Data processing addendum

For account, billing, security, website, support, and product operations data, CUSTOMER EXPERIENCE SRL acts as controller. For journey content, uploaded documents, exports, and other customer data entered by a business customer about its own customers, employees, patients, users, or stakeholders, the business customer acts as controller and CUSTOMER EXPERIENCE SRL acts as processor.

We process customer content only to provide and secure Journey Builder, including workspace collaboration, storage, export, audit, AI-assisted generation or extraction requested by the customer, billing support, abuse prevention, troubleshooting, and compliance with applicable law.

Customer content may include journey maps, personas, stages, touchpoints, pain points, opportunities, evidence, KPIs, reviews, uploaded documents, action plans, workspace member identifiers, and exports. Customers should avoid unnecessary sensitive, special-category, regulated, or high-risk personal data unless a written agreement explicitly permits it and the customer has a valid legal basis.

We may use subprocessors listed on the Subprocessors page to host, secure, support, and operate the service. We will keep that page reasonably current and require subprocessors to process personal data only for the services they provide to us.

We maintain technical and organizational measures appropriate to the service, including authentication, workspace access controls, row-level security, server-side authorization checks, rate limiting, audit logging for sensitive workspace actions, encrypted transport, restricted administrative access, and operational monitoring.

We will provide reasonable assistance for data subject requests, security inquiries, audits, export, and deletion requests relating to customer content, taking into account the nature of the processing and information available to us. When the service relationship ends, we will delete or return customer content according to the product controls, written agreement, and legal retention obligations.

Some subprocessors may process data outside the European Economic Area. Where required, we rely on appropriate safeguards such as data processing terms, standard contractual clauses, or equivalent transfer mechanisms.

If we become aware of a personal data breach affecting customer content, we will notify the affected business customer without undue delay and provide information reasonably available to us so the customer can assess its notification obligations.

DPA and privacy questions can be sent to dpo@customerexperience.ro.