Template — not legal advice. This is a starting-point document generated for AttnSetter and must be reviewed and adapted by qualified legal counsel before you rely on it. Replace every [BRACKETED] placeholder (company name, addresses, governing law, dates).

Data Processing Addendum

Last updated: [DATE]

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between [COMPANY] (“Processor”) and the customer (“Controller”) and applies where the Processor processes personal data on the Controller’s behalf under the GDPR, UK GDPR, or comparable laws.

1. Roles

For Customer Data containing personal data of prospects, the Controller determines the purposes and means of processing and the Processor processes it only on the Controller’s documented instructions (including via use of the Service).

2. Details of processing

  • Subject matter & duration: provision of the Service for the term of the agreement.
  • Nature & purpose: storing, sending, tracking, and providing AI assistance for outreach to the Controller’s prospects.
  • Categories of data subjects: the Controller’s business prospects and contacts.
  • Categories of personal data: name, business email, phone, job title, company, engagement/event data, and any notes the Controller adds.

3. Processor obligations

The Processor will: process personal data only on documented instructions; ensure persons authorized to process are bound by confidentiality; implement appropriate technical and organizational security measures (Art. 32); assist the Controller with data-subject requests and with Arts. 32–36 obligations; and make available information necessary to demonstrate compliance.

4. Subprocessors

The Controller authorizes the Processor to engage subprocessors. Current subprocessors include: [Supabase] (database/hosting), [Render] (app hosting), [Anthropic] (AI processing), [Google] (Gmail API), [Twilio] (SMS), and [Stripe] (payments). The Processor will impose data-protection obligations on each subprocessor no less protective than this DPA and will notify the Controller of intended changes, allowing reasonable objection.

5. Security measures

Encryption in transit; access controls and least-privilege; tenant isolation; secrets management; logging and monitoring; and regular review. [Detailed measures — TO BE COMPLETED.]

6. Data-subject requests

The Processor will, taking into account the nature of processing, assist the Controller by appropriate measures (including Service tooling for suppression, erasure, and export) to fulfill the Controller’s obligation to respond to data-subject requests.

7. Personal-data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with information reasonably available to assist the Controller’s own obligations.

8. Audits

The Processor will make available information necessary to demonstrate compliance and allow for and contribute to audits, subject to reasonable confidentiality and frequency limits.

9. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum), incorporated by reference. [To be completed by counsel.]

10. Deletion or return

On termination, the Processor will, at the Controller’s choice, delete or return Customer Data and delete existing copies, except where storage is required by law; backups expire on a rolling basis.

11. Contact

[COMPANY], [ADDRESS]. Data-protection contact: [PRIVACY EMAIL].