Legal

Data Processing Addendum

Effective date: August 1, 2026 · Last updated: August 1, 2026

This Data Processing Addendum ("DPA") forms part of our Terms of Service between Digital Foundry, LLC ("Processor", "we", "us") and the Customer that accepts the Agreement ("Controller", "you"). It applies where Digital Foundry processes personal data on Customer's behalf — in particular the personal data of Captured Contacts (third parties who are not Account Holders). If there is a conflict between this DPA and the rest of the Agreement regarding the processing of personal data, this DPA prevails.

1. Roles and Scope of Processing

With respect to personal data that Digital Foundry processes on Customer's behalf (including Captured Contact data and Receiver Page submissions), Customer is the Controller (or Business) and Digital Foundry is the Processor (or Service Provider). Digital Foundry will process personal data only on Customer's documented instructions, including those in this DPA, the Agreement, and Customer's configuration of the Service, unless required by law. We will not sell or share personal data, or retain, use, or disclose it for any purpose other than performing the Service or as permitted by the CCPA.

2. Customer (Controller) Obligations

Customer warrants that it has a valid lawful basis under data-protection law for the processing instructed, including the capture and use of Captured Contact data and the sending of any introduction/follow-up emails through the Service. Customer is responsible for providing all required notices to, and obtaining all required consents from, data subjects, and for honoring opt-outs. We provide template microcopy, but Customer decides whether and how to use it.

3. Processor Obligations

Digital Foundry will process personal data only on documented instructions; ensure personnel are bound by confidentiality; implement the security measures described in Section 6 below; respect the sub-processor conditions in Section 4; assist Customer in responding to data-subject requests and in meeting its security and breach-notification obligations; on termination, delete or return personal data per Section 7; and make available information necessary to demonstrate compliance.

4. Sub-Processors

Customer authorizes Digital Foundry to engage the sub-processors listed below to process personal data. We impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remain liable to Customer for each sub-processor's performance. We will give Customer at least 30 days' prior notice before adding or replacing a sub-processor; if Customer reasonably objects on data-protection grounds within 14 days, the parties will work in good faith to resolve the concern, and if it cannot be resolved, Customer may terminate the affected part of the Service as its sole remedy.

Approved sub-processors:

  • Supabase — database, authentication, and storage hosting (United States, us-east-1)
  • Anthropic — AI structuring of voice/notes, zero-data-retention requested (United States)
  • SendGrid (Twilio) — transactional and notification email delivery (United States)
  • Stripe — payment processing / subscription billing (United States)
  • CRM providers — Affinity, Salesforce, HubSpot, Pipedrive, Copper, Attio, DealRecord — customer-directed synchronization (region depends on the CRM connected)
  • Vercel — web/front-end hosting, including the Receiver Page (United States)
  • Cloudflare — edge/CDN/DDoS and bot/abuse protection (global edge)
  • PostHog — product analytics for the web console and marketing site (United States)
  • Google — OAuth sign-in and customer-connected Calendar integration (United States / global)
  • Sentry — application error monitoring and crash diagnostics (United States)
  • Expo — mobile push-notification token delivery (United States)

This list is kept in sync with our Privacy Policy. Additional CRM connectors, when introduced, are added under the change-notice process before they process personal data — CRM synchronization is always customer-directed.

5. Data-Subject Requests

If Digital Foundry receives a request from a data subject to exercise rights relating to personal data processed for Customer, we will not respond directly (other than to confirm the request relates to Customer) and will promptly forward it to Customer. We will provide reasonable assistance, including appropriate technical and organizational measures, to help Customer respond within the timeframes required by law.

6. Security Measures

Digital Foundry maintains technical and organizational measures appropriate to the risk, including: TLS encryption in transit and encryption at rest where supported by underlying providers; role-based access control, least-privilege, and multi-factor authentication for administrative access, with access reviews at least annually; secure credential storage and session management; Cloudflare edge protection, WAF/DDoS mitigation, and rate-limiting; logical separation of Customer Data; zero-data-retention requested from our AI sub-processor; security and audit logging with anomaly/abuse detection; annual third-party penetration testing and continuous automated vulnerability scanning; regular backups on a rolling window of at least 7 days per our Point-in-Time Recovery configuration; and a documented incident-response process. We will not materially decrease the overall security of the Service during the term.

7. Breach Notification, Transfers, Audit, and Deletion

Digital Foundry will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's personal data, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken. Customer (as Controller) is responsible for notifying supervisory authorities and data subjects where required.

Where processing involves transfer of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses are incorporated by reference into this DPA, with the UK International Data Transfer Addendum and Swiss amendments applying as relevant.

Digital Foundry will make available information reasonably necessary to demonstrate compliance with this DPA. Where that is insufficient, Customer may, no more than once per 12 months, conduct an audit on reasonable prior notice, during business hours, subject to confidentiality, and at Customer's cost.

On termination, and at Customer's choice, Digital Foundry will delete or return all personal data processed on Customer's behalf. Customer may export Customer Data before termination. Following a 30-day deletion/return window (matching our account-deletion grace period), personal data will be deleted from active systems, with backups expiring on the normal rotation cycle.

8. Liability, Term, and General

Each party's liability under this DPA is subject to the limitations in our Terms of Service, except where data-protection law or the SCCs require otherwise. This DPA takes effect on the effective date and continues for as long as Digital Foundry processes personal data on Customer's behalf. If any provision is invalid, the remainder continues in effect.

See also: Terms of Service · Privacy Policy · Acceptable Use Policy