1. Purpose and scope
This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer (“Controller”) and JH Media Group, LLC, a Wyoming limited liability company, d/b/a Toado (“Processor,” “we,” “us”) under which Customer subscribes to the Toado services (the “Service”). It governs the Processing of Personal Data on behalf of the Controller and is incorporated into the Toado Terms of Service.
To the extent of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the Processing of Personal Data.
2. Definitions
Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the California Consumer Privacy Act / California Privacy Rights Act (collectively, “Data Protection Laws”), as applicable.
3. Roles of the parties
For Personal Data Customer submits to or generates within the Service, Customer is the Controller (or where applicable, a Processor acting on behalf of a third-party Controller) and Toado is the Processor. Toado will Process Personal Data only on documented instructions from Customer, including those set forth in the Terms of Service and this DPA, unless required to do so by applicable law.
4. Subject matter, duration, nature, and purpose
- Subject matter: Provision of the Toado services to Customer.
- Duration: The term of the underlying agreement, plus a 30-day post-termination export window and any retention required by law.
- Nature and purpose: Hosting, storage, transmission, processing, and display of Personal Data as needed to operate the Service.
5. Categories of data subjects and Personal Data
Data subjects may include: Customer’s authorized users, Customer’s end-users (where their data appears in captures), and any other individuals whose data Customer chooses to process via the Service.
Categories of Personal Data typically include:
- Identity and contact data (name, email, account metadata, profile info);
- Authentication data (hashed credentials, session tokens);
- Bug capture content (screenshots, console logs, network requests, DOM snapshots, URLs, annotations); this content may incidentally include Personal Data depending on what was on the page when captured;
- Usage and diagnostic data (feature usage, error logs, IP addresses, user agents);
- Communications between Customer’s users (comments, mentions).
Customer is responsible for ensuring that any Personal Data submitted to the Service is collected and processed lawfully, and for using the Service’s built-in PII redaction tools to remove sensitive content before upload.
6. Subprocessors
Customer authorizes Toado to engage subprocessors to provide the Service. The current list of subprocessors is published on the Security page. Toado will provide Customer with at least 30 days’ prior written notice (or in-product notification) before engaging any new subprocessor that processes Personal Data, during which Customer may object on reasonable grounds. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected portion of the Service for material breach.
Toado will impose data-protection obligations on each subprocessor that are materially equivalent to those in this DPA, and Toado remains liable to Customer for the performance of each subprocessor.
7. International data transfers
Toado’s primary infrastructure is located in the United States. For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to third countries that have not received an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK Addendum and Swiss equivalents are incorporated by reference, with Customer as data exporter and Toado as data importer.
8. Confidentiality
Toado will ensure that personnel authorized to Process Personal Data are subject to written confidentiality obligations or appropriate statutory obligations of confidentiality.
9. Security measures
Toado will implement appropriate technical and organizational measures to protect Personal Data, including those described on our Security page. These include encryption in transit (TLS 1.2+), encryption at rest, role-based access control, audit logging, rate limiting, secure development practices, and least-privilege access for our team. Specific measures are detailed in Annex II of the Standard Contractual Clauses where applicable.
10. Personal Data breach notification
Toado will notify Customer without undue delay (and, where feasible, within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include reasonably available information to assist Customer in meeting its own notification obligations.
11. Data subject requests
Toado will provide reasonable assistance to Customer in responding to data subject access, correction, erasure, restriction, portability, and objection requests, taking into account the nature of the Processing and the information available. Customer can self-serve export and deletion of its data from account settings. For requests that require Toado’s direct assistance, Customer should contact security@toado.dev.
12. Data Protection Impact Assessments
Toado will provide reasonable cooperation to Customer in carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and information available to Toado.
13. Audits
Toado will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior notice (and no more than once per year, except after a Personal Data Breach), Customer or its authorized auditor may conduct an audit of Toado’s compliance, subject to confidentiality obligations and Toado’s reasonable security procedures. Customer agrees that audits performed under SOC 2 or equivalent frameworks satisfy this obligation when corresponding reports are made available.
14. Return and deletion
On termination of the Service, Customer may export Personal Data for 30 days, after which Toado will delete or anonymize Customer Personal Data within 90 days, unless retention is required by applicable law. Backup copies will be deleted in accordance with Toado’s ordinary backup retention schedule.
15. CCPA / CPRA terms
To the extent the CCPA / CPRA applies, Toado is a “service provider” processing Personal Information on behalf of Customer. Toado will not sell or share Personal Information, will not retain, use, or disclose it outside the direct business relationship with Customer, and will not combine it with Personal Information from other sources except as permitted by 11 CCR § 7050(b).
16. Liability
Each party’s liability arising out of or related to this DPA is subject to the liability limitations in the underlying Terms of Service.
17. Signed DPA
Enterprise customers who require a counter-signed DPA may request one by contacting security@toado.dev. We typically execute on Toado’s template; bespoke amendments may require additional legal review.
18. Order of precedence
In case of conflict among these documents, the order of precedence is: (1) any countersigned, executed DPA between the parties; (2) this DPA; (3) the Terms of Service.
19. Notices and contact
Notices under this DPA may be sent to security@toado.dev.
Postal: JH Media Group, LLC, Attn: DPA Inquiries, 1740 Dell Range Blvd Ste H 13-84075, Cheyenne, WY 82009, USA.