1. Parties
Processor: Quad Studio, Zürich, Switzerland (“Pengon”, “we”).
Controller: The natural or legal person who operates the Squarespace site on which the Pengon snippet is installed (“Customer”, “you”).
This DPA supplements the Terms of Service and forms part of the agreement between the parties. It implements the requirements of GDPR Art. 28 (EU 2016/679), the UK GDPR, and the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023).
2. Subject matter & duration
Subject matter: Pengon classifies submissions from the Customer’s Squarespace contact forms as “spam” or “clean” using AI, and stores flagged messages in a dashboard for human review.
Duration: For the lifetime of the Customer’s Pengon account. Terminates automatically when the account is deleted.
3. Nature & purpose of processing
Processing consists of receiving form submissions, running them through an AI classifier, storing the classification result and the submission text, and presenting them in the Customer’s dashboard. Purpose: spam filtering for the Customer’s contact-form inbox.
4. Categories of data subjects
Visitors who submit the Customer’s Squarespace contact form - typically prospective clients, leads, or members of the public reaching out.
5. Categories of personal data
- Name (as entered by the visitor)
- Email address
- Phone number (if the form collects one)
- Message body
- Source page URL on the Customer’s site
- Timestamp
Pengon does not intentionally collect special-category data (GDPR Art. 9). If a visitor voluntarily includes such data in a free-text message field, it’s stored alongside the rest of the message until you delete the submission.
6. Processor obligations
Pengon will:
- Process personal data only on the Customer’s documented instructions. Creating an account and installing the snippet constitutes such an instruction.
- Ensure personnel authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see section 9).
- Assist the Customer with data-subject requests, breach notifications, and prior consultations with supervisory authorities, taking into account the nature of the processing.
- On termination, delete all personal data within 30 days unless EU/Swiss law requires longer retention.
7. Sub-processors
The Customer authorises Pengon to engage the following sub-processors:
- Cloudflare, Inc. - Workers, D1, Workers AI, Pages. Hosting, database, AI inference. Data may be processed at any global Cloudflare edge location; primary storage region selectable per Pengon’s configuration.
- Clerk, Inc. - authentication. Stores Customer’s sign-up email, name, and authentication tokens. US-based.
- Stripe Payments Europe, Ltd. / Stripe, Inc. - payment processing for Founding Member payments. Stripe acts as an independent controller for payment data per its own DPA.
- Resend - transactional email delivery (recovery notices, account emails). US-based.
We’ll give 30 days’ notice by email before adding or replacing a sub-processor. The Customer may object on legitimate data-protection grounds; if we can’t resolve the objection, the Customer may terminate this DPA and the Pengon account with a pro-rated refund as described in Terms §7.
8. International transfers
Some sub-processors are based outside Switzerland and the EEA (notably Clerk and Resend in the US, and Stripe’s global infrastructure). Transfers are covered by:
- EU Standard Contractual Clauses (2021/914) and the Swiss-approved variant for transfers out of Switzerland, incorporated by reference;
- EU–US Data Privacy Framework certifications where the recipient holds one (Stripe and Cloudflare currently do; check each provider’s public DPF listing).
9. Security measures
Technical & organisational measures (TOMs):
- All data in transit encrypted via TLS 1.2+; all data at rest encrypted by Cloudflare D1 and Workers AI by default.
- Access to production data is restricted to the proprietor of Quad Studio; Quad Studio has no employees. Access requires MFA (Cloudflare and Clerk dashboards) and SSH keys that are rotated regularly.
- The Pengon worker runs on Cloudflare’s isolated V8 sandbox; no persistent compute.
- Database backups via Cloudflare D1’s built-in point-in-time recovery (Time Travel) for 30 days.
- Anonymised training corpus rows are stripped of PII (email, phone, URL) via deterministic token replacement before storage and have no link back to the source account.
- Incident response: any confirmed breach involving Customer data is notified within 72 hours of confirmation, by email to the Customer’s account address.
10. Data-subject requests
Pengon’s dashboard lets you delete individual submissions and bulk-delete by selection. For deletion of an entire account and associated data, email [email protected] - actioned within 7 business days.
If a data subject contacts Pengon directly with a request, we forward it to the relevant Customer within 5 business days. The Customer remains responsible for handling the underlying request.
11. Audits
Given Pengon’s scale (one-person operation, edge-deployed on managed infrastructure), on-site audits are not practical. Instead, the Customer may request, no more than once per year:
- Cloudflare’s SOC 2 Type II report (provided under NDA);
- Pengon’s current sub-processor list (section 7 of this DPA, which is authoritative);
- Written answers to a reasonable security questionnaire.
12. Liability
Each party’s liability under this DPA is subject to the limitations in the Terms of Service, section 10. Statutory liability under GDPR Art. 82 is not excluded.
13. Governing law
This DPA is governed by Swiss law. Place of jurisdiction: Zürich. Mandatory data-protection law in the Customer’s or data subject’s jurisdiction is not affected.
14. Contact
DPA-related inquiries: [email protected], subject line “DPA - [your domain]”.
Need a counter-signed PDF for your records? Send your countersigned copy to [email protected] and we’ll return a signed PDF within 5 business days at no charge.