# Data Processing Addendum

Source: https://metadock.app/dpa

# Data Processing Addendum (DPA)

Last Updated: June 14, 2026

## Overview

This page summarizes Gammal Software, Inc.'s position as a processor of personal data on behalf of business customers ("Controllers") and provides our standard Data Processing Addendum (DPA) for execution under the EU GDPR, the UK GDPR, Quebec Law 25, and Canadian PIPEDA.

MetaDock is primarily a desktop product where the user's browsing data, workspaces, and profiles are stored **locally**on the user's device. We typically do not process personal data_about end users of your application_ through MetaDock itself. The DPA below applies when:

-   You use MetaDock as part of a workflow that processes personal data of EU/UK/Quebec/Canadian residents and you require a processor agreement under GDPR Art. 28 or equivalent;
-   You purchase MetaDock seats on behalf of an organization and need a DPA for your privacy programme;
-   You request Standard Contractual Clauses (SCCs) for transfers of personal data to our Canadian-based service.

## Requesting Our DPA

To execute our standard DPA, email [legal@metadock.app](mailto:legal@metadock.app) with subject line **"DPA Request"** and include:

-   Your organization's legal name and country of registration
-   The data-protection regime(s) you are subject to (GDPR / UK GDPR / Quebec Law 25 / PIPEDA / CCPA / other)
-   The MetaDock account email or subscription identifier
-   Whether you require EU SCCs (Module 2 — controller to processor), UK Addendum, or Quebec-specific terms

We will return a counter-signed DPA within 5 business days. Our standard DPA incorporates the **European Commission Standard Contractual Clauses (Decision 2021/914)**, the **UK International Data Transfer Addendum**, and Quebec Law 25 cross-border transfer requirements where applicable.

## Subprocessors

We engage the following subprocessors. Where personal data of EU/UK/Quebec residents is transferred outside the customer's jurisdiction, the transfer is governed by Standard Contractual Clauses or an equivalent transfer mechanism.

Subprocessor

Purpose

Location

Stripe, Inc.

Subscription payment processing

United States & global

Mailjet

Transactional and marketing email (subscription receipts, license keys, optional newsletter)

France / European Union

Microsoft Clarity

Website analytics: session replays, heatmaps, click maps on metadock.app (loaded only after analytics-cookie consent)

United States, with global Microsoft infrastructure

Microsoft (WebView2 runtime)

Browser engine inside the MetaDock desktop application; sends standard Edge diagnostics directly to Microsoft

Global Microsoft infrastructure

Sentry (Functional Software, Inc.)

Application crash and error diagnostics (stack traces, application version, OS, hashed hardware ID); retained ~90 days

United States

We will provide written notice before adding or replacing any subprocessor that processes personal data of customers covered by an executed DPA, giving you a reasonable opportunity to object.

## Security & Audits

Security measures are described in our [Privacy Policy — Data Security](https://metadock.app/privacy#data-security) section. We will reasonably cooperate with Controller audits required by GDPR Art. 28(3)(h) or equivalent, subject to confidentiality, scoping, and frequency limits set out in the DPA.

## International Transfers

Personal data transferred from the EEA, UK, or Switzerland to Gammal Software in Canada is covered by the European Commission's adequacy decision for Canadian commercial organizations under PIPEDA. That adequacy decision applies only to organizations and processing subject to PIPEDA and remains under periodic review by the European Commission; where an EEA, UK, or Swiss customer requires it, we will enter into Standard Contractual Clauses (or the applicable transfer mechanism) as a supplementary measure. Transfers to subprocessors located in the United States or globally are governed by the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, the Swiss DPA equivalence mechanism, or the EU–U.S. Data Privacy Framework where the subprocessor is certified.

For transfers of personal data of Quebec residents outside Quebec, we conduct a privacy impact assessment as required by Law 25 s. 17 and select subprocessors that maintain adequate protection.

## Contact

Privacy Officer
Gammal Software, Inc.
303D-2967 Dundas Street West
Toronto, Ontario M6P 1Z2, Canada
[legal@metadock.app](mailto:legal@metadock.app) / [privacy@metadock.app](mailto:privacy@metadock.app)
