Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Startvest LLC ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "Customer") for the use of IdeaLift services (the "Service"). This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the Service.

This DPA is incorporated into and subject to the IdeaLift Terms of Service and Privacy Policy.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable privacy laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only as necessary to provide the Service and in accordance with the Controller's documented instructions.

Categories of Data Subjects

  • Customer employees and team members
  • End users who submit feedback or ideas through integrated platforms

Types of Personal Data

  • Names and email addresses
  • User identifiers from connected platforms (Discord, Slack, Microsoft Teams, GitHub, Linear, Jira)
  • Message content explicitly captured as ideas or feedback
  • Usage data and access logs

Purpose of Processing

  • Providing the IdeaLift idea capture and product management service
  • AI-powered summarization and categorization of submitted ideas
  • Analytics and reporting on captured feedback
  • Account management and customer support

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
  • Respect the conditions for engaging Sub-processors (see Section 5).
  • Assist the Controller in responding to Data Subject requests, including access, rectification, erasure, and portability requests.
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations.
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits.

4. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data instructed to the Processor.
  • Provide documented instructions to the Processor regarding the processing of Personal Data.
  • Ensure that Data Subjects have been informed of the processing in accordance with applicable Data Protection Laws.
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

5. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The current list of Sub-processors is available at /sub-processors.

The Processor shall:

  • Notify the Controller of any intended changes to the list of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
  • Ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
  • Remain fully liable to the Controller for the performance of each Sub-processor's obligations.

Current Sub-processors

Provider         | Purpose                                 | Location
Microsoft Azure  | Cloud infrastructure and hosting        | United States
OpenAI           | AI-powered idea summarization           | United States
Anthropic        | AI-powered analysis and classification  | United States
Stripe           | Payment processing                      | United States
Resend           | Transactional and notification emails   | United States
Google Analytics | Product analytics                       | United States
PostHog          | Product analytics                       | United States / EU
Sentry           | Error monitoring                        | United States

Full sub-processor list: /sub-processors

6. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures, including:

Encryption

  • Data encrypted in transit using TLS 1.3 (HSTS enforced)
  • Data encrypted at rest using Azure SQL Transparent Data Encryption (AES-256)
  • Secrets stored in Azure Key Vault with managed access policies
  • Database connections secured with encrypted channels

Access Controls

  • Role-based access control (RBAC) for all system access
  • Multi-factor authentication (MFA) available for all accounts
  • SSO and SCIM provisioning for enterprise customers
  • Principle of least privilege applied to all personnel and systems
  • Regular access reviews and deprovisioning procedures

Infrastructure Security

  • Hosted on Microsoft Azure with SOC 2 Type II certified infrastructure
  • Network segmentation and firewall rules
  • Automated vulnerability scanning and patch management
  • Comprehensive audit logging of all data access and administrative actions

Organizational Measures

  • Security awareness training for all personnel
  • Background checks for employees with access to Personal Data
  • Documented incident response procedures
  • Business continuity and disaster recovery plans

For a comprehensive overview of our security practices, see our Security page.

7. Security Incident Notification

In the event of a Security Incident, the Processor shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the incident.
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under Data Protection Laws, including:
    • The nature of the Security Incident, including the categories and approximate number of Data Subjects affected
    • The likely consequences of the incident
    • The measures taken or proposed to address the incident and mitigate its effects
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the incident.
  • Not notify any third party of a Security Incident without prior written consent from the Controller, unless required by applicable law.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access — providing copies of Personal Data being processed
  • Right to rectification — correcting inaccurate Personal Data
  • Right to erasure — deleting Personal Data upon request
  • Right to data portability — exporting Personal Data in a structured, machine-readable format
  • Right to restriction — restricting processing under certain circumstances
  • Right to object — ceasing processing where the Data Subject objects

IdeaLift provides a self-service Data Subject Access Request (DSAR) workflow. The Processor shall respond to Data Subject requests within 30 days.

9. International Data Transfers

Personal Data is processed and stored in the United States. Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that does not provide an adequate level of data protection, the Processor shall ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK International Data Transfer Addendum where applicable
  • Supplementary measures as necessary to ensure the level of protection required by Data Protection Laws

10. Data Retention and Deletion

The Processor shall:

  • Retain Personal Data only for as long as necessary to provide the Service or as required by applicable law.
  • Upon termination of the Service, delete all Personal Data within 30 days at the Controller's request, unless retention is required by applicable law.
  • Provide certification of deletion upon request.
  • Ensure that Sub-processors delete Personal Data in accordance with the same terms.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller.

  • Audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours.
  • The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor.
  • The Processor may satisfy audit requirements by providing SOC 2 Type II reports or equivalent third-party certifications.

12. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. The obligations of the Processor under this DPA shall survive termination to the extent necessary to complete the processing and deletion of Personal Data.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to conflict of law principles, except where Data Protection Laws require otherwise.

14. Contact

For questions about this DPA or to request a signed copy for your records:

Startvest LLC

131 Continental Dr Suite 305

Newark, DE 19713

Email: [email protected]