This Data Processing Agreement (“DPA”) is made by and between the Duda Customer identified on the particular ordering document for Duda services (“Customer”) and Duda, Inc. (“Duda”) (each a “Party” and together the “Parties”) as required by applicable data privacy laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the California Privacy Rights Act (“CPRA”), and corresponding provisions of other applicable laws (together “Applicable Data Protection Laws”). This Agreement governs matters of Personal Data protection between the Parties, and shall be in force for as long as the Parties process personal data in connection with the relevant Duda services agreement attached to or incorporated by reference into the ordering document previously executed by Customer, referred to generically in this DPA as the “Duda Contract,” which bind the Parties, and it amends any prior agreement between the Parties with respect to data protection matters. Capitalized terms not otherwise defined herein shall take the meaning ascribed to them by Applicable Data Protection Laws.
-
Customer is a Processor or Service Provider in accordance with Applicable Data Protection Laws (“Personal Data”). Duda is a sub-Processor for Customer.
-
Each Party shall comply at all times with Applicable Data Protection Laws. Duda shall promptly notify Customer of any circumstance of which it becomes aware that may prevent either party from complying with its obligations under this DPA or under Applicable Data Protection Laws. Each party shall reasonably cooperate with the other in responding to inquiries, incidents, claims, and complaints regarding the Processing of the Personal Data or as otherwise needed for either party to demonstrate compliance with Applicable Data Protection Laws.
-
Duda will Process Personal Data only pursuant to Customer’s documented instructions, which include the Duda Contract, any other agreement between the Parties with respect to the provision of Duda's services to Customer, and any other instructions communicated in writing to Duda. The nature and purpose of the processing of Personal Data, the duration of such processing, the types of Personal Data processed and the categories of data subjects whose Personal Data is processed will be in accordance with the Duda Contract. Duda may also process Personal Data where required by Applicable Data Protection Laws to which Duda is subject.
-
Customer instructs Duda to Process the Personal Data for the following purposes: (i) providing Duda’s services to Customer; and (ii) compliance with other reasonable and lawful instructions provided by Customer where such instructions are consistent with the Duda Contract.
-
Duda may only Process the types of Personal Data, relating to such categories of Data Subjects, as are detailed in documented instructions per section 3 above.
-
In accordance with CPRA, unless otherwise instructed by Customer, Duda will refrain from: selling or sharing personal information; retaining, using or disclosing personal information for any purpose other than for the business purposes specified in the Duda Contract, including retaining, using or disclosing personal information for a commercial purpose other than the business purposes specified in the Duda Contract or as otherwise permitted by the CPRA; retaining, using or disclosing the information outside of the direct business relationship between Duda and Customer; combining the personal information it receives from the Customer with personal information it receives from or on behalf of another person or persons or that it collects from its own interaction with the consumer.
-
Duda's personnel engaged in Processing Personal Data are and will remain committed to confidentiality. Duda implements appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure; details are available here: https://support.duda.co/hc/en-us/articles/1500001597862-Security-Measures.
-
Duda maintains an updated list of its sub-processors, available here: https://www.duda.co/legal/privacy/subprocessors. Customer is encouraged to check this list on a regular basis. Customer shall have the right to object, on reasoned grounds, to any new sub-processor within fourteen (14) days of the list being updated by Duda. In the event that Customer, acting reasonably and in good faith, objects to such processing, then the Customer may terminate the Duda Contract immediately. Duda shall ensure that the arrangement between Duda and each sub-processor is governed by a written contract including terms which offer substantively at least the same level of protection for the Personal Data being Processed hereunder as those set out in this DPA and which meet the requirements of Article 28(3) of the GDPR, and shall remain liable to Customer for the performance of the Sub-Processor’s obligations.
-
Duda will assist Customer in responding to requests for exercising Data Subjects' rights (GDPR Articles 15-22; “Request”). Duda will inform Customer promptly if it receives a Request, and in any event within 72 hours of receiving the Request, and will not take any other action without Customer’s authorization. Duda will likewise assist Customer with its obligations pursuant to Applicable Data Protection Laws, such as GDPR Articles 32-36, including also data security, data protection impact assessments, and breach notifications. Duda will reasonably allow for and contribute to audits and inspection in this regard. Duda will inform Customer without delay, and in any event within 48 hours, if Duda experiences a Personal Data Breach, and will provide full details to Customer, including all information reasonably needed by Customer to comply with Applicable Data Protection Laws, including without limitation, the root cause of the incident, information about the affected Data Subjects and the possible consequences of the incident, and further developments or information as it becomes available. In cooperation with Customer, Duda shall mitigate the effects of any Personal Data Breach or unauthorized or unlawful Processing and implement appropriate remedial measures to prevent recurrence.
-
Duda will report to Customer upon written request, on the manner in which the obligations contained in this DPA are implemented, and shall maintain up to date records of its Processing activities performed on behalf of Customer in accordance with the record keeping requirements under Applicable Data Protection Law.
-
Unless otherwise required by Applicable Data Protection Laws, Duda shall return or delete, at Customer’s sole discretion, all Personal Data upon the termination of the Processing activities carried out under the Duda Contract, and promptly provide confirmation in writing that it has done so.
-
When Duda processes Personal Data on behalf of its Customers that are based in the EU, EU Personal Data may at times be transferred outside of the EU. Where Duda transfers EU Personal Data to a country outside the EEA which is not considered to provide adequate data protection, the Standard Contractual Clauses (“SCCs”) (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN) shall apply. For purposes of the SCCs, module 3 (processor to processor) shall apply, or if Customer is a controller of such data, module 2 (controller to processor) shall apply. In Clause 9 option 2 (general written authorization) will apply, authorization period will be 14 days, the list shall be as above. In Clauses 7 and 11 the optional language will not apply. In Clause 17 governing law will be the Irish law; in Clause 18 disputes shall be resolved by the courts of Ireland. In Annex I Customer is the ‘Data exporter’, Duda is the ‘Data importer’; the ‘Data subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’ and ‘Subject matter, nature and duration of the processing’ are as described in the Duda Contract. The ‘competent supervisory authority’ is the Irish DPC.
-
Duda may not assign its respective rights and obligations hereunder, other than if such assignment is by way of merger or acquisition of all or substantially all Duda's equity or assets, or change of control.
-
Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives. The choice of law and jurisdiction governing this agreement will be the same as those governing the applicable Duda Contract.
-
Customer’s Data Protection personnel may be contacted at the email provided in the registration form. Duda’s Data Protection personnel may be contacted at privacy@duda.co.