Data Processing Agreement (DPA)

Version: 2026-01-13

This Data Processing Agreement (“DPA”) forms part of the Agreement between Excalidraw s.r.o. (“Processor”) and the customer using the Excalidraw+ Services (“Controller”).

This DPA applies solely to the hosted Excalidraw+ Services. It does not apply to the standalone open-source editor available at excalidraw.com.

1. Definitions

For purposes of this DPA:

  • “Agreement” means the Excalidraw Terms of Service or other written or electronic agreement between the parties governing the use of the Services.
  • “Controller” means the Customer as defined in the Agreement, acting as the controller of Customer Personal Data under Data Protection Laws.
  • “Customer” means the entity or individual entering into the Agreement with the Processor.
  • “Customer Personal Data” means any Personal Data Processed by the Processor on behalf of the Controller through the Services.
  • “Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA, including the EU GDPR, UK GDPR, and Swiss data protection law.
  • “EEA” means the European Economic Area.
  • “Personal Data”, “Processing”, “Process”, “Processes”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR.
  • “Processor” means Excalidraw s.r.o., acting as the processor of Customer Personal Data under Data Protection Laws.
  • “SCCs” means the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
  • “Services” means the hosted Excalidraw+ subscription service and any related features, functionality, or support provided by the Processor under the Agreement.
  • “Subprocessor” means any third party engaged by the Processor to Process Customer Personal Data on behalf of the Controller.

2. Roles of the Parties

The Controller acts as the controller of Customer Personal Data.

The Processor acts as the processor of such data on behalf of the Controller under this DPA.

3. Instructions from the Controller

3.1 The Processor will Process Customer Personal Data solely on the Controller’s documented instructions, including as necessary to:

  • provide, maintain, and secure the Services;
  • deliver customer support;
  • ensure service reliability;
  • comply with legal obligations.

3.2 The Controller determines the accuracy, legality, and nature of Customer Personal Data submitted to the Services.

3.3 The Services are not intended for Processing special categories of Personal Data under Article 9 GDPR. The Processor does not monitor or access the content of drawings and Processes such content only incidentally and on behalf of the Controller.

4. Confidentiality and Access Controls

4.1 The Processor ensures that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations.

4.2 Access to Customer Personal Data is strictly limited to authorized personnel located within the European Union, and only where necessary to operate, support, or secure the Services.

4.3 Processor personnel located outside the EU do not have access to Customer Personal Data.

5. Security Measures

5.1 The Processor maintains appropriate technical and organizational measures (“TOMs”) designed to protect Customer Personal Data. A high-level description of these measures is available at https://trust.excalidraw.com.

5.2 These measures include, among others, access controls, encryption, monitoring, incident response, and secure development practices.

5.3 The Processor regularly reviews and updates these security measures.

6. Subprocessors

6.1 The Controller provides the Processor with general authorization to engage Subprocessors.

6.2 The Processor maintains an up-to-date list of Subprocessors at: https://trust.excalidraw.com/subprocessors

6.3 The Processor will notify the Controller of intended Subprocessor changes by email and by updating the list above.

6.4 Continued use of the Services after a Subprocessor update constitutes the Controller’s acceptance of the change.

6.5 The Controller does not have approval or objection rights regarding Subprocessors. If the Controller does not agree with a Subprocessor change, its sole remedy is to discontinue use of the Services and cancel its subscription.

6.6 The Processor remains responsible for each Subprocessor’s compliance with this DPA.

7. International Data Transfers

7.1 The Controller acknowledges that the Processor uses Subprocessors located outside the EEA, including in the United States.

7.2 The Processor ensures lawful international transfers through the EU Standard Contractual Clauses (SCCs), which are incorporated by reference: https://plus.excalidraw.com/legal/standard-contractual-clauses-sccs

7.3 For transfers subject to United Kingdom or Swiss Data Protection Laws, the SCCs apply together with the applicable international transfer addendum, as described at: https://plus.excalidraw.com/legal/international-transfer-addendum

7.4 The Processor applies supplementary measures, including encryption, strict access controls, and data minimization.

8. Assistance with Data Subject Rights

The Processor will reasonably assist the Controller in fulfilling its obligations to respond to Data Subject requests under Data Protection Laws.

The Processor will not respond directly to a Data Subject unless required by law.

9. Data Deletion and Return

9.1 Upon written request from the Controller, the Processor will delete or return Customer Personal Data in accordance with the Controller’s instructions and the Processor’s internal data retention and deletion procedures.

9.2 Cancellation of a subscription does not delete Customer Personal Data. Following cancellation, access to workspace content may be disabled. Customer Personal Data is retained and deleted in accordance with the Processor’s internal retention policies. Deletion of a workspace triggers the Processor’s deletion process.

9.3 User accounts are not deleted automatically and remain active until the user deletes them.

9.4 A high-level description of the Processor’s data retention and deletion approach is available at https://trust.excalidraw.com.

10. Personal Data Breaches

The Processor will notify the Controller without undue delay, and in accordance with Czech and EU law, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

11. Audits and Compliance Information

11.1 The Processor will provide information reasonably necessary to demonstrate compliance with this DPA, including documentation available through the Trust Center.

11.2 Formal audits may be conducted only if required by applicable law and subject to reasonable advance notice and coordination to minimize disruption.

12. Liability and Precedence

12.1 The Processor’s liability under this DPA is subject to the limitations set forth in the Agreement.

12.2 In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent required by Data Protection Laws.

13. Governing Law

This DPA is governed by the laws of the Czech Republic, without regard to conflict-of-laws rules.

14. Term

This DPA remains in effect for as long as the Processor Processes Customer Personal Data on behalf of the Controller.