Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy and applies where Gest LLC ("Gest," "Processor") processes personal data on behalf of users ("Data Subjects") in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion. "Sub-processor" means a third party engaged by Gest to process Personal Data. Terms not defined here have the meanings given in the GDPR or the Terms of Service.

2. Scope and roles

For the purposes of data protection law, Gest acts as a Data Controller for account management, product analytics, and marketing, and as a Data Processor when processing user-generated content (messages, documents, AI conversations) on behalf of users. The categories of Personal Data processed, purposes of processing, and data subjects are described in the Privacy Policy.

3. Obligations of Gest

Gest shall:

- Process Personal Data only in accordance with the Terms of Service, Privacy Policy, and applicable law.
- Not process Personal Data for any purpose other than providing the Service, unless required by law (in which case Gest will inform the Data Subject unless legally prohibited).
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, including encryption in transit and at rest, access controls, and regular security assessments.
- Assist Data Subjects in exercising their rights under applicable data protection law, including access, rectification, erasure, restriction, portability, and objection.
- Notify affected Data Subjects without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach likely to result in a risk to their rights and freedoms.
- Delete or return all Personal Data upon account deletion, in accordance with the retention schedule in the Privacy Policy.

4. Sub-processors

Gest uses the sub-processors listed in the Privacy Policy, Section 6. Gest will notify users of any new sub-processors at least 14 days before they begin processing Personal Data, by updating the Privacy Policy and notifying affected users by email. If a user objects to a new sub-processor, the user may terminate their account and receive a pro-rata refund of any prepaid subscription fees.

Gest ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA. Gest remains fully liable for the acts and omissions of its sub-processors.

5. International transfers

Personal Data is processed and stored in the United States. For transfers of Personal Data from the EEA or UK to the United States, Gest relies on the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 2: Controller to Processor, and Module 3: Processor to Processor, as applicable).

Copies of the applicable SCCs are available upon request by emailing hello@thegest.app.

6. Data subject rights

Gest supports Data Subject rights as required by the GDPR and UK GDPR. Users may exercise their rights by emailing hello@thegest.app or using the in-app account settings (once available). Gest will respond to verified requests within 30 days.

Where Gest acts as a Processor, it will promptly redirect data subject requests to the relevant Controller or assist the Controller in responding, as applicable.

7. Security measures

Gest implements the following technical and organizational measures:

- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest.
- Client-side encryption for sensitive documents in the document vault.
- Role-based access controls limiting employee access to Personal Data.
- Regular security assessments and vulnerability monitoring.
- Secure software development practices.
- Incident response procedures with defined escalation paths.
- Employee confidentiality agreements and data protection training.

8. Audits

Gest will make available to Data Subjects, upon reasonable written request, information necessary to demonstrate compliance with this DPA. Gest will cooperate with reasonable audit requests, subject to confidentiality protections and reasonable advance notice. Audits shall be conducted at the requesting party's expense and no more than once per 12-month period, unless required by a supervisory authority.

9. Term and termination

This DPA remains in effect for as long as Gest processes Personal Data on behalf of the Data Subject. Upon account deletion or termination of the Service, Gest will delete Personal Data in accordance with the retention schedule in the Privacy Policy, unless retention is required by applicable law.

10. Governing law

This DPA is governed by the laws of the State of Wyoming, United States, except that the data protection provisions shall be interpreted in accordance with the GDPR and UK GDPR where those laws apply to the processing. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

11. Contact

For questions about this DPA or to exercise data subject rights: hello@thegest.app.

Gest LLC · United States