Impactean
Trust Center
Trust CenterData Processing Addendum (DPA)

Data Processing Addendum (DPA)

Last updated: 2026-05-19.md

GDPR Article 28 Data Processing Addendum for business customers, with EU SCCs Module 2 and 72-hour breach notification.

Last updated: 19 May 2026

If you use Impactean to process personal data on behalf of an organisation — for example, employees on a Business plan — you (the customer) act as the data controller and Valenyr (Impactean brand) acts as the data processor under Article 28 GDPR. This page summarises our DPA. Once agreed in writing between the parties, it forms part of the agreement between us.

  • Subject matter: provision of the Impactean Services as described in our Order Form / online subscription.
  • Duration: while the agreement is in force, plus the retention and deletion schedule in our Privacy Policy §9 (including inactive-account and backup windows).
  • Nature and purpose: hosting an account, delivering the assessment, generating reports, providing AI coaching, tracking commitments, sending transactional email, billing.
  • Data subjects: customer's authorised users (employees, members, programme participants).
  • Data categories: as listed in the Privacy Policy, Section 2.
  • Sub-processors: as listed at /legal/sub-processors. Customer authorises the use of all sub-processors listed there. We will give 30 days' written notice of additions or replacements.
  • International transfers: governed by EU Standard Contractual Clauses (Module 2) where applicable, plus our Transfer Impact Assessment.
  • Security measures: as described at /security.
  • Audits: customer may audit no more than once per 12 months on 30 days' notice, or accept the audit reports of our sub-processors (SOC 2, ISO 27001).
  • Data subject requests: we will assist customer in responding to data subject requests within statutory timeframes.
  • Data breach notification: we will notify customer without undue delay and within 72 hours of becoming aware.
  • Return / deletion: on termination, customer may export data for 30 days; thereafter we delete or anonymise per Privacy Policy §9, except where law requires retention. Sub-processor deletion aligned with /legal/sub-processors.

Email legal@impactean.com from your organisation's authorised signatory to request a countersigned DPA. We typically respond within 5 business days. Enterprise customers may request reasonable redlines.

Where personal data is transferred outside the EEA, the EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor), are incorporated by reference. The clauses prevail over any conflicting term.

For organisational customers, the following applies in addition to the Privacy Policy:

  • Prohibited uses: Impactean is for leadership and personal development. It must not be used as occupational-health screening, clinical mental-health treatment, or automated employment decisions.
  • Coaching confidentiality: Employee coaching chat transcripts are not available to customer administrators. Programme-level analytics (e.g. assessment scores, commitment text summaries, session counts) may be available as described in the order form and DPA.
  • Crisis and safeguarding: Impactean is not an emergency or crisis service and does not provide real-time human monitoring. Customer administrators remain responsible for their own workplace safeguarding policies. Users in immediate danger should be directed to local emergency services and qualified crisis helplines.
  • Escalation: If a customer becomes aware of a credible imminent risk of serious harm involving a user, contact privacy@impactean.com and support@impactean.com promptly. We will act in line with applicable law and the confidentiality limits in our Privacy Policy.
  • Local resources: Customers should communicate appropriate local emergency numbers and employee-assistance resources to their workforce.

legal@impactean.com