Last Updated: September 19, 2025
1. Definitions
- "Controller": The Customer who determines the purposes and means of processing
- "Processor": PM33, which processes data on behalf of the Controller
- "Personal Data": Any information relating to identified or identifiable persons
- "Processing": Any operation performed on Personal Data
2. Scope and Application
This DPA applies to all Personal Data processed by PM33 on behalf of Customer in connection with the Service.
3. Processing Instructions
3.1 PM33 shall:
- Process Personal Data only on documented instructions from Customer
- Ensure persons processing data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures
- Assist Customer in responding to data subject requests
3.2 Customer shall:
- Ensure lawful basis for processing
- Provide necessary instructions for processing
- Ensure accuracy of Personal Data
- Comply with applicable data protection laws
4. Sub-processors
4.1 Authorized Sub-processors:
- Amazon Web Services (Infrastructure)
- Supabase (Database)
- Stripe (Payments)
- OpenAI (AI Processing)
- Anthropic (AI Processing)
- Together AI (AI Processing)
- Pinecone (Vector Storage)
- Railway (Compute)
- PostHog (Analytics)
- Resend (Email)
4.2 New Sub-processors:
PM33 will notify Customer of new sub-processors with 30 days to object.
5. Security Measures
PM33 implements measures including:
- Pseudonymization and encryption
- Ensuring confidentiality, integrity, and availability
- Regular testing of security measures
- Ability to restore data after incidents
6. Data Subject Rights
PM33 will assist Customer in fulfilling obligations regarding:
- Access requests
- Rectification or erasure
- Data portability
- Objection to processing
- Automated decision-making
7. Breach Notification
PM33 will notify Customer without undue delay upon becoming aware of a Personal Data breach, including:
- Nature of the breach
- Categories and numbers of affected individuals
- Likely consequences
- Measures taken to address the breach
8. Data Deletion and Return
Upon termination, PM33 will:
- Delete or return all Personal Data
- Delete existing copies unless legally required to retain
- Provide certification of deletion
9. Audit Rights
Customer may audit PM33's compliance:
- Once per year with 30 days notice
- Using PM33's security certifications
- At Customer's expense
- Subject to confidentiality agreements
10. International Transfers
For transfers outside the EEA:
- Standard Contractual Clauses apply
- Appropriate safeguards are implemented
- Transfer impact assessments available upon request
11. Limitation of Liability
Liability is governed by the Terms of Service, except as required by applicable data protection law.
12. Term and Termination
This DPA remains in effect for the duration of the Service agreement.