Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and akanoodles holdings limited, a company registered in England & Wales (number 16289830) ("Processor", "akanoodles"). It applies whenever akanoodles processes Personal Data on the Controller's behalf in the course of providing Drop. This DPA is offered as standard to all Pro, Team, and Enterprise customers; it does not require negotiation for the standard terms below.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Sub-processor" have the meanings given in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

"Customer Personal Data" means Personal Data that the Controller (or its end users) submits to Drop or which Drop processes on the Controller's behalf in providing the service.

2. Roles and scope

For Customer Personal Data, the Controller is the data controller and akanoodles is the data processor. akanoodles will only process Customer Personal Data:

3. Subject-matter, duration, nature, purpose, and categories

Subject-matter: Provision of the Drop design-to-code service
Duration: The term of the Controller's subscription, plus the retention periods set out in our Privacy Policy
Nature of processing: Storage, transmission, retrieval, hashing, anonymised analytics
Purpose: Authenticating users; managing subscriptions; generating code from design tokens; diagnosing faults; processing payments; delivering email notifications
Categories of Data Subject: The Controller's authorised users (typically the Controller's employees, contractors, or design-system collaborators)
Categories of Personal Data: Email addresses; account identifiers (one-way hashed for telemetry); subscription billing metadata; IP addresses incidental to HTTP requests; feedback submissions where users include personal data

Drop does not process special-category Personal Data (Article 9 UK GDPR) or criminal-conviction data (Article 10) in the ordinary course of providing the service.

4. Sub-processors

The Controller authorises akanoodles to engage the sub-processors listed below. We maintain a written contract with each, requiring data-protection terms substantially equivalent to those in this DPA. The current sub-processor list is:

Sub-processor | Service | Region of processing
Stripe Payments UK Ltd | Payment processing, subscription billing | UK / EU / US (SCCs)
Supabase Inc. | Authentication, Postgres database, edge function runtime | EU (Frankfurt)
Cloudflare, Inc. | DNS, CDN, network security | UK / EU / global edge
Oracle Cloud Infrastructure | Cloud hosting for the telemetry endpoint and observability stack | United Kingdom
Resend | Transactional email delivery | US (SCCs)
Microsoft Corporation | Email (Microsoft 365 / Exchange Online) | EU + UK
Figma, Inc. | Plugin runtime — the Controller separately accepts Figma's terms when using Figma | US

akanoodles will give the Controller at least 30 days' notice before adding or replacing a sub-processor (e.g. via email to the account contact and an update to drop.akanoodles.com/dpa). The Controller may object on reasonable data-protection grounds; if a workaround cannot be agreed, the Controller may terminate the affected portion of the service and receive a pro-rata refund for unused prepaid fees.

5. Confidentiality and personnel

akanoodles ensures that any person authorised to process Customer Personal Data is bound by confidentiality (contractual or statutory) and has been trained on data-protection responsibilities proportionate to their role.

6. Security measures

akanoodles implements appropriate technical and organisational measures to protect Customer Personal Data, taking account of the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. Current measures include, without limitation:

7. Personal Data Breach

akanoodles will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer Personal Data. The notice will include the nature of the breach, the categories and approximate volumes affected, the likely consequences, and the measures taken or proposed to address it.

8. Data Subject rights

Where a Data Subject submits a request directly to akanoodles to exercise rights under UK GDPR (access, rectification, erasure, portability, restriction, objection), akanoodles will forward the request to the Controller without undue delay and will assist the Controller in responding using appropriate technical and organisational measures, insofar as possible.

If you delete your akanoodles account, an automated erasure runs against telemetry, identity, and subscription stores, typically within 5 minutes of the deletion. Stripe and our accounting records retain financial data for 7 years after cancellation as required by HMRC.

9. Audits

akanoodles will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Once per year, on at least 30 days' notice, the Controller may audit akanoodles' compliance through written information requests; on-site audits are available to Enterprise customers under the Master Services Agreement. SOC 2 / ISO 27001 attestations, where obtained, will be made available to the Controller in lieu of audit on request.

10. International transfers

akanoodles is established in the United Kingdom. Customer Personal Data is stored in the United Kingdom or the European Union. For sub-processors outside those regions, akanoodles relies on the standard contractual clauses incorporated in their data-processing agreements; the Controller authorises akanoodles to enter into those clauses on the Controller's behalf where required for the provision of Drop.

11. Deletion or return on termination

Upon termination of the Controller's subscription, akanoodles will, at the Controller's choice, delete or return Customer Personal Data within 30 days, except to the extent that retention is required by applicable law (notably HMRC accounting record-keeping for 7 years).

12. Liability

The liability of each party under this DPA is subject to the limitation of liability provisions in the Terms of Service.

13. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict for any matter relating to the processing of Personal Data. For Enterprise customers, the Master Services Agreement may amend this DPA in writing.

14. Contact

Data Protection contact: [email protected]
Legal notices: [email protected]

15. Acceptance

By using Drop on a paid plan (Pro, Team, or Enterprise) and processing Personal Data through Drop, the Controller is deemed to accept this DPA on behalf of itself and any affiliate end users it permits to access the service. Enterprise customers receive a counter-signed copy of this DPA as part of their Master Services Agreement.