Last updated: January 20, 2025

Data Processing Addendum (DPA)

Use this overview to understand how Conductor processes customer data when acting as a processor under GDPR, CCPA, or similar frameworks. The signed DPA is available to customers on paid plans.

1. Roles

You are the data controller; Conductor is the processor. We only process personal data on documented instructions provided via the product or written agreements.

2. Subprocessors

We maintain a list of subprocessors (hosting, auth, email). Customers receive notice before material changes and may object if a change creates a legitimate concern.

3. International transfers

Conductor relies on Standard Contractual Clauses (SCCs) for data transfers from the EEA/UK to the United States. Supplemental measures include encryption at rest/in transit and strict access controls.

4. Security measures

Technical and organizational controls include TLS 1.2+, encryption at rest, least privilege access, logging, and employee security training.

5. Data subject rights

We help you fulfill data subject access requests (DSARs) by exporting or deleting relevant records within agreed SLAs (typically 7 days).

6. Request the signed DPA

Paid customers can request the full DPA by emailing legal@conductorgtm.com with their account email and company name.