Data processing

Last updated: 2026-04-11 • ← Privacy

Roles

• Data Processor — customer data: Gable Digital Solutions, Inc. acts as a processor for the personal data that customers and their end users submit to the Backbuild platform in the course of using the service. Processing is carried out on the documented instructions of the customer, who is the controller of that data.
• Data Controller — operational data: Gable Digital Solutions, Inc. acts as a controller for the personal data it collects directly in order to operate the business. This includes account information about the customer's administrative users, billing and invoicing records, and marketing communications sent with explicit consent.

Lawful bases for processing

Under GDPR Article 6, Gable Digital Solutions, Inc. relies on the following lawful bases for the processing it performs as a controller:

• Performance of a contract: processing necessary to provide the service to the customer, including account management, billing, and support.
• Legitimate interests: processing necessary for operating the service securely and reliably, such as abuse prevention, fraud detection, audit logging, and platform analytics. Legitimate interest is assessed with a documented balancing test.
• Consent: processing that requires explicit consent, including non-essential marketing communications and optional cookies. Consent is freely given, specific, informed, and revocable.
• Legal obligation: processing required to comply with applicable law, such as retention of tax and financial records.

When Gable Digital Solutions, Inc. acts as a processor, the lawful basis for processing customer data is the customer's controller relationship with its end users. The customer is responsible for identifying and documenting that lawful basis.

Categories of personal data

Gable Digital Solutions, Inc. processes the following categories of personal data through the Backbuild platform — some as a controller and some as a processor on behalf of customers:

• Account information: name, email address, organization affiliation, role, preferred language and time zone. Role: controller.
• Authentication data: identity provider identifiers, hashed credentials where applicable, session identifiers, MFA assertion context. Role: controller.
• Usage logs: records of API calls, feature usage, timestamps, source IP, and user agent, used for security and service improvement. Role: controller.
• Support communications: messages submitted through support channels and their attachments. Role: controller.
• Billing information: customer billing contact, invoicing history, and tokenized payment method references. Payment card data is handled by the payment processor and is not stored by Gable Digital Solutions, Inc. Role: controller.
• Customer-submitted content: whatever the customer chooses to process through the platform, which may include personal data about the customer's end users. Role: processor (Gable Digital Solutions, Inc. processes on the customer's documented instructions).

Purposes of processing

• Service delivery: providing the features of the platform to the customer.
• Security and abuse prevention: protecting the platform and its users from unauthorized access, abuse, and fraud.
• Legal and regulatory compliance: meeting obligations under applicable law.
• Product improvement: aggregated and privacy-preserving analysis of usage patterns. Customers may opt out of non-essential product analytics.
• Customer support: responding to support requests and maintaining a record of interactions.
• Billing and account management: generating invoices, processing payments, and managing account lifecycle.

Data Processing Agreement

A standard Data Processing Agreement is available to all customers and is offered for execution as part of the onboarding process or upon request. See the DPA page for details on how to obtain and execute the agreement.