Data Processing Agreement

Version 1.0 — June 2026. This DPA is published at https://dropboardhq.com/dpa and is incorporated into our Terms of Service. It applies to business customers that use Dropboard to process personal data of their own end users (for example, job applicants), and takes effect on acceptance of the Agreement (no signature required); a counter-signed copy is available on request.

This Data Processing Agreement (“DPA”) forms part of the agreement for the provision of the Dropboard service (the “Agreement”) between:

  • This Meeting Matters, LLC, an Indiana limited liability company, 9783 E 116th St PMB 2448, Fishers, IN 46037, United States (“Processor”, “we”, “us”); and
  • the customer that has accepted the Agreement (“Controller”, “you”).

Where the Controller is itself acting as a processor for its own client (for example, a recruiting agency processing applicant data on behalf of an employer), the Controller enters into this DPA as that client’s processor and we act as a sub-processor; the relevant SCC module (Module Three) applies accordingly.

Capitalized terms not defined here have the meaning given in the EU General Data Protection Regulation 2016/679 (“GDPR”).

1. Subject matter and roles

1.1 This DPA governs our Processing of Personal Data on your behalf in connection with the Service. With respect to that Personal Data you are the Controller (or a processor acting for your own controller) and we are the Processor (or sub-processor).

1.2 This DPA does not apply to Personal Data for which we are an independent controller (e.g. the account-administrator contact details and website usage data described in our Privacy Policy).

1.3 The details of the Processing (subject matter, duration, nature and purpose, types of Personal Data and categories of Data Subjects) are set out in Annex I.

2. Processing instructions

2.1 We will Process Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case we will, where legally permitted, inform you first).

2.2 The Agreement, this DPA, and your configuration and use of the Service through its standard features constitute your complete and documented instructions.

2.3 We will inform you if, in our opinion, an instruction infringes the GDPR or other applicable data protection law.

2.4 Your compliance responsibility. You are responsible for your own compliance with the data protection laws that apply to you for the Personal Data you Process through the Service — including having a lawful basis, giving any required notices to Data Subjects, and determining and meeting any obligations those laws place on you directly (for example, appointing a representative under Article 27 of the GDPR or UK GDPR where required). You will not use the Service to target or recruit Data Subjects in a jurisdiction unless you are responsible for complying with that jurisdiction’s data protection law in respect of that Processing.

3. Confidentiality

We ensure that persons authorized to Process the Personal Data are bound by an appropriate duty of confidentiality.

4. Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing.

5. Sub-processors

5.1 You provide general authorization for us to engage sub-processors to support the Service. The current list of sub-processors is set out in Annex III.

5.2 We will give at least 30 days’ notice of any intended addition or replacement of a sub-processor by updating the list in Annex III and notifying customers who have asked to be told of sub-processor changes (you can opt in by emailing hello@dropboardhq.com). During that notice period you may object on reasonable data-protection grounds; if you object and we cannot reasonably accommodate the objection, you may terminate the affected part of the Service.

5.3 We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for each sub-processor’s performance.

5.4 Customer-Enabled Third-Party Services. The Service lets you optionally connect third-party services using your own account and credentials (for example, a third-party email-delivery provider you configure for outbound email). Where you enable such a service: (i) you authorize and instruct us to transmit the relevant Personal Data to that service; (ii) that provider is engaged by you, not by us — it is your processor (or an independent controller), not our sub-processor, and the obligations in this Section 5 and the Standard Contractual Clauses in Section 11 do not apply to its processing; (iii) you are responsible for assessing it and for entering into any required data-protection terms (including any transfer mechanism) directly with it; and (iv) we remain responsible only for securing the Personal Data within our systems and in transit to the endpoint you configured. Current optional integrations of this kind are listed in Annex III (Section D) for transparency.

6. Data subject rights

Taking into account the nature of the Processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under the GDPR. If we receive such a request directly, we will forward it to you and will not respond except on your instructions or as legally required. The Service also provides self-service tools to access, export and delete applicant Personal Data.

7. Assistance

Taking into account the nature of Processing and the information available to us, we will assist you in ensuring compliance with your obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments and prior consultation).

8. Personal data breach

We will notify you without undue delay after becoming aware of a Personal Data breach affecting your Personal Data, and will provide information reasonably available to us to help you meet your breach-notification obligations.

9. Deletion or return

On termination of the Service, we will, within 30 days of your request, delete or return all Personal Data Processed on your behalf and delete existing copies, unless applicable law requires storage. Backup copies are deleted in line with our standard backup-rotation cycle.

10. Audits

We will make available to you the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. We may satisfy this obligation by providing reasonable documentation; on-site audits are limited to once per 12 months, on reasonable prior notice, subject to confidentiality.

11. International transfers — Standard Contractual Clauses

11.1 To the extent our Processing involves the transfer of Personal Data from the EEA, the United Kingdom or Switzerland to us in the United States, or to any other country without an adequacy decision, the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, are hereby incorporated into this DPA by reference and completed as follows:

  • Module Two (Controller-to-Processor) applies where you are a Controller. Module Three (Processor-to-Processor) applies where you are a processor and we are your sub-processor.
  • Clause 7 (docking clause): applies.
  • Clause 9 (sub-processors): Option 2 (general written authorization), with the notice period in Section 5.2 of this DPA.
  • Clause 11 (redress): the optional independent dispute-resolution body is not selected.
  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (forum and jurisdiction): the courts of Ireland.
  • Annexes I, II and III of the SCCs are populated by Annex I, II and III of this DPA.

11.2 United Kingdom: the UK International Data Transfer Addendum issued by the ICO is incorporated and amends the SCCs for transfers subject to UK GDPR; Tables 1–3 are populated by the Annexes to this DPA, and in Table 4 both the importer and the exporter may end the Addendum.

11.3 Switzerland: the SCCs apply with the amendments necessary under the Swiss Federal Act on Data Protection (references to the GDPR read as the FADP; the competent authority is the FDPIC; “member state” does not bar Swiss Data Subjects from suing in their place of residence).

11.4 If the SCCs are invalidated or superseded, the parties will work in good faith to implement an alternative lawful transfer mechanism.

Annex I — Description of Processing

A. List of parties

  • Data exporter: the Controller (customer) identified in the Agreement.
  • Data importer: This Meeting Matters, LLC, 9783 E 116th St PMB 2448, Fishers, IN 46037, United States, contact: hello@dropboardhq.com.

B. Description of transfer

  • Categories of Data Subjects: job applicants and candidates; the Controller’s staff users who administer hiring.
  • Categories of Personal Data: name; email address; phone; CV/résumé and its contents; cover letters; application answers and notes; any other data the Controller chooses to collect through the Service.
  • Special category data: The Service does not require special-category data (GDPR Article 9) or criminal-offence data (Article 10), but such data may be present in hiring — for example disability or accommodation requests, diversity-monitoring responses, or information volunteered in CVs, cover letters, application answers, notes, or custom attributes. Where the Controller chooses to collect such data through the Service, the Controller is responsible for ensuring it has a valid Article 9 condition (and an appropriate basis for any Article 10 data), and we will Process that data only on the Controller’s documented instructions and under the security measures in Annex II.
  • Frequency: continuous, for the duration of the Service.
  • Nature and purpose: hosting and operating an applicant-tracking / hiring service on the Controller’s behalf (receiving, storing, displaying, organizing and enabling communication about applications).
  • Retention: for the duration of the Agreement and then as set out in Section 9.
  • Sub-processors: see Annex III; processing for the duration of their engagement.

C. Competent supervisory authority: the supervisory authority of the EEA member state in which the data exporter (or its EU representative) is established; where not established in the EEA, the Irish Data Protection Commission.

Annex II — Technical and organizational measures

The following describes the measures in place as at the effective date.

  • Hosting and location. The Service is hosted on Amazon Web Services (AWS) in the United States.
  • Database. Personal Data is stored in a managed relational database that is encrypted at rest and is not publicly accessible (reachable only from within a private network). Automated backups are retained for up to 30 days.
  • File storage. Uploaded files (including résumés/CVs and application documents) are stored in encrypted object storage (server-side encryption at rest, AES-256). Applicant files are access-controlled by the application and are not publicly accessible — they are delivered only via short-lived signed URLs. (Separately, the buckets that hold customers’ public branding/job-board images are served openly and contain no applicant Personal Data.)
  • Document conversion. Non-PDF uploads are converted to PDF in-house, inside our AWS environment, so applicant documents are not sent to an external converter for supported formats. A third-party fallback (CloudConvert) is used only for formats the in-house converter cannot handle (e.g. “.pages”) — see Annex III.
  • Encryption in transit. All external traffic is served over HTTPS/TLS, with HTTPS redirection enforced and a minimum of TLS 1.2.
  • Content delivery. Static assets and images are delivered through a content delivery network. White-label customer domains are served via our custom-domain providers (see Annex III).
  • Secrets and credentials. Application secrets and credentials are stored in a dedicated secrets manager, not in source code.
  • Access control. Access to the production environment and to Personal Data is limited to authorized personnel on a need-to-know basis and protected by authentication.
  • Organizational. Personnel are bound by confidentiality obligations; changes follow a controlled software-development and deployment process; sub-processors are reviewed before engagement.
  • Data subject tooling. The Service provides functionality to export and delete applicant Personal Data, supporting the Controller’s response to data-subject requests.

Annex III — List of sub-processors

A. Core sub-processors (always involved in delivering the Service and may Process applicant Personal Data):

Amazon Web Services, Inc. — United States

Cloud hosting, database, file storage, CDN, monitoring, secrets — including in-house document→PDF conversion (runs inside our AWS environment) and default outbound email delivery via Amazon SES (used unless the Controller configures its own email sender — see Section D).

CloudConvert (Lunaweb GmbH, Germany) — EU entity (Germany); files processed on US servers in practice, because conversion requests originate from our US infrastructure

Document conversion fallback — converts uploaded non-PDF documents (e.g. “.pages”) to PDF only for formats our in-house converter cannot handle; processes applicant documents of those file types only.

B. Conditional sub-processors (engaged by us only where the Controller enables the relevant feature):

Cloudflare, Inc. — United States / global edge

DNS / TLS / reverse-proxy for white-label domains. Triggered by: white-label custom domain.

SaaS Custom Domains (White Shores Tech d.o.o.) — Croatia (EU); sub-processors include US (AWS/Heroku)

Custom-domain provisioning — runs its own proxy stack, separate from Cloudflare. Triggered by: white-label custom domain.

The optional email-delivery providers a Controller can configure (Postmark, SendGrid, Amazon SES, EmailIt) are not our sub-processors — the Controller connects them with its own account/credentials, so they are Customer-Enabled Third-Party Services under Section 5.4 and are listed in Section D below.

C. Not applicant-data sub-processors. The following process data relating to the Controller’s own account (billing, marketing) where This Meeting Matters, LLC is the controller, and are therefore not sub-processors of applicant Personal Data: Stripe (account billing), Moosend (our own marketing/newsletter list), and AppSumo (distribution/licensing). They are listed here for transparency only.

Separately, where a Controller optionally enables Stripe Connect to collect payments from its own clients (for example, for job postings), Stripe processes those clients’ payment data as an independent controller. The Controller enables this with its own connected Stripe account, and the data involved is payment data — not applicant Personal Data — so Stripe is not a sub-processor under this DPA for that activity.

D. Customer-Enabled Third-Party Services (optional email-delivery providers the Controller may configure using its own account and credentials). Per Section 5.4 these are engaged by the Controller, not by us — they are not our sub-processors, and the Controller is responsible for any data-protection terms with them. They are mutually exclusive (a Controller uses at most one at a time) and are listed here for transparency:

Postmark (ActiveCampaign, LLC) — outbound email delivery; engaged via the Controller’s own Postmark account/token.

SendGrid (Twilio Inc.) — outbound email delivery; engaged via the Controller’s own SendGrid API key.

Amazon SES (Amazon Web Services, Inc.) — outbound email delivery; engaged via the Controller’s own AWS SES credentials.

EmailIt (FunFirst s.r.o.) — outbound email delivery; engaged via the Controller’s own EmailIt API key.

If a Controller configures none of these, outbound email is delivered through our Amazon SES (a core sub-processor — see Section A).

Acceptance

This DPA takes effect on your acceptance of the Agreement and does not require a signature. If your organization requires a counter-signed copy for its records, contact hello@dropboardhq.com and we will provide one.

Proudly made in Indianapolis
© 2026 This Meeting Matters, LLC. All rights reserved.