Data Processing Agreement
Last updated: 13th of July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service, or any other agreement governing the Customer's use of Feedbucket's services (together, the "Agreement"), between:
- Feedbucket AB, Helsingborg, Sweden, company number SE559141029401 ("Feedbucket", "we", "us"), and
- the customer that has entered into the Agreement ("Customer", "you").
This DPA takes effect on the date the Customer accepts the Agreement or first uses the Services, whichever is earlier, and applies for as long as Feedbucket processes Customer Personal Data. No signature is required: by using the Services, the Customer agrees to this DPA.
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Customer Personal Data.
1. Definitions
1.1 In this DPA:
- "Customer Personal Data" means any Personal Data processed by Feedbucket on behalf of the Customer in connection with the Services, in particular data submitted through the Feedbucket widget and application, as further described in Annex I.
- "Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR where applicable, and any national laws implementing or supplementing them.
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation), and "UK GDPR" means the GDPR as incorporated into the law of the United Kingdom.
- "Services" means the Feedbucket website-feedback application and widget, and related services, provided under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
- "Subprocessor" means any third party engaged by Feedbucket to process Customer Personal Data on the Customer's behalf in connection with the Services.
1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "processing", "Member State" and "Supervisory Authority" have the meanings given to them in the GDPR, and related terms are construed accordingly.
2. Scope, Roles and Customer Responsibilities
2.1 Roles. For Customer Personal Data, the Customer acts as Controller and Feedbucket acts as Processor. The individuals who submit feedback through the Customer's website or whose Personal Data appears in submitted content are Data Subjects; they do not become customers of Feedbucket. If the Customer uses the Services on behalf of its own client or another Controller, the Customer acts as Processor and Feedbucket acts as Subprocessor. In that case, the Customer warrants that its instructions to Feedbucket are consistent with its obligations to that Controller.
2.2 Feedbucket as independent Controller. Feedbucket acts as an independent Controller, and this DPA does not apply, where Feedbucket processes Personal Data for its own purposes, such as managing Customer accounts and billing, communicating with the Customer, analytics and marketing for its own website and Services, and complying with its own legal obligations. That processing is described in Feedbucket's Privacy Policy.
2.3 Customer responsibilities. The Customer is responsible for:
- ensuring that its processing of Customer Personal Data, including its instructions to Feedbucket, has a valid legal basis and otherwise complies with Data Protection Laws;
- providing all notices to, and obtaining any consents from, Data Subjects that are required for the processing described in this DPA;
- the accuracy, quality and lawfulness of Customer Personal Data submitted to the Services, and the means by which it was obtained;
- configuring and using the Services in a manner consistent with Data Protection Laws, including its choice of enabled features and integrations; and
- not submitting to the Services any special categories of Personal Data within the meaning of Article 9 GDPR, or other highly sensitive data (such as data relating to criminal convictions or payment card data), unless the parties have agreed to this in writing and appropriate safeguards are in place.
2.4 Feedbucket has no obligation to actively monitor the Customer's compliance with Data Protection Laws.
3. Processing Instructions
3.1 Feedbucket shall process Customer Personal Data only on the Customer's documented instructions, unless required to do so by applicable law. In that case, Feedbucket shall inform the Customer of that legal requirement before processing, unless the law prohibits it.
3.2 The Customer's documented instructions consist of: (a) the Agreement and this DPA; (b) the Customer's configuration of and actions within the Services, including settings, deletions, exports and enabled integrations; and (c) any other written instructions agreed between the parties.
3.3 Feedbucket shall promptly inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. Feedbucket may suspend performance of such an instruction until it has been confirmed or modified by the Customer.
4. Feedbucket Obligations
4.1 Feedbucket shall comply with the Data Protection Laws applicable to it as a Processor and shall process Customer Personal Data only as necessary to provide, maintain, support,improve, and secure the Services and to perform its obligations under the Agreement and this DPA.
4.2 Feedbucket shall ensure that access to Customer Personal Data is limited to personnel who need such access to perform their duties, and that all such personnel are bound by contractual or statutory obligations of confidentiality.
4.3 Feedbucket remains responsible to the Customer for the performance of its obligations under this DPA, including where those obligations are performed by a Subprocessor as set out in Section 6.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Feedbucket shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including, as appropriate, the measures referred to in Article 32(1) GDPR.
5.2 The measures Feedbucket currently maintains are described in Annex II. Feedbucket shall review these measures periodically and may update them from time to time, provided that any update does not materially reduce the overall level of protection of Customer Personal Data.
6. Subprocessors
6.1 General authorisation. The Customer provides a general written authorisation for Feedbucket to engage the Subprocessors listed in Annex III to process Customer Personal Data in connection with the Services.
6.2 Subprocessor obligations. Feedbucket shall: (a) carry out appropriate due diligence on each Subprocessor; (b) enter into a written agreement with each Subprocessor imposing data protection obligations that provide at least the same level of protection for Customer Personal Data as this DPA, to the extent applicable to the services the Subprocessor provides; and (c) remain liable to the Customer for the performance of each Subprocessor's obligations with respect to Customer Personal Data.
6.3 Changes to Subprocessors. Feedbucket shall inform the Customer of any intended addition or replacement of a Subprocessor by updating Annex III and notifying the Customer's account owner or administrators by email at least fifteen (15) days before authorising the Subprocessor, thereby giving the Customer a reasonable opportunity to object. Where an urgent replacement is necessary to maintain the security or continuity of the Services, Feedbucket may provide notice as soon as reasonably practicable.
6.4 Objections. If the Customer has legitimate, documented data-protection concerns regarding a new Subprocessor, it may object by contacting hello@feedbucket.app within fifteen (15) days of the notice. The parties shall discuss the objection in good faith and seek a reasonable solution. If no reasonable solution can be found, the Customer may, as its sole remedy, terminate the affected Services in accordance with the Agreement.
6.5 Customer-enabled integrations. The Services allow the Customer to connect its own third-party tools (for example Jira, Trello, Slack, GitHub, Asana, Notion or custom webhooks) so that feedback data is forwarded to them. Such tools are selected, enabled and controlled by the Customer, act on the Customer's instructions, and are not Subprocessors of Feedbucket. Feedbucket's transmission of Customer Personal Data to such tools constitutes a documented instruction from the Customer, and Feedbucket is not responsible for the processing of Customer Personal Data by such tools after transmission.
7. Data Subject Requests
7.1 Taking into account the nature of the processing, Feedbucket shall assist the Customer, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Customer's obligation to respond to Data Subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability and objection), to the extent the Customer cannot reasonably fulfil such requests itself through the functionality of the Services.
7.2 If Feedbucket receives a request from a Data Subject relating to Customer Personal Data, Feedbucket shall, to the extent legally permitted, promptly notify the Customer and shall not respond to the request itself, except to direct the Data Subject to the Customer, on the Customer's documented instructions, or where required by applicable law.
8. Personal Data Breach
8.1 Feedbucket shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall, to the extent the information is available to Feedbucket, describe:
- the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects; and
- a contact point where more information can be obtained.
8.2 Where it is not possible to provide all of this information at the same time, Feedbucket may provide it in phases without undue further delay.
8.3 Feedbucket shall reasonably cooperate with the Customer in investigating, containing and remediating the breach, and shall provide reasonable assistance to enable the Customer to meet its own notification obligations under Data Protection Laws.
8.4 Feedbucket's notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability.
9. Data Protection Impact Assessments and Prior Consultation
9.1 Taking into account the nature of the processing and the information available to Feedbucket, Feedbucket shall provide the Customer with reasonable assistance in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR, including data protection impact assessments and prior consultations with Supervisory Authorities, in each case solely in relation to the processing of Customer Personal Data by Feedbucket.
10. Return and Deletion of Customer Personal Data
10.1 During the term of the Agreement, the Customer can access and delete Customer Personal Data through the functionality of the Services. Export functionality is available through the Services where included in the Customer's plan, or on reasonable request.
10.2 Upon termination or expiry of the Agreement, Feedbucket shall, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless European Union or Member State law requires storage of the Personal Data. If the Customer does not request return of Customer Personal Data within thirty (30) days of termination, Feedbucket shall proceed with deletion.
10.3 Customer Personal Data that has been deleted may remain in encrypted or otherwise protected backups until those backups are cycled out in accordance with Feedbucket's standard backup rotation. Feedbucket shall not restore such data except where necessary for disaster recovery, and this DPA shall continue to apply to any such data until it is deleted.
10.4 Where applicable law requires Feedbucket to retain any Customer Personal Data, Feedbucket shall retain only what that law requires, keep it confidential, and continue to comply with this DPA with respect to that data.
11. Information and Audits
11.1 Feedbucket shall maintain records of its processing as required by Data Protection Laws and, upon the Customer's reasonable written request, provide information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
11.2 If that information is not reasonably sufficient, the Customer may, at its own cost, conduct an audit through an independent auditor that is not a competitor of Feedbucket, subject to: (a) no more than one audit in any twelve-month period, unless otherwise required by a Supervisory Authority or Data Protection Laws; (b) at least thirty (30) days' prior written notice; (c) a mutually agreed scope and audit plan; (d) appropriate confidentiality obligations; and (e) performance during normal business hours without unreasonable disruption. An audit shall not provide access to data of other customers or to information that would compromise Feedbucket's security.
11.3 Feedbucket may satisfy an audit request by providing available independent third-party audit reports or equivalent evidence of compliance.
12. International Data Transfers
12.1 Feedbucket's application servers are located in Frankfurt, Germany (DigitalOcean), and uploaded content such as screenshots, screen recordings and attachments is stored in Frankfurt, Germany (Amazon Web Services). Customer Personal Data is primarily stored and processed within the European Economic Area (EEA).
12.2 Feedbucket shall not transfer Customer Personal Data to, or process it in, a country outside the EEA or the United Kingdom unless a valid transfer mechanism under Data Protection Laws is in place, being: (a) an adequacy decision of the European Commission (including, where applicable, certification under the EU-U.S. Data Privacy Framework); (b) the Standard Contractual Clauses; or (c) another transfer mechanism recognised by Data Protection Laws.
12.3 Where the SCCs apply to a transfer between the Customer and Feedbucket, they are incorporated into this DPA by reference, with Module Two (Controller to Processor) applying where the Customer is a Controller and Module Three (Processor to Processor) applying where the Customer is a Processor. Annex I, Annex II and Annex III provide the relevant processing, security and Subprocessor details, and the parties shall complete any additional information reasonably required for the SCCs to apply. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies on the same basis.
12.4 Where Feedbucket engages Subprocessors outside the EEA or the United Kingdom, Feedbucket shall ensure that an equivalent transfer mechanism is in place for that Subprocessor's processing of Customer Personal Data.
13. Liability
13.1 Each party's liability arising out of or in connection with this DPA (including the SCCs, where they apply) is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to a party's liability means that party's aggregate liability under the Agreement and this DPA together.
13.2 Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is prohibited by applicable law, or affects a Data Subject's rights under Data Protection Laws or the SCCs.
14. Term and Termination
14.1 This DPA takes effect as described in the preamble and remains in force for as long as Feedbucket processes Customer Personal Data on behalf of the Customer, notwithstanding the expiry or termination of the Agreement.
14.2 Obligations under this DPA that by their nature should survive — including confidentiality, deletion and return, international transfer safeguards, and the provision of compliance information — survive until Feedbucket has ceased all processing of Customer Personal Data.
15. Notices, Governing Law and Jurisdiction
15.1 Notices to Feedbucket under this DPA shall be sent to hello@feedbucket.app. Notices to the Customer may be given by email to the Customer's account owner or administrators, or through the Services.
15.2 This DPA is governed by the laws of Sweden, and any dispute arising in connection with it that the parties cannot resolve amicably is subject to the exclusive jurisdiction of the courts of Helsingborg, Sweden. This Section does not affect any mandatory rights of Data Subjects, the powers of any Supervisory Authority, or the governing-law and jurisdiction provisions of the SCCs where they apply.
Annex I — Details of Processing
Subject matter. Provision of the Feedbucket website-feedback collection and collaboration Services, through which the Customer collects, manages and collaborates on feedback about its websites and web applications.
Duration. The term of the Agreement, plus the deletion and backup-rotation period described in Section 10 of this DPA.
Nature of the processing. Collection, transmission, storage, organisation, structuring, display, analysis for the purpose of providing the Services, notification, export, disclosure by transmission to Customer-enabled integrations, deletion, and related support and security operations.
Purposes of the processing. Enabling the Customer and its invited users to submit, view, manage, discuss, export and resolve website feedback, including screenshots, screen recordings, comments, attachments and technical metadata that helps reproduce reported issues; sending related notifications; providing support; and keeping the Services secure.
Frequency. Continuous, as initiated by the Customer, its users and its reporters through their use and configuration of the Services.
Categories of Data Subjects.
- The Customer's employees, contractors and other team members with Feedbucket accounts.
- Clients, testers, reviewers and other individuals invited by the Customer to submit feedback.
- Visitors and end users of the Customer's websites who submit feedback through the widget.
- Individuals whose Personal Data is incidentally visible in submitted content, such as in screenshots or screen recordings.
Categories of Personal Data.
- Identification and contact data: name and email address of reporters and users (where provided), and notification preferences.
- Feedback content: title, description, comments, tags, file attachments, screenshots and screen recordings of the page being reviewed.
- Technical metadata: page URL, browser and version, operating system, device type, screen and viewport size, annotation location on the page, and browser console logs where the Customer has enabled that feature.
- Usage and request data: IP addresses and related technical log data generated by use of the Services.
- Any other Personal Data the Customer or its users choose to include in feedback content.
Special categories of Personal Data. None intended or required. The Customer must not submit special categories of Personal Data except as set out in Section 2.3 of this DPA.
Customer instructions. The Agreement, this DPA, the Customer's settings and actions within the Services (including deletions, exports and enabled integrations), and any other documented instructions agreed between the parties.
Annex II — Technical and Organisational Measures
Feedbucket maintains, as a minimum, the following technical and organisational measures:
1. Access control.
- Access to systems processing Customer Personal Data is limited to authorised personnel who need it to perform their duties.
- Role-based access within the application: Customer Personal Data is logically separated per customer account, and access requires authentication and appropriate authorisation.
2. Personnel.
- All personnel with access to Customer Personal Data are bound by confidentiality obligations.
- Personnel are instructed in the proper handling of Personal Data.
3. Encryption in transit.
- Connections to the Services are encrypted using TLS.
4. Hosting and infrastructure.
- Application and database hosting with DigitalOcean in Frankfurt, Germany.
- Storage of uploaded content (screenshots, screen recordings, attachments) and backups with Amazon Web Services in Frankfurt, Germany.
- Web traffic is routed through Cloudflare for performance and security, including protection against common attacks.
5. Availability and recovery.
- Regular automated backups of production data, with automatic backup rotation.
- Documented recovery processes for restoring the Services in case of failure.
6. Monitoring and vulnerability management.
- Logging of relevant system events and automated error monitoring.
- Regular vulnerability testing and timely application of security patches.
7. Incident response.
- Procedures for identifying, assessing, containing and remediating security incidents, including the breach-notification process described in Section 8 of this DPA.
8. Deletion.
- Controlled deletion processes for Customer Personal Data, as described in Section 10 of this DPA, including removal of associated stored files.
9. Subprocessor management.
- Due diligence on Subprocessors and written data-processing agreements as described in Section 6 of this DPA.
10. Review.
- Periodic review of these measures against changes in risk, technology and the Services.
Annex III — Authorised Subprocessors
1. Subprocessors of Customer Personal Data. Feedbucket engages the following Subprocessors to process Customer Personal Data:
2. Service providers in Feedbucket's own Controller role. For transparency, Feedbucket also uses the following providers to process personal data relating to the Customer itself (such as account, contact and billing information). For this data Feedbucket acts as an independent Controller as described in Section 2.2, so these providers are not Subprocessors of Customer Personal Data under this DPA; this processing is described in Feedbucket's Privacy Policy:
Other vendors used solely for Feedbucket's internal operations — such as internal communication, document management, its marketing website and its own analytics — do not process Customer Personal Data and are not listed here.
Feedbucket will update this Annex, and notify the Customer as described in Section 6.3, when it adds or replaces a Subprocessor of Customer Personal Data.
For any questions about this DPA or Feedbucket's processing of Personal Data, contact hello@feedbucket.app.
Feedbucket AB
Helsingborg, Sweden
Company number: SE559141029401
