Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between Customer ("Controller") and RecuroAI LLC or Emron Khairzad d/b/a RecuroAI ("Processor"). This DPA forms part of the Service Agreement / Terms of Service.

1. Definitions

Controller: The entity determining the purposes and means of personal data processing.

Processor: The entity processing personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person.

Data Subject: The individual whose personal data is processed.

Sub-Processor: Any third party engaged by Processor to process personal data.

2. Scope & Roles

The Processor will only process Personal Data on documented instructions from the Controller. Processing activities are strictly limited to providing the RecuroAI services (subscription audit, analytics, alerts).

3. Obligations of the Processor

  • Process Personal Data only for the purposes set out in this DPA.
  • Implement appropriate technical and organizational security measures (encryption, RLS, access controls, audit logs).
  • Ensure staff are bound by confidentiality.
  • Maintain records of processing activities as required by GDPR Art. 30.
  • Notify Controller without undue delay of any data breach.
  • Assist Controller with Data Subject rights requests (access, rectification, deletion, portability).

4. Sub-Processors

Processor may engage Sub-Processors (e.g., Supabase, Stripe, Smartlead, Replit, Postmark).

A current list of Sub-Processors will be maintained and made available on request.

Processor shall ensure all Sub-Processors are bound by obligations no less protective than this DPA.

5. International Transfers

Processor is based in the United States. Where Personal Data is transferred outside the EEA, Processor shall ensure adequate safeguards (e.g., Standard Contractual Clauses).

6. Security

Processor shall implement at minimum:

  • Encryption in transit and at rest.
  • Role-based access controls (RLS policies in Supabase).
  • Regular security audits and monitoring.
  • Backup and disaster recovery processes.

7. Audit Rights

Controller may audit Processor's compliance with this DPA once per year upon reasonable notice, subject to confidentiality.

8. Liability

Each party's liability under this DPA is subject to the liability limitations in the main Service Agreement.

Processor shall not be liable for breaches resulting from Controller's instructions or misuse of the Services.

9. Term & Termination

This DPA remains in effect as long as Processor processes Personal Data on behalf of Controller.

Upon termination, Processor shall delete or return Personal Data within 30 days, unless legally required to retain it.

10. Governing Law

This DPA is governed by the laws of the Commonwealth of Virginia, USA, unless superseded by mandatory EU/EEA law.

Annex I: Processing Details

Nature & Purpose: SaaS platform providing subscription management and cost optimization.

Types of Data: Names, emails, business contact details, subscription/payment data.

Data Subjects: Customer employees, contractors, or account holders.

Duration: For the duration of the service agreement.

Annex II: Security Measures

  • Database protected by Supabase RLS.
  • Service keys restricted to server-side.
  • Cloudflare for SSL/DDoS.
  • Stripe for PCI-compliant payments.
  • Audit logs for sensitive operations.

Contact Information

For questions about this DPA or data processing matters, please contact us at:

Email: ek@recuroai.com

Mailing Address: RecuroAI, 8920 Garden Stone Ln

Signatures

Customer (Controller): ___________________________ Date: ____________


RecuroAI (Processor): ___________________________ Date: ____________