Data Processing Addendum
Effective April 26, 2026 (current)
This Data Processing Addendum (“DPA”) forms part of the Codeova Terms of Service (“Agreement”) between Codeova LLC (“Processor”) and the customer identified in the Agreement (“Controller”). Capitalized terms not defined herein have the meanings given in the Agreement.
1. Scope and Roles
1.1 This DPA applies when Processor processes Personal Data on behalf of Controller in connection with the Services.
1.2 Roles. Controller is the data controller; Processor is the data processor. Each party complies with applicable Data Protection Laws (“DPL”) in its respective role.
1.3 Definitions. “Personal Data,” “Processing,” “Data Subject,” “Personal Data Breach,” and “Sub-processor” have the meanings given in applicable DPL, including the GDPR, UK GDPR, and CCPA/CPRA.
2. Processing Details
2.1 Subject Matter. Provision of the Services as described in the Agreement.
2.2 Duration. The term of the Agreement plus any applicable retention period in the Privacy Policy.
2.3 Nature and Purpose. Hosting, storing, transmitting, and analyzing Personal Data to provide the Services, including AI processing where Controller selects AI features.
2.4 Categories of Personal Data: contact details (name, email, phone), profile information, business data, communications content, end-user data provided by Controller, technical/usage data.
2.5 Categories of Data Subjects: Controller’s personnel, Controller’s end users, prospects, leads, customers of Controller.
3. Processor Obligations
3.1 Processor shall:
- process Personal Data only on documented instructions from Controller, including those set forth in the Agreement and as needed to provide the Services;
- ensure persons authorized to process Personal Data are bound by confidentiality;
- implement technical and organizational measures appropriate to the risk (see Annex 2);
- assist Controller in responding to Data Subject requests, taking into account the nature of the processing;
- assist Controller with data protection impact assessments and consultations with supervisory authorities, where required;
- at Controller’s choice, delete or return all Personal Data after the end of the Services, unless retention is required by law;
- make available information necessary to demonstrate compliance with this DPA.
3.2 Processor shall notify Controller without undue delay if, in Processor’s opinion, an instruction from Controller infringes DPL.
4. Sub-processors
4.1 Authorization. Controller authorizes Processor to engage the sub-processors listed in Annex 1, and additional sub-processors subject to Section 4.2.
4.2 New Sub-processors. Processor will notify Controller of new sub-processors at least 15 days before granting them access to Personal Data. Controller may object on reasonable data protection grounds within that period. If the parties cannot resolve the objection, Controller may terminate the affected Services and receive a pro-rata refund of prepaid unused fees.
4.3 Sub-processor Terms. Processor shall impose data protection obligations on sub-processors that are no less protective than this DPA.
4.4 Liability. Processor remains responsible for sub-processors’ performance of data protection obligations.
5. Security
5.1 Processor implements the technical and organizational measures described in Annex 2. Processor may update measures provided that the overall level of security is not reduced.
6. Personal Data Breaches
6.1 Processor shall notify Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller’s data. Notification shall include, where known: nature of the breach, categories and approximate number of Data Subjects and records, likely consequences, and measures taken or proposed.
6.2 Processor shall provide reasonable cooperation and information to assist Controller in meeting Controller’s notification obligations.
7. Data Subject Rights
7.1 Where a Data Subject contacts Processor directly, Processor will forward the request to Controller and not respond unless authorized.
7.2 Processor shall provide reasonable assistance, by appropriate technical and organizational measures, for Controller to fulfill Data Subject requests, taking into account the nature of the processing.
8. International Transfers
8.1 Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or other third countries, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) published by the European Commission, together with the UK International Data Transfer Addendum issued by the ICO and the adaptations required by the Swiss FDPIC for transfers subject to Swiss law, are incorporated by reference and form part of this DPA.
8.2 For purposes of the SCCs:
- Module: Controller to Processor;
- Clause 7 (docking clause): not used;
- Clause 9 (sub-processors): Option 2 (general authorization), 15 days;
- Clause 11 (redress): independent dispute resolution body — not opted in;
- Clause 17 (governing law): law of Ireland;
- Clause 18 (forum): courts of Ireland;
- Annex I.A: parties identified in the Agreement;
- Annex I.B: as in Section 2 of this DPA;
- Annex I.C: Irish Data Protection Commission;
- Annex II: Section 5.1 of this DPA and Annex 2 of this DPA;
- Annex III: Annex 1 of this DPA.
9. Audits
9.1 Processor shall make available, on Controller’s reasonable request and no more than once per twelve-month period, information necessary to demonstrate compliance with this DPA. This includes summaries of Processor’s audit reports and security questionnaires.
9.2 On-site audits are permitted only if: (a) required by Controller’s supervisory authority; (b) Controller bears reasonable costs; (c) the audit is conducted during business hours with reasonable notice.
10. Liability
10.1 Liability under this DPA is subject to the limitations in the Agreement, including caps on liability and exclusions of indirect damages, to the maximum extent permitted by law.
11. Termination
11.1 This DPA terminates with the Agreement.
11.2 Within 60 days after termination, Processor shall delete or, on Controller’s written request, return Personal Data, except where retention is required by law.
Annex 1: Approved Sub-processors
- Supabase — database, authentication;
- OpenAI L.L.C. (United States) — AI inference;
- Stripe, Inc. (United States) — payment processing;
- Resend (United States) — transactional email;
- Vercel, Inc. (United States) — hosting;
- Cal.com (United States) — appointment booking;
- Google LLC (United States) — operational email (Google Workspace).
Updates published at codeova.ai/legal/dpa.
Annex 2: Technical and Organizational Measures
- Encryption: TLS in transit; AES-256 at rest (provided by Supabase, Vercel, Stripe);
- Access Control: role-based access; principle of least privilege; administrative actions require two-factor authentication;
- Tenant Isolation: row-level security policies enforced at database level;
- Audit Logging: append-only audit log with database-level UPDATE/DELETE/TRUNCATE protection;
- Backup and Recovery: point-in-time recovery enabled (Supabase Pro tier);
- Secrets Management: secrets stored in encrypted environment variables; no secrets in client-side code;
- Incident Response: documented breach notification runbook;
- Personnel: confidentiality obligations on all personnel; security awareness training;
- Sub-processor Management: contractual obligations imposed on all sub-processors;
- Vulnerability Management: monitoring of dependencies and security advisories.
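Illustration of the Tenant Isolation and Audit Logging measures above (added here for clarity; this is an example, not Codeova’s contractual text or actual schema). It shows how both measures are typically enforced in PostgreSQL, the database Supabase provides: row-level security scoped to a tenant identifier carried in the caller’s JWT, and an append-only table protected by grants plus triggers that reject UPDATE, DELETE and TRUNCATE. The table and column names, the `tenant_id` JWT claim, and the Supabase `anon`/`authenticated` roles are assumptions.

```sql
-- Illustrative PostgreSQL/Supabase schema. Table names, the tenant_id JWT claim,
-- and the anon/authenticated roles are assumptions, not Codeova's real configuration.

-- Supabase exposes the verified JWT as the request.jwt.claims setting.
-- If the setting is absent, current_setting(..., true) yields NULL, so the
-- comparisons below evaluate to NULL and no rows are visible (fail closed).
CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT (current_setting('request.jwt.claims', true)::jsonb ->> 'tenant_id')::uuid
$$;

-- Tenant Isolation: every row carries a tenant_id and RLS restricts both reads
-- (USING) and writes (WITH CHECK) to the caller's own tenant.
CREATE TABLE contacts (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  email     text NOT NULL
);

ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;   -- also binds the table owner

CREATE POLICY contacts_tenant_isolation ON contacts
  FOR ALL TO authenticated
  USING      (tenant_id = current_tenant_id())
  WITH CHECK (tenant_id = current_tenant_id());

-- Audit Logging: append-only. Privileges allow INSERT and tenant-scoped SELECT
-- only; triggers reject UPDATE/DELETE/TRUNCATE even for roles that hold
-- broader table privileges (e.g. the owner running migrations).
CREATE TABLE audit_log (
  id          bigserial PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  tenant_id   uuid NOT NULL,
  actor       text NOT NULL,
  action      text NOT NULL,
  details     jsonb
);

REVOKE ALL ON audit_log FROM PUBLIC, anon, authenticated;
GRANT INSERT, SELECT ON audit_log TO authenticated;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO authenticated;

ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;

CREATE POLICY audit_log_tenant_read ON audit_log
  FOR SELECT TO authenticated
  USING (tenant_id = current_tenant_id());

CREATE POLICY audit_log_tenant_insert ON audit_log
  FOR INSERT TO authenticated
  WITH CHECK (tenant_id = current_tenant_id());

CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP;
END;
$$;

-- Row-level trigger for UPDATE/DELETE; TRUNCATE triggers must be statement-level.
CREATE TRIGGER audit_log_no_update_delete
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
  BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Verification (run as an authenticated session): each statement must fail.
--   DELETE FROM audit_log WHERE id = 1;                   -- trigger exception
--   UPDATE audit_log SET action = 'x' WHERE id = 1;       -- trigger exception
--   SELECT * FROM contacts WHERE tenant_id <> current_tenant_id(); -- returns 0 rows
```

The triggers matter because grants alone do not bind a superuser or the table owner; a Processor verifying this measure should test a DELETE as the most privileged application role it actually uses, not only as `authenticated`.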