Data Controller in fulfilling data subject rights requests, including:

  • Right of Access: Providing copies of personal data upon request
  • Right to Rectification: Correcting inaccurate personal data
  • Right to Erasure: Deleting personal data when requested (subject to legal retention requirements)
  • Right to Data Portability: Exporting personal data in a structured, commonly used format
  • Right to Restriction: Restricting processing of personal data upon request

7. Data Breach Notification

In the event of a personal data breach, NDesk will:

  • Notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details including: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
  • Cooperate with the Data Controller in investigating and remediating the breach
  • Document all data breaches, including facts, effects, and remedial actions taken

8. Audit Rights

The Data Controller has the right to audit NDesk's compliance with this DPA. NDesk will:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections conducted by the Data Controller or an authorised auditor
  • Provide SOC 2 Type II reports and ISO 27001 certificates upon request (when available)

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the main service agreement between the parties. Where the Data Controller is subject to the GDPR, the provisions of this DPA shall be interpreted in accordance with the GDPR.

Questions about this DPA?

If you have questions about this Data Processing Agreement or wish to execute a customised version, please contact us at contact us orcontact us.

Privacy PolicyTerms of ServiceSecurity & Trust Center

© 2026 NDesk. All rights reserved.