Last updated: 20 May 2026
Download PDFThis Data Processing Agreement ("DPA") supplements the Productlane Terms of Service or other written agreement governing Customer's use of the Services (the "Agreement") between Productlane GmbH, a company incorporated in Germany with its registered office at Albert-Rosshaupter-Str. 3b, 81369 Munich, Germany ("Productlane"), and the entity identified as Customer in the Agreement ("Customer"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, where required under Data Protection Laws, on behalf of its Affiliates using the Services. Capitalized terms not defined here have the meanings in the Agreement.
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party (≥50% ownership or voting control), only for so long as such control exists.
Authorized Sub-processor means a third party engaged by Productlane to process Customer Personal Data in order to provide the Services, listed in Exhibit B or later authorized under Section 4.
Customer Account Data means personal data relating to Customer's account with Productlane (e.g., admin names, contact details, billing).
Customer Usage Data means service usage / telemetry data generated by Customer's use of the Services (e.g., logs, performance metrics) used to operate, secure, and improve the Services.
Customer Personal Data means personal data processed by Productlane on behalf of Customer within the Services (e.g., support messages, portal content) excluding Customer Account Data and Customer Usage Data.
Data Protection Laws means all applicable privacy / data protection laws and regulations, including GDPR, UK GDPR, the Swiss FADP, CCPA / CPRA, and implementing rules, as amended. Terms like controller, processor, personal data, processing, supervisory authority, and personal data breach have the meanings in GDPR.
EU SCCs means the European Commission's Standard Contractual Clauses (2021/914) as incorporated in this DPA.
UK Addendum means the UK Information Commissioner's International Data Transfer Addendum to the EU SCCs, as incorporated in this DPA.
Services means the Productlane services provided under the Agreement.
For Customer Personal Data, Customer is controller (or processor on behalf of a third-party controller) and Productlane is processor (or sub-processor). For Customer Account Data and Customer Usage Data, Productlane acts as an independent controller (see Section 8).
Productlane will process Customer Personal Data only (a) to provide, maintain, and secure the Services; (b) as documented in the Agreement and this DPA (including transfers); and (c) as otherwise documented by Customer's lawful instructions. Productlane will notify Customer if, in Productlane's opinion, an instruction infringes Data Protection Laws.
The subject matter, duration, nature and purpose of processing, categories of data subjects, and types of personal data are set out in Exhibit A.
Upon termination of the Services or at Customer's written request, Productlane will delete or return Customer Personal Data (at Customer's choice) within 30 days, unless retention is required by law (in which case the data remains isolated and protected until the legal retention period expires, after which it is deleted). Certifications of deletion will be provided upon request where required by the EU SCCs / UK Addendum.
For Customer Personal Data, Productlane is a service provider / processor and will not sell or share such personal information nor use it for purposes other than providing the Services or as permitted by law.
Customer is responsible for (i) the accuracy, quality, and lawfulness of Customer Personal Data; (ii) providing any necessary notices and obtaining all required consents; and (iii) making lawful instructions.
Customer provides general written authorization for Productlane to use Sub-processors to provide the Services.
Current Sub-processors are listed in Exhibit B. Productlane will provide at least 15 days' prior notice of any new Sub-processor by updating Exhibit B and / or notifying Customer via email subscription. Customer may object on reasonable data-protection grounds within 10 days of notice. If no commercially reasonable alternative is available, Customer may suspend the affected Service (without prejudice to fees accrued).
Productlane will impose data protection obligations on Sub-processors equivalent to those in this DPA and remains liable for their acts and omissions.
Taking into account the state of the art, costs, and risks, Productlane implements appropriate technical and organizational measures to protect Customer Personal Data as described in Exhibit C (including encryption in transit and at rest, access controls, logging / monitoring, resilience, and backup / DR).
Productlane ensures personnel accessing Customer Personal Data are subject to appropriate confidentiality obligations and receive security / privacy training.
Productlane will notify Customer without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information to assist Customer in meeting its legal obligations (including GDPR Articles 33 to 34), consistent with law enforcement or regulatory restrictions.
Taking into account the nature of processing and available information, Productlane will assist Customer with DPIAs, data subject requests (see also Section 7), and security obligations under Data Protection Laws. Reasonable, documented costs of non-standard assistance may be charged.
Upon written request no more than once per 12 months, Productlane will provide (a) available third-party security reports / certifications or (b) where insufficient, permit Customer (or an independent auditor bound by confidentiality) to perform a reasonable audit of Productlane's data protection controls during normal business hours with 30 days' notice, without disrupting operations, and limited to facilities, systems, and records relevant to the Services and Customer Personal Data. Customer bears audit costs; Productlane may charge reasonable fees for support.
Where a data subject request relates to Customer Personal Data, Productlane will, where legally permitted, redirect the requester to Customer and reasonably assist Customer in responding, considering the nature of processing and available features. Customer remains responsible for responding to requests and for any applicable fees.
Productlane processes Customer Account Data and Customer Usage Data as an independent controller to: manage the relationship and billing; operate, secure, and improve the Services; detect, prevent, and investigate abuse / security incidents; comply with law; and as otherwise permitted by Data Protection Laws. Productlane may de-identify / aggregate data for legitimate purposes.
Customer Personal Data may be transferred and processed outside its origin country where necessary to provide the Services, subject to appropriate safeguards under Data Protection Laws.
Where GDPR / Swiss FADP applies and Customer Personal Data is transferred to a country without an adequacy decision, the EU SCCs (2021/914) are incorporated by reference and deemed executed between the parties as completed below:
For the EU SCCs: Clause 7 (Docking) not used; Clause 9 (general authorization; notice per Sec. 4.2); Clause 17 (governing law): Germany; Clause 18 (forum): Germany. Annex I / II / III details are in Exhibits A to C.
For transfers under UK GDPR, the UK Addendum is incorporated and deemed executed (with Exhibits A to C completing the tables). If the ICO updates the Addendum, the newest version will automatically apply per its terms.
Productlane maintains supplementary technical / organizational / legal measures consistent with EDPB guidance (see Exhibit C) and will notify Customer of any government access requests to the extent legally permitted.
If there is a conflict, the order of precedence is: (1) EU SCCs / UK Addendum; (2) this DPA; (3) the Agreement. Liability and limitations in the Agreement apply to this DPA to the extent permitted by law. This DPA is governed by the governing law in the Agreement, except where the EU SCCs / UK Addendum specify otherwise.
Productlane processes Customer Personal Data to provide the Productlane customer support platform (support inbox, live chat widget, customer portal, docs / help center, changelog, AI features), including hosting, storage, transmission, display, logging, support, security, troubleshooting, and product improvement (as processor).
For the term of the Agreement plus any legally required retention period.
Customer's end-users (the people who write into Customer's support inbox or use Customer's portal), Customer's support agents and other employees / contractors who access the Services, and any other individuals whose data Customer submits to the Services.
Typically business contact data (name, email, role), support messages and attachments (free-text may incidentally include personal data), usage metadata (timestamps, IPs, device / browser information), and configuration data. Customer does not need to submit special category / sensitive data for normal Service use.
Not intended to be processed. If Customer elects to submit such data in support content, it will be processed under this DPA but is discouraged.
Collection, storage, retrieval, organization, transmission, display, deletion, and other operations necessary to deliver the Services per Customer's instructions.
Customer = controller (or processor); Productlane = processor (or sub-processor).
| Sub-processor | Purpose | Location / region |
|---|---|---|
| Amazon Web Services, Inc. | Primary hosting (compute, storage, databases) | EU (Frankfurt) |
| Cloudflare, Inc. | CDN, WAF, edge services | Global |
| Rocicorp, Inc. | Real-time sync engine (Zero) | EU |
| Inngest, Inc. | Background job and workflow orchestration | US |
| Meilisearch SAS | Hosted full-text search index | EU |
| Sentry (Functional Software, Inc.) | Error tracking and monitoring | US |
| PostHog, Inc. | Product analytics | EU |
| Unkey, Inc. | API key issuance and verification (legacy v1 API) | US |
| Brandfetch GmbH | Brand and company data enrichment (logos, domains) | EU |
| Stripe, Inc. | Payments and billing | US |
| Resend, Inc. | Transactional email delivery | US |
| Loops, Inc. | Transactional and lifecycle email delivery | US |
| Postmark (Wildbit, LLC) | Outbound email delivery for customer inboxes | US |
| OpenAI, L.L.C. | AI inference for optional features (regional endpoints where configured) | EU |
| Anthropic, PBC | AI inference for optional features (Claude models) | US |
| Flightcontrol, Inc. | Deployment and hosting platform services on top of AWS | US |
| Google LLC | Google Workspace: business email, calendar, and document collaboration for Productlane personnel | Global |
| Linear Orbit, Inc. | Linear integration: issue tracking and project sync for customer feedback when enabled by workspace admins | US |
| Slack Technologies, LLC | Slack integration: workspace notifications and Slack Connect customer channels when enabled | US |
| Superhuman Labs Inc. | Email client used by Productlane personnel for business correspondence | US |
Notes: Productlane will provide at least 15 days' prior notice of changes via email. Where available, EU data residency options are enabled (e.g., AWS Frankfurt, PostHog EU). Some providers are global / US with SCCs and supplementary measures.
By entering into the Agreement, the parties are deemed to have executed the EU SCCs (2021/914) and the UK Addendum, with: Module Two (Controller-to-Processor) and / or Module Three (Processor-to-Sub-processor) as applicable; Clause 9 (general authorization; notice per Sec. 4.2); Clause 17 Germany; Clause 18 Germany; Annex I / II / III populated by Exhibits A to C of this DPA; UK Addendum tables populated by Exhibits A to C.