
Data Processing Agreement

LAST UPDATED · 2026-05-12
Template — review with counsel before production use. The language below is a reasonable starting point for a B2B SaaS, not legal advice. Replace bracketed values, confirm jurisdiction, and have a lawyer review before relying on these terms in a customer contract.

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between [Company Legal Name] ("Processor", "we", "us") and the workspace owner ("Controller", "Customer", "you"). It applies when the Service processes personal data on behalf of Customer.

1. Roles

Customer is the Controller of personal data uploaded to or generated within the Service (including prospect records, contacts, activity logs). We act as the Processor.

2. Subject matter and duration

Subject matter: the processing necessary to provide the Prospect Sentinel Service as described in the Terms of Service.

Duration: for the term of the Customer's active subscription, plus any data-retention period specified in the Privacy Policy.

3. Nature and purpose of processing

  • Storing and indexing Customer Data for retrieval within the workspace.
  • Generating AI-assisted outputs (call scripts, email drafts, summaries) using third-party AI providers.
  • Monitoring external data sources (industry news, regulatory feeds, public records) and surfacing relevant signals.
  • Operational support, debugging, security monitoring.

4. Categories of data subjects + personal data

Data subjects. Customer's employees and end users; business contacts at Customer's prospect organizations.

Personal data categories. Contact details (name, email, phone, title, LinkedIn URL), business addresses, notes and activity history about business contacts, IP addresses, and other technical metadata necessary to operate the Service.

5. Sub-processors

Customer authorizes the following sub-processors:

Provider    Purpose                                   Location
Supabase    Database, auth, file storage              United States
Vercel      Application hosting + edge                United States / Global
Anthropic   AI model processing                       United States
Stripe      Payment processing                        United States
Sentry      Error tracking + performance monitoring   United States
Railway     Python worker hosting                     United States

We will notify Customer at least [30 days] before adding or replacing a sub-processor. Customer may object in writing within the notice period; if the objection cannot be resolved we will give Customer the option to terminate the affected portion of the Service.

6. Security measures

  • Transit encryption with TLS 1.2+.
  • Encryption at rest for production databases and storage buckets.
  • Workspace-scoped Row-Level Security on every tenant table.
  • Audit logging for sensitive operations (UPDATEs, deletes, permission changes).
  • Role-based access control within Customer's workspace (owner / manager / rep / viewer).
  • Least-privilege access for our team; access requires documented justification.
  • Regular security reviews and dependency vulnerability scanning.
  • Quarterly disaster-recovery drills.
  • Daily encrypted backups with [7-30 day] retention.

7. Breach notification

We will notify Customer without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach affecting Customer Data. The notification will include:

  • The nature of the breach and the categories and approximate number of data subjects and records affected.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach.
  • Contact information for our security team for follow-up.

8. Data subject requests

If we receive a request directly from a data subject (e.g. an access, deletion, or portability request), we will forward it to Customer without responding to the data subject directly, unless we are legally required to respond. We will assist Customer in responding to such requests within the timelines required by applicable law.

9. Audit rights

Customer may, at its expense and no more than once per twelve months (except where required by a supervisory authority), request information about our compliance with this DPA. Where appropriate we will provide third-party audit reports (e.g. SOC 2, ISO 27001) in lieu of an on-site audit.

10. Return or deletion of data

On termination of the Service, Customer Data is retained for export for [30 days], then permanently deleted from our production systems. Backups are retained per the schedule in Section 6 and are deleted on rotation.

11. International transfers

For transfers of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the Standard Contractual Clauses as adopted by the European Commission, which are incorporated by reference.

12. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.

13. Contact

Data protection inquiries: privacy@example.com
