Data Processing Addendum
This Data Processing Addendum ("DPA") describes how Belt processes personal data on behalf of its customers as a processor. It supplements and forms part of the agreement between Belt and the customer for use of the Services.
Last updated: June 21, 2026
This DPA is incorporated into and governed by the Belt Terms of Service or the customer's signed Master Services Agreement. Capitalized terms not defined here have the meaning given in those documents and in applicable data protection law (including the GDPR, UK GDPR, and CCPA/CPRA).
1. Roles & definitions
For Customer Data processed through the Services, the customer is the controller (or "business") and Belt is the processor (or "service provider"). Where the customer acts as a processor for its own customers, Belt acts as a sub-processor. Belt processes personal data only to provide the Services and on the customer's documented instructions.
"Personal data," "processing," "controller," "processor," and "data subject" have the meanings given under applicable data protection law.
2. Subject matter & details of processing
| Subject matter | Provision of the Belt Services (desktop applications and single-tenant cloud). |
|---|---|
| Duration | The term of the customer's agreement, plus any retention period required by law. |
| Nature & purpose | Hosting, storage, processing, and transmission of Customer Data to deliver, support, and secure the Services, including AI features the customer enables. |
| Categories of data subjects | The customer's Authorized Users and any individuals referenced within Customer Data. |
| Categories of personal data | Identification and contact data, account/SSO profile data, and any personal data contained in content the customer chooses to process. |
| Special categories | Not intentionally collected by Belt; the customer controls what it submits and is responsible for any special-category data. |
3. Processing instructions
Belt will process personal data only on the customer's documented instructions, including those set out in the agreement and the customer's configuration of the Services, unless required by law (in which case Belt will, where permitted, inform the customer). Belt will inform the customer if, in its opinion, an instruction infringes applicable data protection law. Belt does not sell personal data and does not use Customer Data to train AI models or for any purpose other than providing the Services.
4. Confidentiality
Belt ensures that personnel authorized to process personal data are bound by appropriate obligations of confidentiality and are trained on their data protection responsibilities. Access is granted on a need-to-know, least-privilege basis.
5. Security measures
Belt implements and maintains appropriate technical and organizational measures designed to protect personal data, including:
- End-to-end encryption, plus encryption in transit (TLS) and at rest;
- single-tenant database isolation — each customer's cloud data is logically and physically separated, not stored in a shared multi-tenant database;
- least-privilege access controls, authentication, and SSO support (Google, Microsoft 365);
- logging, monitoring, and alerting;
- vulnerability management, secure development practices, and change control; and
- backup, resilience, and incident response procedures.
A fuller description is available on our Security page. Belt aligns its control environment to recognized frameworks including SOC 2.
6. Sub-processors
The customer authorizes Belt to engage sub-processors to provide the Services. Belt imposes data protection obligations on each sub-processor no less protective than those in this DPA and remains responsible for their performance. Belt will provide notice of intended changes to sub-processors and an opportunity to object on reasonable data protection grounds.
Current categories of sub-processors:
| Category | Purpose |
|---|---|
| Cloud infrastructure / hosting | Hosting of single-tenant databases and application services. |
| AI model providers (cloud) | Cloud inference for AI features the customer enables. Not used when local models are selected. |
| Identity providers | Single sign-on via Google and Microsoft 365. |
| Operational tooling | Billing, communications, support, and monitoring. |
A current, named list of sub-processors is available on request via our contact page.
7. International transfers
Where Belt transfers personal data outside the EEA, UK, or Switzerland, it relies on a valid transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), which are incorporated into this DPA by reference where applicable, together with appropriate supplementary measures. Where offered, customers may select a data residency region for their single-tenant environment.
8. Data subject & compliance assistance
Taking into account the nature of the processing, Belt will provide reasonable assistance to enable the customer to: (a) respond to data subject requests to exercise their rights; (b) conduct data protection impact assessments; and (c) consult with supervisory authorities. If Belt receives a request directly from a data subject, it will, where lawful, direct the request to the customer rather than respond.
9. Personal data breach notification
Belt will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to assist the customer in meeting its notification obligations. Belt will take reasonable steps to mitigate and remediate the breach.
10. Audits
Belt will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including by providing relevant third-party reports and certifications (such as SOC 2). On-site audits, where applicable, are subject to reasonable notice, scope, frequency, and confidentiality conditions, and may be conducted by an independent auditor.
11. Return & deletion of data
Upon termination or expiry of the agreement, Belt will, at the customer's choice, delete or return Customer Data and delete existing copies within a commercially reasonable period, unless retention is required by law. Deletion of data in the customer's single-tenant environment is performed as part of off-boarding.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service or the customer's signed agreement. Questions about this DPA? Contact the Belt team.