Data Processing Agreement
Linkd HQ — A product of DesignedIT Inc.
Effective March 15, 2026 — Version 1.0
Acceptance — This DPA is incorporated into and accepted alongside the Linkd Terms of Service upon account creation. Customers requiring a countersigned copy for compliance records may contact contact@designedit.org.
1. Parties and Scope
This DPA is entered into between DesignedIT Inc., operating as Linkd HQ (“Processor”), and the organization creating a Linkd account (“Controller,” “Customer”). This DPA applies where Linkd processes personal data on behalf of the Customer subject to GDPR, UK GDPR, PIPEDA, Quebec Law 25, or equivalent data protection laws.
2. Nature and Purpose of Processing
Subject matter — AI chatbot services for healthcare and service-based businesses.
Duration — the term of the Services agreement.
Nature — collection, storage, retrieval, use, and deletion of personal data through chatbot interactions, forms, and lead capture.
Purpose — providing AI-powered chatbot responses, lead capture, appointment support, and analytics.
Data types — names, email addresses, phone numbers, inquiry content, form submissions, session metadata.
Data subjects — end users and patients interacting with the Customer's chatbot.
3. Processor Obligations
Linkd will:
- Process personal data only on documented Customer instructions.
- Ensure all personnel with data access are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist the Customer in fulfilling data subject rights requests within applicable legal timeframes.
- Assist with security, breach notification, impact assessment, and prior consultation obligations.
- Delete or return all personal data at the end of the Services.
- Make available all information necessary to demonstrate compliance.
- Not engage sub-processors without prior Customer authorization.
4. Controller Obligations
Customers agree to:
- Ensure a lawful basis exists for all personal data processed through the Services.
- Provide appropriate privacy notices and obtain necessary consents from data subjects.
- Ensure instructions to Linkd comply with applicable law.
- Not instruct Linkd to process data in violation of applicable law.
- Be responsible for the accuracy, quality, and legality of personal data submitted.
5. Sub-processors
The Customer grants general authorization for Linkd to engage the following sub-processors. The current list is maintained at linkdhq.com/subprocessors. Linkd will notify the Customer at least 30 days before engaging new sub-processors that handle personal data.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, database, storage | All customer and end-user data | US |
| OpenAI | AI inference | Query text only — ephemeral, zero retention | US |
| Clerk | Authentication | Name, email, login events | US |
| Stripe | Payment processing | Billing data only | US |
| Pinecone | Vector database for semantic search | Vector embeddings of Customer Content only | US |
6. International Data Transfers
All customer data is stored in Google Cloud US regions by default.
EU/EEA transfers — governed by EU Standard Contractual Clauses (Commission Implementing Decision 2021/914). By accepting this DPA the Customer and Linkd are deemed to have entered into the applicable SCCs. A copy is available upon request.
UK transfers — governed by the UK International Data Transfer Addendum as issued by the ICO (version in force from March 21, 2022), incorporated into this DPA by reference. A copy is available upon request.
Canada — PIPEDA governs federal-level transfers. Canada has adequacy status with the EU. For Ontario customers, data handling is consistent with PHIPA requirements.
7. Security Measures
Linkd maintains:
- Encryption at rest using AES-256-GCM via Google Cloud.
- Encryption in transit using TLS 1.3.
- Role-based access controls limiting data access to authorized personnel.
- Multi-factor authentication via Clerk.
- Logical tenant isolation.
- Automated security monitoring.
- Incident response procedures with 24-hour customer notification.
- 30-day auto-deletion of conversation logs via Firestore TTL policy.
- Conversation logging disabled by default with automated sensitive information detection when enabled.
8. Data Subject Rights
Linkd will assist the Customer in responding to data subject requests within 30 days. Where Linkd receives a data subject request directly, it will forward the request to the Customer within 5 business days without responding to the data subject unless legally required. Most requests can be fulfilled via the self-service dashboard.
9. Breach Notification
Linkd will notify the Customer within 24 hours of becoming aware of a personal data breach. The notification will describe the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
Regulatory timelines — GDPR: 72 hours. UK GDPR: 72 hours. HIPAA: 60 days. PHIPA: without undue delay. PIPEDA: if real risk of significant harm. Quebec Law 25: 72 hours.
10. Audit Rights
Upon reasonable written notice, Linkd will make available all information necessary to demonstrate compliance and support audits by the Customer or a mandated auditor. In lieu of on-site audit, Linkd may provide a completed security questionnaire or third-party assessment results.
11. Term and Termination
This DPA is effective for the duration of the Services agreement. Upon termination, Linkd will delete all personal data within 30 days. Written confirmation of deletion is available upon request.
12. Governing Law
Governed by the laws of the Province of Ontario and the federal laws of Canada. Interpreted consistently with GDPR for EU customers and UK GDPR for UK customers.
Questions and countersigned copy requests — contact@designedit.org with subject “DPA Request”