Data Processing Agreement
Between Pikaboo Enterprises ("Processor") and the Client Organisation ("Controller") | Last updated: March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the service agreement between Pikaboo Enterprises ("Processor", "we", "us") and the organisation using the Pikaboo platform ("Controller", "Client", "you"). It sets out the terms under which we process personal data on your behalf, in accordance with the UK GDPR, EU GDPR, and the Data Protection Act 2018.
2. Definitions
- Personal Data - any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the GDPR.
- Processing - any operation performed on personal data, including collection, storage, retrieval, use, and deletion.
- Data Subject - the individual whose personal data is being processed (i.e. your users).
- Sub-processor - a third party engaged by Pikaboo Enterprises to process personal data on behalf of the Controller.
3. Scope of Processing
3.1 Subject Matter and Purpose
We process personal data solely to provide the Pikaboo video calling platform to your organisation. This includes user authentication, session management, and signaling for peer-to-peer calls.
3.2 Categories of Data Subjects
- Staff, volunteers, and beneficiaries of the Client organisation who are authorised to use the platform.
3.3 Types of Personal Data Processed
| Data Type | Purpose |
|---|---|
| Usernames | User identification and authentication |
| TOTP secrets | Authenticator-based login verification |
| Session tokens | Maintaining authenticated state (30-minute TTL) |
| IP addresses (in memory only) | Rate limiting to prevent abuse |
3.4 Data We Do Not Process
We do not process, access, store, or transmit:
- Call audio or video content (peer-to-peer, never touches our server)
- Chat messages (peer-to-peer via WebRTC data channels)
- Files transferred between users (peer-to-peer via WebRTC data channels; TURN relay disabled for file transfer to prevent third-party handling)
- Live caption text or audio (captions are generated on-device via Sherpa-ONNX; no audio leaves the browser)
- Email addresses, phone numbers, or real names (unless used as usernames)
- Cookies, analytics, or tracking data
4. Obligations of the Processor
Pikaboo Enterprises shall:
- Process on instructions only - process personal data only on documented instructions from the Controller, unless required by law.
- Ensure confidentiality - ensure that persons authorised to process personal data are bound by obligations of confidentiality.
- Implement security measures - maintain appropriate technical and organisational measures to protect personal data, including:
  - Encryption in transit (TLS 1.2+) and at rest (Upstash Redis encryption)
  - Per-tenant data isolation via Redis key prefixing
  - SSH key-only server access (password authentication disabled)
  - Firewall restricting access to ports 22, 80, and 443 only
  - Docker container isolation with memory and CPU limits
  - TOTP-based authentication (no passwords)
  - Rate limiting on all API endpoints
  - Automated daily security patching
  - Docker log rotation (10 MB x 3 files per container)
  - 30-minute session expiry with replay protection
- Sub-processor management - not engage another processor without prior written authorisation from the Controller. A current list of sub-processors is maintained in Section 6.
- Assist with data subject rights - assist the Controller in responding to data subject requests (access, rectification, erasure, etc.) within reasonable timeframes.
- Data breach notification - notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach, providing:
  - Nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences
  - Measures taken or proposed to mitigate
- Deletion on termination - upon termination of the service, delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by law.
- Audit rights - make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits with reasonable notice.
5. Obligations of the Controller
The Controller shall:
- Ensure there is a valid lawful basis for the processing of personal data.
- Inform data subjects about the processing in accordance with GDPR Articles 13 and 14.
- Manage user accounts via the admin panel (adding/removing users, resetting TOTP).
- Notify Pikaboo Enterprises of any data subject requests that require our assistance.
- Not upload or configure the platform to collect data beyond what is described in this DPA.
6. Sub-processors
We use the following sub-processors. The Controller is deemed to have given general written authorisation for these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | Germany (EU) |
| Upstash Inc. | Redis database (auth data) | EU region |
| Cloudflare Inc. | DNS, TLS certificates, TURN relay | Global |
We will notify the Controller at least 14 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.
7. International Transfers
All stored personal data is processed within the EU (Hetzner Germany, Upstash EU).
Cloudflare processes data globally as part of its anycast network for DNS resolution and TURN relay. Cloudflare's processing is covered by:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreement (IDTA)
- Cloudflare's DPA and privacy commitments
No personal data is transferred to countries without adequate protection unless appropriate safeguards are in place.
8. Data Retention
| Data | Retention |
|---|---|
| Usernames | Until removed by Controller's admin |
| TOTP secrets | Until reset or user removed by admin |
| Session tokens | Auto-deleted after 30 minutes |
| IP addresses | In-memory only, cleared after 60 seconds |
No call content, chat messages, or call metadata is ever stored.
9. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination:
- We will cease processing personal data on behalf of the Controller.
- All tenant data (usernames, TOTP secrets, sessions) will be deleted from Redis within 30 days.
- The tenant's Docker container and configuration files will be removed from the VPS.
- We will provide written confirmation of deletion upon request.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the main service agreement. Nothing in this DPA limits liability for breaches of data protection law where such limitation is not permitted.
11. Governing Law
This DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
For questions about this agreement:
Pikaboo Enterprises
Email: privacy@pikaboo.app
Country: United Kingdom