Legal

Data Processing Addendum

This DPA applies when an OhMyDesk customer — a coworking space operator — processes personal data about its own members, visitors, and leads through OhMyDesk. In that relationship the operator is the controller and OhMyDesk is the processor. It forms part of our Terms of Service.

Last updated:

1. Definitions

Terms such as “personal data”, “controller”, “processor”, “data subject”, and “processing” have the meaning given in the EU General Data Protection Regulation (GDPR). “Customer” means the operator using OhMyDesk. “OhMyDesk” means the OhMyDesk service, available at ohmydesk.app.

2. Roles

3. Scope of processing

Subject matter Provision of the OhMyDesk coworking management service
Duration For the term of the Customer’s account
Nature & purpose Storing and managing members, bookings, invoices, leads, and tasks; generating AI concierge replies; sending notifications
Types of data Names, e-mail addresses, phone numbers (where the Customer enters them), booking history, billing details, message content, lead notes
Categories of data subject The Customer’s members, prospective members, visitors, and contacts
Special category data Not intended; the Customer must not upload special-category data unless agreed in writing

4. OhMyDesk’s obligations

OhMyDesk will:

  1. process Customer Personal Data only on the Customer’s instructions, unless required by law;
  2. ensure persons authorized to process the data are bound by confidentiality;
  3. implement appropriate technical and organizational security measures (see Section 7);
  4. engage sub-processors only under the conditions in Section 5;
  5. assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its obligations on security, breach notification, and data protection impact assessments;
  6. notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data;
  7. at the Customer’s choice, delete or return Customer Personal Data at the end of the service, unless retention is required by law;
  8. make available information necessary to demonstrate compliance and allow for reasonable audits.

5. Sub-processors

The Customer authorizes OhMyDesk to use the sub-processors below. OhMyDesk imposes data-protection obligations on each sub-processor and remains responsible for their performance. We will give notice of new sub-processors with a reasonable opportunity to object.

Sub-processor Purpose Location / safeguard
Supabase Database, authentication, and file storage EU region
Cloudflare Website and application hosting / content delivery Global network (SCCs)
Resend Transactional and notification e-mail EU / US (SCCs)
Stripe Payment processing & subscription billing EU / US (SCCs)
Google (Gemini API) AI concierge reply generation EU / US (SCCs)
Telegram Optional concierge & notification messaging International

6. International transfers

Where Customer Personal Data is transferred outside the EU/EEA, OhMyDesk relies on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

7. Security measures

OhMyDesk maintains measures including: encryption in transit (HTTPS/TLS); hashed passwords; database row-level security; role-based access control; rate limiting and abuse protection; least-privilege service credentials; and logical separation of each Customer’s data by organization.

8. Data-subject requests

If OhMyDesk receives a request directly from a data subject relating to Customer Personal Data, it will refer that person to the Customer and assist the Customer in responding.

9. Liability and term

This DPA is subject to the liability provisions of the Terms of Service and remains in force as long as OhMyDesk processes Customer Personal Data.

10. Contact

Data-protection matters? Email [email protected].