Request Access
Legal

Data Processing Addendum

Last updated: July 3, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer", "Controller") and Designless Private Limited, a private limited company incorporated in India under the Companies Act, 2013 (CIN: U62011KA2026PTC219644), headquartered in Bengaluru, Karnataka, India ("Designless", "Processor", "we", "us", or "our"), for the provision of the Designless platform and services (the "Agreement"). It governs the processing of personal data that Designless carries out on the Customer's behalf as a processor, and it gives effect to the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and equivalent obligations under the UK GDPR.

This DPA applies where, and to the extent that, Designless processes Customer Personal Data as a processor in the course of providing the services. It is distinct from our Privacy Policy, which governs Designless as a controller of its own users' account data.

Scope note. Designless acts as a processor under this DPA primarily where the Customer enables features that capture, render, or otherwise process the Customer's own end users' personal data, such as authenticated review of the Customer's application interfaces. Where the Customer uses the platform only for its own account data and content, Designless acts as a controller under the Privacy Policy and this DPA does not apply.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR or the Agreement.

  • Customer Personal Data means personal data that Designless processes on behalf of the Customer under the Agreement, as described in Annex 1.
  • Data Protection Laws means all laws applicable to the processing of personal data under the Agreement, including the GDPR, the UK GDPR, India's Digital Personal Data Protection Act, 2023, and, where applicable, the California Consumer Privacy Act as amended (the "CCPA").
  • Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, and Supervisory Authority have the meanings given in the GDPR.
  • Sub-processor means any third party engaged by Designless to process Customer Personal Data.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, and, for UK transfers, the UK International Data Transfer Addendum.

2. Roles and scope of processing

As between the parties, the Customer is the controller and Designless is the processor of Customer Personal Data. The Customer is responsible for the lawfulness of the personal data it provides and of the processing instructions it gives. Designless processes Customer Personal Data only as a processor on behalf of the Customer.

The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

3. Processing on documented instructions

Designless processes Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to Designless. The Agreement, this DPA, and the Customer's configuration and use of the services constitute the Customer's complete documented instructions. If Designless is required by law to process Customer Personal Data beyond these instructions, it will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

Designless will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Designless ensures that persons authorized to process Customer Personal Data are bound by an appropriate obligation of confidentiality, whether contractual or statutory, and that access is limited to personnel who need it to provide the services.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, Designless implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. A summary of those measures is set out in Annex 2.

6. Sub-processors

The Customer grants Designless a general authorization to engage sub-processors to process Customer Personal Data. Designless maintains a current list of its sub-processors, together with their function and location, at designless.io/subprocessors.

Designless imposes on each sub-processor data protection obligations that are, in substance, no less protective than those set out in this DPA, and remains responsible to the Customer for the performance of each sub-processor's obligations.

Designless will give the Customer at least 30 days' notice before adding or replacing a sub-processor that processes Customer Personal Data, by updating the sub-processor list and, for Customers who have subscribed to notifications, by a further reasonable means. The Customer may object to a new sub-processor on reasonable data protection grounds within that notice period, in which case the parties will work in good faith to resolve the objection.

7. Assistance with data subject rights

Taking into account the nature of the processing, Designless assists the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (including access, rectification, erasure, restriction, portability, and objection). If Designless receives such a request directly from a data subject in relation to Customer Personal Data, it will, unless legally prohibited, promptly forward the request to the Customer and will not respond directly except on the Customer's documented instructions.

8. Assistance with security, breach notification, and impact assessments

Designless assists the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Designless. This includes assistance with data protection impact assessments and prior consultation with a supervisory authority where required.

Designless notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides the Customer with information reasonably available to it to assist the Customer in meeting its own breach notification obligations.

9. Deletion or return of data

On termination or expiry of the services, and at the Customer's choice, Designless deletes or returns all Customer Personal Data and deletes existing copies, unless applicable law requires continued storage. Where deletion applies, Designless carries it out within a commercially reasonable period consistent with the retention practices described in the Privacy Policy, and residual copies held in routine backups are deleted in the ordinary course of the backup cycle.

10. Audits and information

Designless makes available to the Customer information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To the extent available, Designless may satisfy an audit request by providing relevant third-party certifications, reports, or a completed security questionnaire. On-site inspections are limited to reasonable frequency and scope, on reasonable prior notice, during business hours, and subject to confidentiality obligations.

11. International transfers

Designless is established in India, which has not received an adequacy decision from the European Commission. Accordingly, where the provision of the services involves a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to Designless in India, or onward to a sub-processor in a country without an adequacy decision, the parties agree that the Standard Contractual Clauses apply and are incorporated into this DPA by reference. For such transfers, the Customer acts as data exporter and Designless (or the relevant sub-processor) acts as data importer, using Module Two (controller to processor) and, for onward transfers to sub-processors, Module Three (processor to processor). The docking clause is selected, and the annexes to the Standard Contractual Clauses are completed by reference to Annex 1, Annex 2, and the sub-processor list of this DPA. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies to the Standard Contractual Clauses. Where there is a conflict between this DPA and the Standard Contractual Clauses in respect of such transfers, the Standard Contractual Clauses prevail.

12. Liability and relationship to the Agreement

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA supplements the Agreement. In the event of a conflict between this DPA and the Agreement in respect of the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail as set out in Section 11.

13. California Consumer Privacy Act

To the extent the CCPA applies to Customer Personal Data, Designless acts as a "service provider" (as defined in the CCPA) with respect to that data. Designless will not sell or share Customer Personal Data; will not retain, use, or disclose it for any purpose other than performing the services under the Agreement or as otherwise permitted by the CCPA; and will not retain, use, or disclose it outside the direct business relationship between the parties. Designless certifies that it understands and will comply with these restrictions, and will notify the Customer if it determines that it can no longer meet its obligations under the CCPA.

14. Governing law

For Customers established in the European Economic Area, the United Kingdom, or Switzerland, this DPA is governed by the laws of Ireland, and the courts of Ireland have jurisdiction, without prejudice to the rights of data subjects or the competence of supervisory authorities under Data Protection Laws. For all other Customers, this DPA is governed by the laws of India, and the courts of Bengaluru, Karnataka have jurisdiction. In each case, the Standard Contractual Clauses are governed by the law they specify and prevail over this Section for the transfers they cover, and nothing in this Section limits any mandatory rights of data subjects. Where the Agreement specifies a governing law, it applies to the Agreement generally, while this Section governs the processing of Customer Personal Data under this DPA.

Annex 1: Details of processing

Roles Customer is the controller; Designless is the processor.
Subject matter Provision of the Designless platform and services under the Agreement.
Duration For the term of the Agreement, plus the period until deletion or return of Customer Personal Data under Section 9.
Nature and purpose Hosting, storing, capturing, rendering, and processing Customer Personal Data as necessary to provide the services the Customer enables, including AI-assisted design and visual expression features and, where the Customer enables it, review and rendering of the Customer's designated application interfaces.
Types of personal data Personal data contained in the Customer's content and application interfaces that the Customer chooses to process through the services. This may include identifiers, account and profile data, and any personal data present in interfaces the Customer designates for capture. The Customer controls and is responsible for the categories of personal data it submits. Special categories of personal data (Article 9) are not required for the services and should not be submitted unless separately agreed in writing.
Categories of data subjects The Customer's authorized users and the individuals whose personal data appears in the content or application interfaces the Customer processes through the services.
Frequency of transfer Continuous, for the duration of the Agreement, as determined by the Customer's use of the services.

Annex 2: Technical and organizational measures

Designless maintains technical and organizational measures appropriate to the risk, including the following. These measures may be updated over time, provided the level of security is not materially reduced.

  • Access control: role-based access to systems and data on a need-to-know basis, with authentication and least-privilege principles.
  • Encryption: encryption of personal data in transit, and encryption at rest for data stored in our primary infrastructure.
  • Segregation and isolation: logical separation of customer data, with authorization checks enforced at the data tier.
  • Resilience: managed, backed-up infrastructure with measures to restore availability and access to personal data after an incident.
  • Incident response: documented incident response and breach notification procedures.
  • Data minimization by design: capture and processing are scoped to what the Customer enables, with mechanisms to reduce the persistence of unnecessary personal data.
  • Vendor management: sub-processors are subject to written data protection obligations and are listed at designless.io/subprocessors.

Annex 3: Sub-processors

The current list of sub-processors, including function and location, is maintained at designless.io/subprocessors and is incorporated into this DPA by reference.

How to execute this DPA

This DPA is incorporated into the Agreement and applies automatically where Designless processes Customer Personal Data as a processor. No separate signature is required for it to take effect.

Customers who prefer a signed instrument have two options:

  • Accept online: review and accept this DPA electronically through the enterprise onboarding flow. Online acceptance by an authorized representative of the Customer has the same effect as a signed copy.
  • Request a countersigned copy: request a countersigned copy, a completed set of Standard Contractual Clauses, or a security questionnaire from our Data Protection Officer.

For general privacy inquiries, contact our privacy team.

Expression Infrastructure for AI Agents
Home About Terms Privacy DPA Contact
© 2026 Designless™ · Designless Private Limited · CIN: U62011KA2026PTC219644 · Headquartered in Bengaluru, Karnataka, India