Last updated: March 18, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Jetstream ("Processor") and the customer ("Controller") governing the provision of Jetstream services (the "Agreement") and applies to the processing of Personal Data by Processor on behalf of Controller.
For clarity, when you use Jetstream services, you (our customer) are considered the "Controller" of your data, and Jetstream is considered the "Processor" that processes data on your behalf.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Data Protection Laws" means all applicable laws and regulations regarding the processing of Personal Data, including, as applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA"), as amended from time to time.
"Processing" means any operation which is performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or otherwise making available.
"Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" means any processor engaged by the Processor who agrees to receive from the Processor Personal Data for processing on behalf of the Controller.
"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Processor on behalf of Controller.
The Processor shall process Personal Data solely for the purpose of providing, maintaining, supporting, and securing the Jetstream services to the Controller as described in the Agreement and in accordance with the Controller's documented instructions.
As outlined in our Privacy Policy, Jetstream does not store Salesforce record data except as directed by the Controller through use of the services. Jetstream may temporarily store limited metadata in logs for troubleshooting, security, and operational purposes, subject to applicable retention periods. If Controller enables features such as History Sync, Jetstream may store Salesforce metadata as necessary to provide the services. Such data is stored in a secure environment and processed only for the purposes of providing, maintaining, and supporting the services.
The Processor shall:
The Controller shall:
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals, the Processor will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Such measures may include, as appropriate:
The Processor shall ensure that any person acting under its authority who has access to Personal Data is bound by appropriate confidentiality obligations.
The Controller generally authorizes the Processor to engage Sub-processors for the processing of Personal Data. The Processor maintains an up-to-date list of Sub-processors at /subprocessors.
Jetstream will provide notice of material changes concerning the addition or replacement of Sub-processors by updating the Sub-processors page or by other reasonable means. If you have concerns about a new Sub-processor, contact us within 30 days of the update to discuss reasonable alternatives.
The Processor shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA, to the extent applicable to the services performed by the Sub-processor.
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, taking into account the nature of the processing. If a Data Subject contacts the Processor directly regarding Personal Data processed under this DPA, the Processor shall promptly forward the request to the Controller unless legally prohibited.
The Processor shall notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a confirmed Security Incident affecting Personal Data processed on behalf of the Controller.
To the extent available, such notification will include relevant details regarding the nature of the Security Incident, the categories of Personal Data affected, and measures taken or proposed to address the Security Incident and mitigate its possible adverse effects.
Upon reasonable written request, and no more than once annually unless required by applicable law or following a Security Incident, the Processor shall provide reasonable information and documentation to demonstrate compliance with this DPA.
Because Jetstream is a cloud-based service, audits may include:
The Controller shall provide at least 30 days' advance written notice for any audit request. Any audit activities shall be conducted in a manner that minimizes disruption to the Processor's operations and does not compromise the security, confidentiality, or privacy of other customers' data. Direct access to systems or infrastructure is not included in audit rights. Additional audit activities beyond the materials described above may be subject to reasonable fees.
The Processor shall not transfer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland unless it has implemented appropriate safeguards in accordance with applicable Data Protection Laws, including, where applicable, Standard Contractual Clauses or another lawful transfer mechanism.
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.
Upon termination of the services, the Processor shall, at the choice of the Controller, delete or return Personal Data to the Controller and delete existing copies unless applicable law requires retention of the Personal Data.
Notwithstanding the foregoing, the Processor may retain limited Personal Data in backups, security logs, and other routine business records for a limited period where required by law or reasonably necessary for security, fraud prevention, dispute resolution, or compliance purposes, after which such retained data will be deleted in accordance with Processor's retention practices.
For clarity, when you delete your Jetstream account, data stored in Jetstream's core service database is deleted in accordance with Jetstream's applicable retention and deletion practices.
In case of conflict between this DPA and any other agreement between the parties, the provisions of this DPA shall prevail solely with respect to the parties' data protection obligations.
Except as otherwise expressly stated in this DPA, this DPA does not modify or supersede the limitations of liability set forth in the Agreement.
If any provision of this DPA is found by a court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions of this DPA, which shall remain in full force and effect.
For questions regarding this DPA, contact us at support@getjetstream.app.
Subject Matter: Processing of Personal Data in connection with the provision of Jetstream services.
Nature and Purpose of Processing: Processing necessary to provide, maintain, support, secure, and improve the services, including hosting, authentication, customer support, troubleshooting, analytics, and related operational functions.
Categories of Data Subjects: Controller's employees, contractors, end users, and other individuals whose Personal Data is included in Customer Data submitted to the services.
Categories of Personal Data: Identifiers, contact information, account information, authentication data, metadata, support data, system-generated logs, and any other Personal Data submitted by or on behalf of the Controller through use of the services.
Duration of Processing: For the term of the Agreement and for any additional period required to complete the return or deletion process, comply with applicable law, or maintain limited retained data as described in this DPA.