Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between 38os ("Processor," "we," "our," or "us") and the entity agreeing to these terms ("Controller," "you," or "your") for the use of the 38os platform and related services (the "Service"). This DPA applies to the extent that 38os processes Personal Data on behalf of the Controller in connection with the provision of the Service.
This DPA is designed to meet the requirements of the European General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws. By using the Service, you agree to the terms of this DPA.
1. Definitions
- Controller: The entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the customer using the 38os Service.
- Processor: The entity that processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is 38os.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA.
- Personal Data: Any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.
- Processing: Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
2. Scope and Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service and as further instructed by the Controller. The nature, purpose, and duration of processing are as follows:
- Nature of Processing: Storage, retrieval, analysis, and AI-assisted processing of business and account data submitted by the Controller through the Service.
- Purpose: To provide the 38os marketing operating system features, including marketing audits, AI-powered recommendations, strategy generation, and related analytics.
- Duration: For the term of the agreement between the Controller and the Processor, plus any retention period required by applicable law.
- Categories of Data Subjects: Controller's employees, representatives, end users, and contacts whose data is submitted to the Service.
- Types of Personal Data: Names, email addresses, job titles, company information, business data entered into the platform, and usage metadata.
3. Obligations of the Processor
38os, as the Processor, shall:
3.1 Process Data on Documented Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
3.2 Ensure Confidentiality
Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their duties in connection with the Service.
3.3 Implement Appropriate Security Measures
Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 9 (Technical and Organizational Measures) of this DPA and on our Security page.
3.4 Assist with Data Subject Rights
Assist the Controller, by appropriate technical and organizational measures and insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law. This includes the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.
3.5 Delete or Return Data on Termination
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data. Personal Data will be deleted within 30 days of account termination, except where retention is required by law.
3.6 Make Available Information for Audits
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
4. Sub-processing
The Controller provides general authorization for the Processor to engage Sub-processors to process Personal Data in connection with the Service. A current list of Sub-processors is available on our Sub-processors page.
The Processor shall notify the Controller at least 30 days before adding or replacing any Sub-processor, giving the Controller an opportunity to object to the change. If the Controller objects to a new Sub-processor on reasonable grounds related to data protection, the Processor shall use commercially reasonable efforts to make available an alternative arrangement or, if no alternative is feasible, the Controller may terminate the affected Service.
The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. The Processor shall remain liable for the acts and omissions of its Sub-processors.
5. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, the Processor shall ensure that appropriate safeguards are in place in accordance with applicable data protection laws.
The parties agree that the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference into this DPA and shall apply to transfers of Personal Data from the EEA to third countries that do not benefit from an adequacy decision. For transfers from the UK, the International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner) shall apply.
Where applicable, the Processor shall also implement supplementary measures (such as encryption and pseudonymization) to ensure an adequate level of protection for transferred Personal Data.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's Personal Data. The notification shall include:
- A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of the Processor's data protection contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each personal data breach.
7. Duration and Termination
This DPA shall remain in effect for the duration of the agreement between the Controller and the Processor for the provision of the Service. Upon termination of the agreement, the Processor shall, at the Controller's election, return or delete all Personal Data in accordance with Section 3.5, subject to any legal obligation to retain such data.
The obligations of the Processor regarding confidentiality, data breach notification, and cooperation with the Controller shall survive termination of this DPA.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that nothing in this DPA or the Terms of Service shall limit either party's liability for breaches of its obligations under applicable data protection laws where such limitation is not permitted.
9. Technical and Organizational Measures
The Processor implements and maintains the following technical and organizational measures to protect Personal Data:
- Encryption at Rest: All stored data is encrypted using AES-256 encryption on Supabase-managed PostgreSQL databases hosted on AWS infrastructure.
- Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Access Control: Role-based access control with four permission levels (Owner, Admin, Member, Viewer) ensures users can only access data they are authorized to view. Internal access to production systems is restricted to essential personnel and protected by multi-factor authentication.
- Row Level Security (RLS): Every workspace is logically isolated at the database level using Supabase Row Level Security policies, ensuring data belonging to one workspace cannot be accessed by another.
- Automated Backups: Regular automated backups are maintained to prevent data loss and ensure recoverability. Backup data is encrypted and retained according to our data retention policy.
- AI Data Privacy: AI features are powered by Anthropic Claude via API. Data is processed in real time and is not retained by Anthropic beyond the API request. Anthropic does not use API inputs for model training.
- Secure Authentication: User authentication is handled through Supabase Auth with support for email/password and Google OAuth. Sessions use HTTP-only cookies with automatic token rotation.
- Monitoring and Logging: Security-relevant events are logged and monitored. Access logs are maintained for audit purposes.
For more details on our security practices, please visit our Security page.
10. Contact
For questions, concerns, or requests related to this Data Processing Agreement, or to exercise any rights under this DPA, please contact us at:
- Email: privacy@38os.com
- Subject Line: Data Processing Agreement Inquiry
We aim to respond to all DPA-related inquiries within 30 days of receipt.