Data Processing Agreement for Customer Data
Effective: May 10, 2026
Summary
This DPA applies when Accountmade processes Customer Personal Data on behalf of a customer. For Accountmade, that can include CRM/prospect fields used for personalized decks, personal data in source documents or deck content, shared-deck viewer analytics, support context submitted by the customer, and related workspace data. The current subprocessors are listed at accountmade.com/legal/subprocessors.
This summary is not legally binding. The sections below are.
1. Parties and scope
This Data Processing Agreement ("DPA") forms part of the agreement between The Plain Works Co., Ltd. (주식회사 더플레인웍스), operating Accountmade ("Accountmade," "we," "us"), and the customer using Accountmade ("Customer," "you").
This DPA applies where Accountmade processes Customer Personal Data on behalf of Customer in connection with the Service and data protection law requires processor terms.
This DPA does not apply to personal information that Accountmade processes as an independent controller, such as Account Data, Service Data, billing metadata received from Paddle, communications with Accountmade, and internal business operations. That processing is covered by the Privacy Policy.
2. Definitions
"Account Data" means personal information about Customer's representatives and workspace users used to administer accounts, authentication, billing relationship, support, and communications.
"Customer Content" means prompts, source documents, URLs, transcripts, notes, brand kits, images, fonts, logos, personas, CRM fields, generated decks, exports, shared decks, and other materials submitted to or generated through the Service by or for Customer.
"Customer Personal Data" means personal data contained in Customer Content or otherwise processed by Accountmade on Customer's behalf under the agreement.
"Data Protection Laws" means applicable privacy, data protection, and cybersecurity laws governing the processing of Customer Personal Data, including where applicable GDPR, UK GDPR, Swiss FADP, Korean PIPA, and CCPA/CPRA.
"Security Incident" or "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Accountmade.
"Service Data" means usage, telemetry, diagnostics, logs, metadata, and aggregated or anonymized data generated by operation or use of the Service, excluding Customer Content.
The terms "controller," "processor," "data subject," "processing," "personal data," "subprocessor," and "supervisory authority" have the meanings given by applicable Data Protection Laws.
3. Roles
Customer is the controller of Customer Personal Data. Accountmade is Customer's processor.
If Customer acts as a processor for a third-party controller, Accountmade acts as Customer's subprocessor. Customer must ensure that its instructions to Accountmade are consistent with the third-party controller's instructions and applicable law.
The parties are not joint controllers for Customer Personal Data.
4. Processing instructions
Customer instructs Accountmade to process Customer Personal Data as necessary to provide, maintain, secure, support, troubleshoot, and optimize the Service for Customer's configured use; comply with Customer's configurations and documented instructions; comply with law; prevent abuse; and perform the agreement.
The agreement, this DPA, Customer's use of the Service, Customer's product settings, Customer's integration configuration, and written instructions sent to legal@accountmade.com constitute Customer's documented instructions.
Accountmade will process Customer Personal Data only on documented instructions from Customer unless required by law. If Accountmade believes an instruction violates Data Protection Laws, Accountmade will notify Customer unless legally prohibited.
5. Processing details
The subject matter, nature, purpose, duration, data-subject categories, and personal-data categories are described in Schedule 1.
Customer Personal Data is not expected to include special-category data, protected health information, payment card data, government identifiers, precise geolocation, biometric data, or children's data. Customer must not submit those data types unless the Service expressly supports them and the parties have entered into a separate written agreement covering that data.
6. Customer obligations
Customer will:
- comply with Data Protection Laws in its use of the Service;
- provide all required notices and obtain all required consents, permissions, and lawful bases;
- ensure Customer Personal Data is accurate, lawful, and appropriate for processing through Accountmade;
- avoid submitting prohibited sensitive data;
- configure integrations, CRM field mappings, viewer analytics, shared links, and access controls lawfully;
- respond to data-subject requests where Customer is the controller; and
- ensure that Customer's instructions to Accountmade are lawful.
7. Accountmade processor obligations
Accountmade will:
- process Customer Personal Data only on Customer's documented instructions;
- ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations;
- implement appropriate technical and organizational measures as described in Schedule 2;
- assist Customer with data-subject requests, taking into account the nature of the processing and information available to Accountmade;
- assist Customer with security, breach notification, data protection impact assessments, and prior consultations where required by Data Protection Laws and reasonably related to Accountmade's processing;
- delete or return Customer Personal Data as described in Section 13;
- maintain records required by applicable Data Protection Laws; and
- make available information reasonably necessary to demonstrate compliance with this DPA.
8. Security measures
Accountmade will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access.
Current measures are described in Schedule 2. Accountmade may update security measures from time to time, provided the updates do not materially reduce overall protection for Customer Personal Data.
9. Subprocessors
Customer gives Accountmade general authorization to engage subprocessors to process Customer Personal Data. Current subprocessors are listed at accountmade.com/legal/subprocessors.
Accountmade will impose data protection obligations on subprocessors that are no less protective in substance than those in this DPA, to the extent applicable to the subprocessor's role. Accountmade remains responsible for subprocessor performance as required by Data Protection Laws.
Accountmade will provide at least 30 days' notice before adding or replacing a subprocessor, unless urgent security, legal, or continuity needs require a shorter period. Notice may be provided by updating the Subprocessor List, email, in-product notice, or another reasonable method.
Customer may object to a new subprocessor on reasonable data-protection grounds within 14 days after notice. Accountmade will use reasonable efforts to resolve the objection. If the parties cannot resolve it, Customer may terminate the affected portion of the Service and receive a prorated refund for unused prepaid fees for that affected portion, unless the subprocessor is required to continue providing the Service or comply with law.
Customer-selected integrations, such as the customer's own HubSpot or Salesforce account, are generally not Accountmade subprocessors merely because Customer connects them to the Service.
10. Data-subject requests
If Accountmade receives a request from a data subject relating to Customer Personal Data, Accountmade will, where legally permitted, refer the requester to Customer or notify Customer. Accountmade will not respond substantively to the request unless instructed by Customer or required by law.
Accountmade will provide reasonable assistance for Customer to respond to data-subject requests. Customer is responsible for verifying the requester and deciding how to respond where Customer is the controller.
11. Personal Data Breach
Accountmade will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Where feasible, Accountmade will provide initial notice within 72 hours after confirmation.
Notice will include, to the extent known: the nature of the breach; affected data categories; approximate number of affected data subjects and records; likely consequences; measures taken or proposed; and a contact point.
Accountmade will take reasonable steps to contain, investigate, remediate, and mitigate the breach and will provide additional information as it becomes available.
12. Audits and compliance information
Upon reasonable written request, Accountmade will provide information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, subprocessor lists, retention information, transfer information, and questionnaire responses.
If the provided information is insufficient for Customer to satisfy a legal obligation, Customer may request an audit. Audits must be conducted no more than once every 12 months unless required by a regulator or following a confirmed Personal Data Breach affecting Customer Personal Data; with at least 30 days' notice; during normal business hours; in a manner that does not disrupt the Service; by an independent auditor bound by confidentiality; and at Customer's expense unless the audit identifies a material breach of this DPA.
13. Deletion and return
During the term, Customer may delete or export Customer Content using the Service where available.
Upon termination or expiration of the Service, Accountmade will delete or return Customer Personal Data according to Customer's instructions and the Service's export functionality, unless retention is required by law or permitted under the agreement.
Unless otherwise stated in an order form, Accountmade will make reasonable efforts to make Customer Content available for export for 30 days after termination, except where termination was for serious cause, security risk, legal requirement, or abuse.
Backups are protected under this DPA and are deleted according to the backup lifecycle, typically within 35 days after deletion from active systems. Data retained for legal, security, fraud-prevention, tax, accounting, or dispute purposes remains protected until deleted.
14. International transfers
Customer authorizes Accountmade and its subprocessors to process Customer Personal Data in Korea, the United States, the European Economic Area, the United Kingdom, and other countries where Accountmade or its subprocessors operate.
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on appropriate safeguards as described below.
14.1 EU SCCs
For restricted transfers from the EEA, the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 are incorporated by reference and deemed executed by the parties.
- Module Two applies where Customer is a controller and Accountmade is a processor.
- Module Three applies where Customer is a processor and Accountmade is a subprocessor.
- Clause 7 docking is included.
- Clause 9 Option 2 applies, with the subprocessor notice period in Section 9.
- Clause 11 optional language is not included.
- Clause 17 Option 1 applies; the governing law is the law of Ireland, unless another EU Member State law is required for the relevant exporter.
- Clause 18(b) venue is the courts of Ireland, unless another EU Member State venue is required for the relevant exporter.
- Annex I is completed by Schedule 1 and Schedule 3.
- Annex II is completed by Schedule 2.
- Annex III is completed by the Subprocessor List.
- Annex I.C supervisory authority is determined by the data exporter's GDPR context and competent supervisory authority, not hard-coded globally.
14.2 UK transfers
For restricted transfers from the UK, the EU SCCs apply as modified by the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement where the parties agree to use it. Tables and appendices are completed by the agreement, this DPA, Schedule 1, Schedule 2, Schedule 3, and the Subprocessor List.
14.3 Swiss transfers
For restricted transfers from Switzerland, the EU SCCs apply with adaptations required by the Swiss Federal Act on Data Protection, including references to the FDPIC where applicable and protection for Swiss data subjects as required by Swiss law.
14.4 Transfer impact and government requests
Accountmade will use reasonable efforts to support transfer risk assessments where required and reasonably related to Accountmade's processing.
If Accountmade receives a legally binding government or law-enforcement request for Customer Personal Data, Accountmade will, where legally permitted, notify Customer, redirect the requester to Customer, review the request, challenge unlawful or excessive requests where reasonable, and disclose only the minimum required.
15. CCPA/CPRA service-provider terms
Where the CCPA/CPRA applies and Accountmade processes Customer Personal Data on behalf of Customer, Accountmade acts as a service provider or contractor.
Accountmade will not sell or share Customer Personal Data. Accountmade will not retain, use, or disclose Customer Personal Data except for the limited and specified business purposes in Schedule 4, as otherwise permitted by the CCPA/CPRA, or as instructed by Customer.
Accountmade will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Accountmade and Customer except as permitted by the CCPA/CPRA.
Accountmade will not combine Customer Personal Data with personal information received from another source except as permitted by the CCPA/CPRA.
Accountmade will provide the same level of privacy protection required by the CCPA/CPRA for service providers and contractors, assist Customer with consumer requests as described in this DPA, implement reasonable security measures, notify Customer if Accountmade determines it can no longer meet its CCPA/CPRA obligations, and allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
Accountmade will require subprocessors that process Customer Personal Data subject to the CCPA/CPRA to comply with equivalent restrictions.
Accountmade certifies that it understands and will comply with the restrictions in this Section.
16. Liability and precedence
Liability under this DPA is subject to the limitations of liability in the Terms, except to the extent prohibited by Data Protection Laws or the SCCs.
If this DPA conflicts with the Terms regarding processing of Customer Personal Data, this DPA controls. If the SCCs conflict with this DPA, the SCCs control for restricted transfers.
17. Term and execution
This DPA takes effect when Customer accepts the Terms, signs an order form incorporating this DPA, or transmits Customer Personal Data to Accountmade, whichever occurs first.
This DPA continues while Accountmade processes Customer Personal Data and ends when all Customer Personal Data has been deleted or returned, except for provisions that must survive by their nature.
This DPA is accepted electronically through the Terms. To request a countersigned copy, contact legal@accountmade.com.
Schedule 1 — Details of processing
| Element | Description |
|---|---|
| Subject matter | Processing of Customer Personal Data submitted to, generated through, or collected by Accountmade on Customer's behalf |
| Duration | The term of the agreement, plus deletion/export/backup/legal-retention periods |
| Nature of processing | Collection, receipt, hosting, storage, retrieval, use, transmission, rendering, generation, export, sharing, analytics, logging, deletion, and security processing |
| Purposes | Creating, generating, editing, rendering, storing, exporting, and sharing decks; applying brand kits and personas; processing source documents and prompts; syncing configured CRM fields; personalizing decks; hosting shared decks; recording viewer analytics; providing support; securing the Service; preventing abuse; and complying with law |
| Data subjects | Customer's workspace users, prospects, customers, leads, recipients, shared-deck viewers, employees, contractors, partners, and any individuals whose data Customer submits or causes to be processed |
| Personal data categories | Names, business email addresses, company names, job titles, CRM identifiers, company attributes, custom CRM fields selected by Customer, deck content, source-document content, prompts, notes, viewer event data, approximate location, IP address, user agent, device/browser data, support content, and other personal data included by Customer |
| Sensitive data | Not expected. Customer must not submit special-category data, sensitive personal information, protected health information, government identifiers, payment card data, credentials, or children's data without a separate written agreement |
| Frequency | Continuous or as initiated by Customer through use of the Service |
| Retention | As described in the Privacy Policy, Terms, this DPA, and Customer's Service settings |
Schedule 2 — Technical and organizational measures
Accountmade maintains safeguards designed to protect Customer Personal Data. Measures include:
Access control. Authentication for workspace access, role-based permissions, least-privilege administrative access, restricted production access, and access review for sensitive systems.
Encryption. Encryption in transit using TLS. Encryption at rest through database, storage, and infrastructure providers where supported.
Tenant separation. Workspace-level access controls and data-isolation controls designed to prevent unauthorized cross-workspace access.
Credential protection. Secure handling of integration tokens and API credentials, with encryption or equivalent protections where supported. Customers should not place secrets in prompts, decks, URLs, or source documents.
Logging and monitoring. Security logs, error monitoring, abuse detection, rate limiting, and operational alerts designed to detect abnormal activity and service issues.
Vulnerability management. Dependency review, security patching, provider security monitoring, and remediation of critical vulnerabilities according to risk.
Incident response. Procedures for identifying, containing, investigating, remediating, and notifying affected customers of security incidents.
Subprocessor oversight. Written agreements with subprocessors, review of relevant vendor security posture, and maintenance of a public Subprocessor List.
Backups and recovery. Encrypted or provider-protected backups with lifecycle deletion, designed to support service recovery and continuity.
Personnel confidentiality. Confidentiality obligations for personnel and contractors with access to systems or Customer Personal Data.
Data minimization. Product and support practices designed to limit access to Customer Personal Data to what is necessary for the Service.
Schedule 3 — SCC party details
Data exporter
- Name: Customer, as identified in the applicable account, order form, or agreement.
- Address: Customer's address as provided in the applicable account, order form, or agreement.
- Contact: Customer's account owner or privacy contact.
- Role: Controller or processor, as applicable.
- Activities: Use of Accountmade to generate, store, export, and share decks and process related CRM, prospect, viewer, and Customer Content data.
Data importer
- Name: The Plain Works Co., Ltd. (주식회사 더플레인웍스), operating Accountmade.
- Address: Cheonan, Chungcheongnam-do, Republic of Korea.
- Contact: legal@accountmade.com.
- Role: Processor or subprocessor, as applicable.
- Activities: Providing Accountmade and processing Customer Personal Data according to this DPA.
Competent supervisory authority
For the EU SCCs, the competent supervisory authority is determined by the data exporter's GDPR context, including the exporter's establishment, representative, or relevant data subjects. If no other authority is identifiable, the parties will identify an appropriate authority consistent with Clause 13 of the SCCs.
Schedule 4 — CCPA/CPRA limited and specified business purposes
For Customer Personal Data subject to the CCPA/CPRA, the limited and specified business purposes are:
- Providing Accountmade account, workspace, authentication, and permission features.
- Generating, editing, rendering, exporting, and storing presentation decks requested by Customer.
- Processing prompts, source documents, brand kits, personas, and mapped CRM fields to create or personalize decks.
- Hosting shared decks and providing configured access controls, password protection, custom domains, and duplication controls.
- Recording and reporting shared-deck viewer analytics requested by Customer.
- Syncing, caching, and processing customer-authorized CRM and integration data.
- Providing customer support, troubleshooting, debugging, and account administration.
- Securing the Service, preventing fraud and abuse, enforcing terms, and protecting users and third parties.
- Maintaining backups, logs, audit records, and legal records necessary for the Service.
- Complying with applicable law, legal process, sanctions, export-control, tax, and regulatory obligations.