Data Processing Agreement

Last updated: March 23, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between YDevOps, an Israeli Sole Proprietorship (Licensed Dealer), operating as Cordiqa ("Processor", "we", "us"), and the customer using the Service ("Controller", "you"). This DPA applies where we process personal data on your behalf in connection with the Cordiqa platform ("Service").

1. Definitions

"Personal Data", "Processing", "Data Controller", "Data Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and, where applicable, the Israeli Privacy Protection Law, 5741-1981.

2. Roles and Scope

When you (as a Supplier) use Cordiqa to manage your Clients' data, you are the Data Controller and YDevOps is the Data Processor. We process personal data only on your behalf and in accordance with your documented instructions.

Categories of Data Subjects

  • Your end-customers ("Clients") whose data you import or manage through the Service
  • Your team members who access the Service on your behalf

Types of Personal Data Processed

  • Contact information (name, email address, company name)
  • Support ticket content (subjects, descriptions, messages)
  • File attachments uploaded through the Service
  • CRM data synced from HubSpot (contact properties, ticket properties)
  • Usage metadata (timestamps, IP addresses)

3. Processor Obligations

As the Data Processor, YDevOps shall:

  • Process personal data only on your documented instructions, unless required by applicable law to do otherwise, in which case we will inform you (unless prohibited by law).
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest, encrypted storage of OAuth tokens, and access controls.
  • Not engage another processor (sub-processor) without your prior general written authorization. We will inform you of any intended changes to sub-processors, giving you the opportunity to object.
  • Assist you, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under applicable data protection law.
  • Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At your choice, delete or return all personal data to you after the end of the provision of the Service, and delete existing copies unless applicable law requires storage.
  • Make available to you all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

4. Sub-Processors

You authorize us to engage the following sub-processors for the purposes described:

Sub-Processor | Purpose | Location
Clerk (Clerk, Inc.) | Authentication and user management | United States
Supabase (Supabase, Inc.) | Database hosting and file storage | United States
Vercel (Vercel, Inc.) | Application hosting and deployment | United States
Resend (Resend, Inc.) | Transactional email delivery | United States
HubSpot (HubSpot, Inc.) | CRM sync (only when you connect your HubSpot account) | United States
Stripe (Stripe, Inc.) | Payment processing | United States

We will notify you of any changes to this list. If you object to a new sub-processor, you may terminate the affected Service by providing written notice within 30 days.

5. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Israel, we ensure that appropriate safeguards are in place. Our sub-processors maintain their own data protection agreements and certifications. Where required, transfers are covered by the sub-processors' Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.

6. Data Breach Notification

We will notify you without undue delay after becoming aware of a personal data breach affecting data processed on your behalf. Such notification will include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach.

We will cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests under applicable law (access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a data subject, we will promptly redirect them to you unless otherwise instructed.

8. Data Retention and Deletion

We retain personal data processed on your behalf for as long as your account is active. Upon termination of the Service or at your request, we will delete personal data within 30 days, except where retention is required by applicable law. Backups containing personal data are purged within 90 days of deletion.

9. Security Measures

We implement and maintain the following technical and organizational security measures:

  • Encryption of data in transit using TLS 1.2+
  • Encryption of data at rest
  • Encrypted storage of third-party OAuth tokens (AES-256)
  • Role-based access controls and authentication via Clerk
  • Supplier-scoped data isolation (each supplier's data is logically separated)
  • Automated security headers (Content Security Policy, HSTS, X-Frame-Options)
  • Regular dependency updates and vulnerability monitoring

10. Audits

Upon reasonable request and subject to appropriate confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. Audit requests should be directed to privacy@cordiqa.io.

11. Term and Termination

This DPA takes effect when you start using the Service and remains in effect for as long as we process personal data on your behalf. The obligations in this DPA survive termination of the Service to the extent required to complete the deletion or return of personal data.

12. Governing Law

This DPA shall be governed by the laws of the State of Israel. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts of the Tel Aviv District, Israel.

13. Contact

For questions about this DPA or to exercise any rights under it, contact us at privacy@cordiqa.io.