Excalidraw

Annex I – Description of Processing

This Annex describes the Processing of Customer Personal Data by the Processor on behalf of the Controller, as required by Article 28 GDPR.

This Annex applies to the extent the Processor Processes Customer Personal Data through the Services.

1. Subject Matter of the Processing

The Processor provides a hosted collaboration and diagramming service Excalidraw+ enabling workspace creation, drawing, sharing, synchronization, export, and related functionality.

2. Duration of the Processing

For the duration of the Controller’s use of the Services and until deletion of Customer Personal Data in accordance with the DPA and the Processor’s internal retention policies.

3. Nature and Purpose of the Processing

The Processor Processes Customer Personal Data as necessary to provide, maintain, secure, and support the Services, including:

  • account creation and authentication,
  • workspace management,
  • storage, synchronization, and display of drawings,
  • access control and sharing features,
  • subscription and billing operations,
  • customer support,
  • service improvement, security, and reliability.

The Processor does not determine the content entered into drawings and does not access such content except incidentally when providing the Services or when required by law.

4. Types of Personal Data Processed

The Processor Processes the following categories of Customer Personal Data, as submitted by the Controller or its users:

  • account information (e.g., name, email address),
  • workspace membership and permissions,
  • usage and activity metadata,
  • billing-related information,
  • content created or uploaded in workspaces (including drawings and user-generated elements), which may incidentally contain Personal Data depending on the Controller’s use of the Services.

The Processor does not require or intentionally process special categories of Personal Data.

5. Categories of Data Subjects

Data Subjects may include:

  • workspace administrators,
  • workspace members,
  • invited guests (collaborators) or viewers,
  • individuals whose Personal Data is included in drawings or other workspace content by the Controller.

6. Obligations and Rights of the Controller

The obligations and rights of the Controller are set out in the Agreement and the DPA.