This Data Processing Agreement ("DPA") forms part of the Terms of Service between Colorblend Consulting LLC ("Colorblend", the "processor") and the customer ("you", the "controller") for the use of Feedstick (the "Service"). It applies where Colorblend processes personal data of your end users on your behalf and data protection law — such as the GDPR — requires processor terms.
Scope and roles
This DPA covers the end-user personal data you submit to the Service through the feedback-ingest API and related features ("End-User Data"). For End-User Data, you are the controller and Colorblend is the processor. It does not cover data for which Colorblend is itself the controller — such as your account data — which is described in the Privacy Policy.
Details of processing
- Subject matter and duration. Processing of End-User Data to provide the Service, for as long as you maintain an account (plus a short deletion window after termination, described below).
- Nature and purpose. Hosting, storing, organizing, classifying, and displaying feedback; generating embeddings and AI-assisted grouping; securing and rate-limiting the ingest API; sending related transactional email.
- Categories of data. Feedback text, optional structured context you attach, optional submitter email addresses, IP addresses and browser user agents captured at submission, and embeddings derived from feedback content.
- Data subjects. Your end users and anyone else whose personal data appears in the feedback you submit.
Processing on your instructions
Colorblend will process End-User Data only on your documented instructions — which are, in the first instance, the Terms, this DPA, and your use of the Service's features — unless processing is required by law, in which case we will inform you unless the law prohibits it. Personnel authorized to process End-User Data are bound by confidentiality obligations.
Security
Colorblend implements technical and organizational measures appropriate to the risk, including encryption of data in transit, write-only rotatable and revocable ingest keys that cannot read data, role-based access control within the Service, rate limiting and abuse detection on the ingest API, and server-side request validation and size limits. Data at rest is protected by the security measures of our infrastructure providers.
Subprocessors
You authorize Colorblend to engage the following subprocessors to process End-User Data:
- Convex — application database, backend runtime, file storage, and vector search.
- Cloudflare — hosting, content delivery, and network security.
- Resend — delivery of transactional email.
- OpenAI — embeddings, classification, and feedback grouping (feedback content only; not used to train third-party models).
Colorblend remains responsible for its subprocessors' performance. We will update this page before adding or replacing a subprocessor and, where we have your contact details, provide notice. If you object on reasonable data protection grounds and we cannot accommodate the objection, you may terminate the affected service.
Assistance and breach notification
Taking into account the nature of the processing, Colorblend will assist you in responding to data-subject requests (access, correction, deletion, export) concerning End-User Data, and in meeting your security, breach-notification, and impact-assessment obligations. We will notify you without undue delay after becoming aware of a personal data breach affecting End-User Data.
Deletion and return
You can delete individual feedback items through the Service at any time. Upon termination of the Service, Colorblend will delete or de-identify End-User Data within a reasonable period (ordinarily within 30 days), unless law requires further retention. On request before termination, we will provide an export of your End-User Data.
International transfers
End-User Data may be processed in the United States and other countries. Where a cross-border transfer requires safeguards, the parties rely on the European Commission's Standard Contractual Clauses or an equivalent lawful transfer mechanism, which are incorporated by reference where required.
Audit and information
Colorblend will make available information reasonably necessary to demonstrate compliance with this DPA — primarily through documentation such as this page and the security documentation of our subprocessors — and will reasonably cooperate with audits you are legally required to conduct, at your expense and on reasonable notice.
Contact
Questions about this DPA, or need a signed copy for your records? Contact Colorblend Consulting LLC at support@clrblnd.co.