DPA
Last updated on March 17, 2026.
This Data Processing Agreement ("DPA"), including its Annexes, supplements and is subject to the terms of the agreement between Balsamiq Studios, LLC and its affiliates ("Balsamiq," "Processor") and the customer ("Customer," "Controller") governing Balsamiq's provision of the Services and Licensed Products (the "Agreement"), including the Terms of Service, EULA, and Privacy Policy. In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA shall control.
This DPA is incorporated by reference into the Agreement and applies to all customers. Customers on Enterprise plans who require a countersigned copy may request one by contacting us at support@balsamiq.com.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement. The following terms apply to this DPA:
"Customer Personal Data" means Personal Data contained within Customer Data that is processed by Balsamiq on behalf of Customer in connection with the Services.
"Data Protection Laws" means all applicable data privacy, data protection, and cybersecurity laws, rules, and regulations to which Customer Personal Data is subject, including but not limited to: the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act.
"Personal Data" has the meaning assigned to "personal data" or "personal information" under applicable Data Protection Laws.
"Process" or "Processing" means any operation or set of operations performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data to a country outside the European Economic Area not subject to an adequacy determination by the European Commission; (ii) where the Swiss FADP applies, a transfer of Personal Data to a country that has not been determined to have adequate data protection; or (iii) where the UK GDPR applies, a transfer of Personal Data to a country not subject to adequacy regulations under Section 17A of the UK Data Protection Act 2018.
"Standard Contractual Clauses" or "SCCs" means (i) the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914; (ii) where the Swiss FADP applies, the EU SCCs with the amendments required by the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
"Subprocessor" means any third party engaged by Balsamiq to process Customer Personal Data on behalf of Customer.
2. Scope and roles
2.1 Roles
When processing Customer Personal Data in the provision of the Services, Customer acts as the Controller (or "Business" under US Data Protection Laws) and Balsamiq acts as the Processor (or "Service Provider" under US Data Protection Laws).
Customer shall ensure that it has lawfully collected Customer Personal Data and that it may lawfully provide it to Balsamiq for the purposes contemplated by the Agreement.
2.2 Scope of processing
Balsamiq shall process Customer Personal Data only as necessary to provide the Services in accordance with the Agreement and Customer's documented instructions. The details of the processing activities are described in Annex A.
For Licensed Products, Customer Data is stored on Customer's own systems. Balsamiq's processing of Customer Personal Data under this DPA is limited to any data provided to Balsamiq through support interactions, feedback, or other direct contact.
2.3 Duration
This DPA will become effective upon the date the Agreement takes effect and will terminate automatically upon termination of the Agreement, except that each party's obligations under this DPA shall continue for as long as Balsamiq processes Customer Personal Data.
2.4 Balsamiq affiliates
Customer acknowledges that Balsamiq S.r.l., Balsamiq's software development affiliate, participates in the processing of Customer Personal Data as a Subprocessor under this DPA, and is held to the terms of this DPA.
3. Customer instructions
3.1 Processing instructions
Balsamiq shall process Customer Personal Data only on Customer's documented instructions, unless required to do so by applicable law. The Agreement (including this DPA), Customer's use of the Services or Licensed Products, and Customer's configuration of the Services constitute Customer's complete and final instructions to Balsamiq for the processing of Customer Personal Data.
Customer acknowledges that each time an Authorized User initiates an AI-powered feature within the Services, that action constitutes a documented instruction to Balsamiq to process the relevant Customer Personal Data (including prompts) via the applicable AI third-party provider (subprocessor).
3.2 Additional instructions
If Customer requires processing outside the scope of the Agreement, Customer and Balsamiq shall agree on such processing in writing.
3.3 Notification
If Balsamiq believes that an instruction from Customer infringes Data Protection Laws, Balsamiq will promptly notify Customer. Balsamiq is not obligated to independently assess whether Customer's instructions comply with Data Protection Laws.
4. Confidentiality
Balsamiq shall ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract or statute. Access to Customer Personal Data is limited to Balsamiq personnel who require such access to perform the Services.
5. Security
5.1 Security measures
Balsamiq shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from unauthorized access, use, or disclosure. These measures are described in Annex B and include, at a minimum:
- Encryption of data in transit and at rest
- Logical data isolation
- Role-based access controls with multi-factor authentication
- Regular vulnerability scanning, penetration testing, and independent audits
- Documented incident response procedures
- SOC 2 Type II compliance
5.2 Updates to security measures
Balsamiq may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Customer Personal Data.
6. Subprocessors
6.1 Authorization
Customer provides Balsamiq with general written authorization to engage Subprocessors to process Customer Personal Data in connection with the Services. The current list of Subprocessors is maintained at balsamiq.com/legal/subprocessors/.
6.2 Subprocessor obligations
Balsamiq shall: (i) enter into a written agreement with each Subprocessor that imposes data protection obligations consistent with this DPA; and (ii) remain responsible to Customer for each Subprocessor's compliance with the obligations of this DPA.
6.3 Notification of changes
Balsamiq will provide reasonable advance notice before engaging a new Subprocessor that processes Customer Personal Data. Balsamiq may provide this notice through any reasonable method, including but not limited to updating the subprocessor list page, by email to the Space Owner, or through in-product notification.
Balsamiq shall notify Customer if it makes a determination that it can no longer meet its obligations under US Data Protection Laws.
6.4 Right to object
Customer may object to the engagement of a new Subprocessor by notifying Balsamiq in writing within 30 days of receiving notice. Balsamiq will make commercially reasonable efforts to address Customer's objection, which may include offering an alternative configuration that avoids the use of the objected-to Subprocessor.
If Balsamiq is unable to resolve the objection to Customer's reasonable satisfaction, Customer may stop using the Licensed Products or Services and terminate the Agreement by cancelling its subscription within its billing settings. The termination and cancellation terms that apply (including any applicable refunds) depend on the specific product or integration being used.
7. Data subject rights
7.1 Assistance
Balsamiq shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under applicable data protection and privacy laws.
7.2 Notification
If Balsamiq receives a data subject request relating to Customer Personal Data, Balsamiq will direct the data subject to the relevant Space Owner. Balsamiq will not fulfill or deny the request unless legally required to do so.
Data subjects may also exercise their rights directly through self-service tools as described in the Privacy Policy.
7.3 Assistance with data protection impact assessments
Balsamiq shall provide reasonable assistance to Customer with data protection impact assessments to the extent required by applicable data protection and privacy laws, taking into account the nature of the processing and the information available to Balsamiq.
8. Breach notification
8.1 Notification
Balsamiq shall notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data ("Data Breach").
8.2 Content of notification
The notification shall include, to the extent reasonably available: (i) a description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned; (ii) the name and contact details of a point of contact; (iii) a description of the likely consequences of the Data Breach; and (iv) a description of the measures taken or proposed to be taken to address the Data Breach. For Balsamiq Cloud customers with an Enterprise Plan, Enterprise SLAs also apply.
8.3 Cooperation
Balsamiq shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation, and remediation of the Data Breach.
8.4 Limitation
Balsamiq's obligation to notify Customer of a Data Breach is not and shall not be construed as an acknowledgment of fault or liability by Balsamiq.
9. Data deletion and return
9.1 During the Agreement
Customer may export Customer Data (including Customer Personal Data) at any time during the term of the Agreement through the product's export functionality.
9.2 Upon termination
Upon expiry or termination of the Agreement, Balsamiq will delete Customer Personal Data within 60 days, except where Balsamiq is required to retain copies under applicable law. Where required by law, Balsamiq will isolate and protect retained Customer Personal Data from further processing except as required by applicable law.
Customer Data is available for export for 30 days after a Space is closed.
Upon request to support@balsamiq.com, Balsamiq will provide written confirmation that Customer Personal Data has been deleted.
9.3 Backups
Customer Personal Data may persist in encrypted backups for a limited period after deletion from production systems. Such backups are subject to the same security measures described in this DPA and will be deleted in accordance with Balsamiq's data retention schedule described in the Privacy Policy.
10. Audits
10.1 Audit reports
Balsamiq shall make available to Customer, upon request, its most recent SOC 2 Type II report and any other relevant audit reports or certifications. These reports are available through the Balsamiq Trust Center and are Balsamiq's Confidential Information.
10.2 Satisfaction of audit obligations
Customer agrees that the audit reports described in Section 10.1 shall satisfy Customer's audit rights under Article 28(3)(h) of the GDPR, except where an audit is specifically required by applicable law. Balsamiq does not otherwise offer on-site audit rights.
10.3 Supervisory authority audits
If a supervisory authority or applicable Data Protection Law requires an audit beyond what is provided under Section 10.1, Balsamiq shall cooperate with such audit to the extent required by law. Balsamiq may charge a reasonable fee for any assistance that is not included within the Services, except where the audit is necessitated by Balsamiq's own acts or omissions.
11. International data transfers
11.1 Transfer mechanisms
To the extent that the provision of the Services involves a Restricted Transfer, the parties agree to comply with the applicable Standard Contractual Clauses, which are hereby incorporated by reference. The SCCs are available at balsamiq.com/legal/standard-contractual-clauses/.
11.2 EU SCCs
For Restricted Transfers subject to the EU GDPR, the parties agree that:
- Module Two (Controller to Processor) of the EU SCCs shall apply.
- For the purposes of Clause 9 (Use of subprocessors), Option 2 (general written authorization) shall apply and the notification period shall be in accordance with Section 6.3 of this DPA.
- For the purposes of Clause 17 (Governing law), the SCCs shall be governed by the laws of Italy.
- For the purposes of Clause 18 (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Italy.
- The Annexes to the EU SCCs shall be populated with the information set out in Annexes A and B of this DPA.
11.3 UK transfers
For Restricted Transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) shall apply.
11.4 Swiss transfers
For Restricted Transfers subject to the Swiss FADP, the EU SCCs shall apply with the modifications required by the FDPIC.
11.5 Data Privacy Framework
To the extent that Balsamiq Studios, LLC has self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, Balsamiq may rely on the applicable DPF as a valid transfer mechanism. In the event that the DPF is invalidated or Balsamiq ceases to self-certify, the SCCs shall serve as the fallback transfer mechanism.
11.6 Conflict
In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12. US state data protection laws
12.1 Scope
This section applies to the extent that US Data Protection Laws (including the CCPA/CPRA) apply to Customer Personal Data.
12.2 Balsamiq as service provider
Balsamiq acts as a "Service Provider" (as defined by the CCPA) with respect to Customer Personal Data. Balsamiq shall not: (i) sell or share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than providing the Services as specified in the Agreement; (iii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Balsamiq and Customer; or (iv) combine Customer Personal Data with personal data received from other sources, except as permitted by applicable laws.
Balsamiq certifies that it understands these restrictions and will comply with them.
12.3 Assistance
Balsamiq will reasonably assist Customer with data subject access, deletion, opt-out, and correction requests under applicable US Data Protection Laws.
12.4 Conflict
In the event of any conflict between this DPA and the Agreement with respect to US Data Protection Laws, this section shall control.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
14. General
14.1 Amendments
This DPA may not be modified except by a written amendment signed by both parties, or by Balsamiq updating the DPA in accordance with the Agreement's change provisions.
Balsamiq may update this DPA to reflect changes in applicable laws or its processing practices, provided that such updates do not materially reduce the protections afforded to Customer Personal Data.
14.2 Severability
If any provision of this DPA is invalid or unenforceable, it will be modified to the minimum extent necessary to make it valid; if that is not possible, it will be removed. The rest of this DPA remains in full force and effect.
14.3 Governing law
This DPA shall be governed by the same governing law as the Agreement, except to the extent that Data Protection Laws require otherwise.
Annex A: Processing details
| Item | Description |
| --- | --- |
| Subject matter | Balsamiq's provision and maintenance of the Services and Licensed Products for Customer. |
| Categories of data subjects | Customer's end users, including Space Owners, Billing Admins, and other Authorized Users. |
| Types of Personal Data | Name, email address, user ID, IP address, avatar photo, and any other Personal Data contained within Customer Data (including wireframes, prototypes, designs, comments, AI prompts, and AI outputs). |
| Nature and purpose | Processing of Customer Personal Data as necessary to provide the Services and Licensed Products, including storage, display, collaboration, AI feature processing, and related technical operations. |
| Duration | For the duration of the Agreement, plus the period until deletion of all Customer Personal Data in accordance with this DPA. Data retention and deletion are described in the Privacy Policy. |
| Analytics | Product analytics and session recordings for product improvement, security, and support. Sensitive inputs are masked and access is restricted to authorized staff. |
| Sensitive data | None. The Services are not designed to process sensitive personal data or special categories of data. |
Customer represents and warrants that it will not instruct its Users to input sensitive data into the Services, and acknowledges that Balsamiq does not monitor Customer Data for the presence of such information.
Annex B: Technical and organizational security measures
Balsamiq implements and maintains the following security measures to protect Customer Personal Data:
- Access controls
- Industry-standard encryption
- Infrastructure security
- Monitoring, logs, on-call staff, and automated alerts
- Vulnerability management and remediation timelines
- Incident response procedures
- Personnel security controls
- Confidentiality agreements
- Business continuity plans
- Backup procedures
- Compliance certifications and attestations
These measures are subject to ongoing improvement and may be updated from time to time, provided the overall level of protection is not materially decreased.
Detailed specifications of Balsamiq's current security measures, including its SOC 2 Type II report, are available in the Balsamiq Trust Center.
Annex C: Subprocessor list
The current list of Subprocessors is maintained at balsamiq.com/legal/subprocessors/.
Annex D: Standard Contractual Clauses
The Standard Contractual Clauses applicable to this DPA are available at balsamiq.com/legal/standard-contractual-clauses/.