DATA PROCESSING ADDENDUM

Gem Team (Business)

Effective Date: June 11, 2026 | Version: 1.0

DIGITAL MARKETING AGENCY LTD, Republic of Bulgaria

This Data Processing Addendum (the “DPA”) forms an integral part of the Terms of Use for the Gem Team (Business) service (the “Terms”) concluded between DIGITAL MARKETING AGENCY LTD, a limited liability company incorporated under the laws of the Republic of Bulgaria (Company No. (UIC): 204897396, VAT Registration No: BG204897396, registered office at bul. “Vasil Levski” No. 38, floor 2, Sredets District, Sofia, Republic of Bulgaria) (“DMA”) and the Customer, and is incorporated into the Terms by reference. This DPA governs the processing of Customer Personal Data by DMA on behalf of the Customer in connection with the Service and reflects the parties’ agreement pursuant to Article 28(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).

1. General

1.1. Definitions. Capitalised terms not defined in this DPA have the meanings given to them in the Terms. “Controller,” “processor,” “personal data,” “processing,” “personal data breach,” “data subject,” and “supervisory authority” have the meanings given to them in the GDPR. “Customer Personal Data” means personal data contained in Customer Data and Submitted Content that DMA processes on behalf of the Customer in the course of providing the Service.

1.2. Order of Precedence. In the event of any conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA prevails. In all other respects the Terms remain unaffected.

1.3. Duration. This DPA applies for as long as DMA processes Customer Personal Data, including any period after termination of the Terms until deletion or return of Customer Personal Data in accordance with Section 9.

2. Roles and Instructions

2.1. Roles. As between the parties, the Customer is the controller (or, where the Customer acts on behalf of a third-party controller, a processor) and DMA is the processor (or sub-processor, as applicable) of Customer Personal Data.

2.2. Documented Instructions. The Terms, this DPA, and the Customer’s configuration of and use of the Service (including settings applied through the Admin Panel) constitute the Customer’s complete documented instructions to DMA. Additional or alternative instructions require the parties’ prior written agreement.

2.3. Compliance with Instructions. DMA will process Customer Personal Data only on the Customer’s documented instructions, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do otherwise by Union or Member State law to which DMA is subject; in such a case, DMA will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.4. Infringing Instructions. DMA will immediately inform the Customer if, in DMA’s opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. DMA may suspend the performance of such instruction until it is confirmed or modified by the Customer.

3. Nature of the Service and Encryption

3.1. End-to-End Encrypted Content. Text messages and real-time signalling between End Users are protected by end-to-end encryption based on the MLS protocol (RFC 9420), as described in Section 11.1 of the Terms. DMA does not hold, and is not technically able to access, the cleartext of such content; DMA’s processing of such content is limited to the transmission and storage of ciphertext.

3.2. Other Customer Personal Data. Files, media, and attachments (protected by encryption in transit and at rest, but not by end-to-end encryption), operational metadata described in Section 11.3 of the Terms, account and registration data, and diagnostic data described in Section 20 of the Terms are processed by DMA as set out in Annex I.

4. Confidentiality

4.1. DMA will ensure that all persons authorised by DMA to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and process Customer Personal Data only to the extent required to perform their tasks.

5. Security

5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks for the rights and freedoms of natural persons, DMA will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures applicable as at the Effective Date are described in Annex II. DMA may update these measures from time to time, provided that the updates do not materially reduce the overall level of protection.

6. Sub-Processors

6.1. General Authorisation. The Customer grants DMA a general written authorisation to engage sub-processors for the processing of Customer Personal Data. The sub-processors engaged as at the Effective Date are listed in Annex III.

6.2. Changes. DMA will inform the Customer of any intended addition or replacement of sub-processors at least thirty (30) days before the change takes effect (by email to the Admin, in-Service notification, or publication on the Website), thereby giving the Customer the opportunity to object on reasonable data protection grounds. If the parties cannot resolve a justified objection, the Customer may terminate the affected subscription with effect from the date the change takes effect and receive a pro rata refund of pre-paid fees for the period after that date.

6.3. Flow-Down and Liability. DMA will impose on each sub-processor, by way of contract, data protection obligations that are in substance no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where a sub-processor fails to fulfil its data protection obligations, DMA remains fully liable to the Customer for the performance of that sub-processor’s obligations.

6.4. Payment Provider. For the avoidance of doubt, the Payment Provider (Section 4.7 of the Terms) processes payment data as an independent controller acting as merchant of record and is not a sub-processor of DMA under this DPA.

7. Assistance to the Customer

7.1. Data Subject Requests. Taking into account the nature of the processing, DMA will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests for exercising data subjects’ rights under Chapter III of the GDPR. If DMA receives a request from a data subject relating to Customer Personal Data, DMA will, to the extent legally permitted, promptly forward the request to the Admin and will not respond to it other than to direct the data subject to the Customer.

7.2. Articles 32 to 36. Taking into account the nature of the processing and the information available to DMA, DMA will assist the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 GDPR, including with respect to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.

8. Personal Data Breach

8.1. DMA will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent the information is available to DMA, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Information may be provided in phases as it becomes available. DMA’s notification of, or response to, a breach is not an acknowledgement of fault or liability.

9. Deletion and Return

9.1. Upon termination of the Terms, the Customer may export Customer Data during the Export Window in accordance with Section 5.7 of the Terms. After expiry of the Export Window, DMA will, at the choice of the Customer communicated before such expiry, delete or return all Customer Personal Data and delete existing copies, in accordance with Section 5.8 of the Terms, unless Union or Member State law requires storage of the personal data. In the absence of an election by the Customer, DMA will delete Customer Personal Data in accordance with Section 5.8 of the Terms. Upon written request, DMA will confirm deletion in writing. The Customer acknowledges that end-to-end encrypted content may exist only on End User devices and is outside DMA’s control.

10. Information and Audits

10.1. DMA will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Audits: (a) may be conducted no more than once in any twelve (12) month period, save where required by a supervisory authority or following a personal data breach; (b) require at least thirty (30) days’ prior written notice; (c) are conducted during normal business hours, without unreasonable disruption to DMA’s operations, and subject to the confidentiality obligations of the Terms; and (d) are at the Customer’s cost. DMA may satisfy audit requests, in the first instance, by providing relevant certifications, attestations, or third-party audit reports.

11. International Transfers

11.1. Customer Personal Data is hosted in data centre regions located in Europe, as described in Section 11.5 of the Terms. DMA will not transfer Customer Personal Data outside the European Economic Area unless the transfer is made: (a) to a country or recipient covered by an adequacy decision of the European Commission; (b) subject to the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914), incorporating supplementary measures where required; or (c) on the basis of another valid transfer mechanism under Chapter V of the GDPR.

12. Liability

12.1. The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in Section 13 of the Terms, which apply in aggregate across the Terms and this DPA. Nothing in this Section limits a data subject’s rights or either party’s liability under Article 82 GDPR to the extent such liability cannot be limited by agreement.

13. Final Provisions

13.1. This DPA is governed by the law specified in Section 17 of the Terms, and disputes are resolved in accordance with Section 18 of the Terms. If any provision of this DPA is held invalid or unenforceable, Section 21.4 of the Terms applies. DMA may amend this DPA in accordance with Section 19 of the Terms, provided that amendments do not materially reduce the level of protection of Customer Personal Data.

Annex I – Description of Processing

Subject matter and nature of processing: hosting, transmission, storage, routing, backup, and technical support of communications and related data within the Gem Team business messaging and collaboration platform; for end-to-end encrypted content – transmission and storage of ciphertext only.

Purpose: provision and operation of the Service in accordance with the Terms, including security, abuse prevention, troubleshooting, and compliance with applicable law.

Duration: the term of the Terms, plus the Export Window and the deletion period described in Sections 5.7–5.8 of the Terms.

Categories of data subjects: End Users (employees, contractors, and other authorised persons of the Customer); Admins; third parties with whom End Users communicate; persons referenced in Customer Data.

Categories of personal data: identification and account data (names, business contact details, account and device identifiers); content of communications – as ciphertext where end-to-end encrypted; files, media, and attachments; operational metadata (existence and timing of communications, IP addresses, routing data, group and channel membership); log, diagnostic, and telemetry data.

Special categories of data: the Service is not intended for the processing of special categories of personal data; any such data is processed only incidentally, where included in Customer Data by the Customer or End Users, and – in the case of end-to-end encrypted content – without DMA having access to its cleartext.

Frequency: continuous, for the duration of the Terms.

Annex II – Technical and Organisational Measures

  • (a) end-to-end encryption of text messages and real-time signalling (MLS, RFC 9420), with cryptographic keys stored only on End User devices;
  • (b) encryption in transit (TLS 1.2 or higher) and encryption at rest at the level of the underlying object storage;
  • (c) logical access controls, role-based access, and authentication mechanisms, including multi-factor authentication where available;
  • (d) login activity and Admin action logging with thirty (30) day retention (Section 11.4 of the Terms);
  • (e) network and infrastructure security measures of the cloud providers listed in Annex III, including physical security of data centres;
  • (f) backup and recovery procedures with backup overwriting in accordance with DMA’s backup cycle;
  • (g) personnel confidentiality undertakings and access on a need-to-know basis;
  • (h) procedures for the detection, escalation, and handling of security incidents and personal data breaches;
  • (i) pseudonymisation or anonymisation of diagnostic and telemetry data where reasonably practicable (Section 20.3 of the Terms).

Annex III – Sub-Processors

Sub-processor               Processing activity                             Location of processing
Google Cloud EMEA Limited   Cloud infrastructure, computing, and storage    EU/EEA data centre regions
[•]                         [•]                                             [•]

The current list of sub-processors is available on the Website. Questions concerning this DPA may be directed to info@gemteam.eu.