Data Processing Agreement

Last updated: March 2026 · Contact: support@opbot.io

Preamble

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between OpBot (“Processor” or “OpBot”) and the Coach (“Controller” or “you”) who uses the OpBot platform. This DPA applies to the extent that OpBot processes Personal Data on the Controller’s behalf in connection with the Service.

This DPA is designed to comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection legislation. Where there is any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

1. Definitions

  • “Controller” means the Coach who determines the purposes and means of processing Personal Data collected through their funnel pages.
  • “Processor” means OpBot, which processes Personal Data on the Controller’s behalf.
  • “Sub-Processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Subject” means an identifiable natural person whose Personal Data is processed under this DPA (primarily leads who submit information through the Controller’s funnel pages).
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, and destruction.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission for the transfer of Personal Data to third countries.

2. Scope & Roles

This DPA applies to the processing of Personal Data that OpBot performs on behalf of the Controller in connection with the following platform features:

  • Lead data collection via qualification forms.
  • CRM pipeline management and lead stage tracking.
  • Booking system (calendar, availability, scheduling).
  • Email delivery (automated sequences and broadcasts).
  • SMS message delivery (automated sequences, broadcasts, and booking notifications).
  • Analytics event processing (page views, form submissions, booking events).

The Controller determines the purposes and means of processing. The Processor processes Personal Data only on the Controller’s documented instructions as expressed through the platform’s features and this DPA.

Annex 1: Processing Details

Subject matter: Processing of lead Personal Data in connection with the Controller’s use of the OpBot funnel, CRM, booking, email, and SMS features.
Duration: For the duration of the Controller’s active subscription, plus up to 30 days after account closure for data export, and up to a further 90 days after production deletion for backup purge (see Section 11).
Nature of processing: Collection, storage, retrieval, organization, use (CRM management, email and SMS delivery, analytics), and deletion of Personal Data via automated systems.
Purpose: Providing the OpBot platform services: funnel page hosting, qualification form processing, lead scoring, pipeline management, call booking, email sequence delivery, broadcast sending, SMS delivery, and analytics reporting.
Types of Personal Data: Names, email addresses, phone numbers, qualification form responses, lead scores, booking dates/times, call outcomes, pipeline stage history, email interaction data (unsubscribe status), SMS consent records (timestamp, method, IP address), SMS opt-out status, and anonymized analytics identifiers.
Categories of Data Subjects: Prospective clients (leads) who submit information through the Controller’s funnel pages, book calls, or receive email or SMS communications.

3. Processing Instructions

The Processor shall process Personal Data only on the Controller’s documented instructions, which include:

  • The instructions set out in this DPA and the Terms of Service.
  • Instructions expressed through the Controller’s use of platform features (e.g., configuring form questions, enabling email sequences, setting pipeline stages, importing leads).
  • Any additional written instructions agreed upon by the parties.

If the Processor believes an instruction from the Controller infringes applicable data protection law, the Processor shall promptly inform the Controller and may suspend performance of the relevant instruction until the Controller confirms or modifies it.

4. Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require it to perform the Service, and is controlled through role-based access controls and Supabase Row Level Security policies.

Annex 2: Technical & Organizational Security Measures

The Processor implements the following measures to protect Personal Data:

  • Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher. All internal service-to-service communication uses encrypted channels.
  • Encryption at rest: Database storage is encrypted using AES-256 via the underlying cloud infrastructure (Supabase on AWS). Backups are encrypted using the same standard.
  • Row Level Security (RLS): Every client-facing database query is scoped by business_id at the database level using Supabase RLS policies, enforcing tenant isolation independently of application code. No Coach can access another Coach’s data through the application.
  • Authentication & access control: Supabase Auth with secure session management and PKCE flow. Role-based access within teams (5 roles: coach, closer, setter, operator, admin). Service-role access, which bypasses RLS, is limited to specific server-side operations and is scoped to the relevant business_id in application code.
  • Signed tokens: Lead booking access and email unsubscribe links use HMAC-SHA256 signed tokens with time-based expiry (2 hours for booking tokens) to prevent unauthorized access.
  • Rate limiting: Public-facing endpoints are rate-limited (qualification forms: 5/min, bookings: 3/min, analytics: 10/min) to prevent abuse and brute-force attacks.
  • Webhook verification: Stripe webhook payloads are verified using cryptographic signatures before processing.
  • Automated backups: Database backups are performed automatically by Supabase with point-in-time recovery. Backup retention period: 90 days.
  • Logging & monitoring: Server logs, access logs, and error logs are maintained for security monitoring and incident response. Logs are retained for 90 days.
  • Email deduplication: Automated email systems use deduplication tables with unique constraints to prevent duplicate sends and ensure race-safe operation.
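The signed-token measure described above (HMAC-SHA256 with time-based expiry), as an added example that is not OpBot’s code. The token layout (lead id, purpose, Unix expiry and hex MAC joined by dots), the function names, and the key-handling are assumptions made here; only the algorithm, the 2-hour booking expiry and the purposes (booking, unsubscribe) come from the page. The example also binds each token to a purpose so a booking token cannot be replayed as an unsubscribe link, and it authenticates the token before interpreting any field in it.

```python
"""Signed, expiring access tokens (added example; layout and names are assumptions)."""
import hashlib
import hmac
import time
from typing import Optional

BOOKING_TTL = 2 * 60 * 60  # 2 hours, the booking-token expiry stated in Annex 2


def issue_token(secret: bytes, lead_id: str, purpose: str,
                now: Optional[float] = None, ttl: int = BOOKING_TTL) -> str:
    """Return '<lead_id>.<purpose>.<expires>.<hmac_hex>' signed with HMAC-SHA256.

    `secret` is assumed to be a random key loaded from a secrets store; it must
    not be reused from any other credential. The purpose string may not contain
    '.' because rsplit() on the verifying side relies on it being a single field.
    """
    if "." in purpose:
        raise ValueError("purpose must not contain '.'")
    if now is None:
        now = time.time()
    expires = int(now) + ttl
    payload = f"{lead_id}.{purpose}.{expires}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(secret: bytes, token: str, expected_purpose: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the lead id if the token is authentic, unexpired and issued for
    `expected_purpose`; otherwise return None. Rejects tampering, wrong key,
    wrong purpose, expiry, and malformed input."""
    if now is None:
        now = time.time()
    # rsplit from the right: only the lead id may contain dots.
    parts = token.rsplit(".", 3)
    if len(parts) != 4:
        return None
    lead_id, purpose, expires_str, sig = parts
    payload = f"{lead_id}.{purpose}.{expires_str}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: compare_digest on str raises for
    # non-ASCII input, which an attacker controls here.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    # Only after the MAC checks out do we trust the fields.
    if purpose != expected_purpose:
        return None
    try:
        expires = int(expires_str)
    except ValueError:
        return None
    if now >= expires:
        return None
    return lead_id


if __name__ == "__main__":
    key = b"example-key-do-not-use"  # constructed for the demo
    tok = issue_token(key, "lead-123", "booking", now=1_000_000)
    print(tok)
    print(verify_token(key, tok, "booking", now=1_000_000 + 60))      # lead-123
    print(verify_token(key, tok, "unsubscribe", now=1_000_000 + 60))  # None
    print(verify_token(key, tok, "booking", now=1_000_000 + BOOKING_TTL))  # None
```

A practitioner checking this control would confirm three things the bullet alone does not state: that verification uses a constant-time comparison, that the token is bound to one purpose and one lead, and that the signing key is separate from every other credential (in particular from the Supabase service-role key) and rotated without invalidating in-flight booking links for longer than the 2-hour window.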

5. Sub-Processors

The Controller provides general written authorization for the Processor to engage Sub-Processors, subject to the following conditions:

  • The Processor shall provide the Controller with at least 30 days’ advance notice before adding or replacing a Sub-Processor, via email to the address associated with the Controller’s account.
  • The Controller may object to a new Sub-Processor within the 30-day notice period by contacting support@opbot.io. If the Controller’s objection is not resolved to mutual satisfaction, the Controller may terminate the DPA and the associated subscription.
  • The Processor shall impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.
  • The Processor remains fully liable to the Controller for the performance of each Sub-Processor’s obligations.

Annex 3: Authorized Sub-Processors

As of the date of this DPA, the following Sub-Processors are authorized:

Sub-Processor | Purpose | Data Processed | Location
Supabase, Inc. | Database hosting, authentication, file storage | All lead Personal Data (names, emails, phones, form responses, bookings) | US (AWS)
Vercel, Inc. | Application hosting, serverless functions, edge network | Transient request data (processed in memory, not persisted) | US (global edge)
Resend, Inc. | Email delivery (sequences, broadcasts, booking confirmations, reminders) | Lead name and email address, email content | US
Stripe, Inc. | Payment processing (Coach billing only) | Coach payment data only; no lead Personal Data | US
Twilio, Inc. | SMS message delivery, phone number provisioning, A2P compliance registration | Lead phone numbers, message content, delivery metadata | US
Anthropic, PBC | AI content generation (funnel copy, email sequences) | Coach business info only; no lead Personal Data is ever sent | US

6. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) by:

  • Providing tools for the Controller to view and edit lead data within the dashboard, and fulfilling data export requests upon the Controller’s request to support@opbot.io.
  • Responding promptly to the Controller’s requests for technical assistance in fulfilling complex data subject requests.
  • Forwarding any data subject requests received directly by the Processor to the Controller without undue delay.

The Controller is responsible for responding to data subject requests within the timeframes required by applicable law (one month under GDPR Article 12(3), extendable by up to two further months for complex or numerous requests). The Processor will provide reasonable assistance at no additional charge.

7. Data Protection Impact Assessment Assistance

Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR, the Processor shall provide reasonable assistance by supplying information about the processing operations, security measures, and Sub-Processors described in this DPA. The Processor shall also assist with any prior consultation with a supervisory authority under Article 36 where required.

8. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA:

  • The Processor shall notify the Controller by email without undue delay and in any event within 48 hours of becoming aware of the breach.
  • The initial notification shall include, to the extent available:
    • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
    • The name and contact details of the Processor’s point of contact for further information.
    • A description of the likely consequences of the breach.
    • A description of the measures taken or proposed to address the breach and mitigate its effects.
  • If all information is not available within 48 hours, the Processor shall provide information in phases without further undue delay.
  • The Processor shall cooperate with the Controller to enable the Controller to fulfill its breach notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and to Data Subjects (per GDPR Article 34).
  • The Processor shall take immediate steps to contain, investigate, and remediate the breach.

9. International Data Transfers

OpBot is based in the United States. Where Personal Data originating from the EU/EEA or UK is transferred to the US or other third countries, the following safeguards apply:

  • EU/EEA transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914, Module 2 (Controller-to-Processor). The SCCs are hereby incorporated by reference into this DPA.
  • UK transfers: The International Data Transfer Agreement (IDTA) as approved by the UK ICO, or the UK Addendum to the EU SCCs, as applicable.
  • Transfer impact assessment: The Processor has assessed the legal framework of the United States and has implemented supplementary measures (encryption, access controls, contractual commitments) to ensure an essentially equivalent level of protection.

The Processor shall ensure that all Sub-Processors that process Personal Data outside the EU/EEA or UK are bound by equivalent transfer mechanisms.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law. Audit provisions:

  • The Controller may conduct audits (or appoint a qualified third-party auditor) no more than once per 12-month period, with at least 30 days’ prior written notice.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations.
  • As an alternative to on-site audits, the Processor may provide the Controller with a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report. Such reports shall be treated as confidential.
  • The Controller shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by the Processor.

11. Data Return & Deletion on Termination

Upon termination of the Controller’s subscription or upon the Controller’s written request:

  • Data export: The Controller may request an export of all lead data by contacting support@opbot.io at any time before or during the 30-day post-termination period.
  • Deletion from production: The Processor shall delete all Personal Data from production systems within 30 days of account closure, unless retention is required by applicable law.
  • Backup purge: Personal Data contained in encrypted backups shall be purged within 90 days of production deletion as backups rotate through their retention cycle.
  • Certification: Upon request, the Processor shall provide written confirmation that Personal Data has been deleted in accordance with this section.

12. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for: (a) breaches of confidentiality obligations; (b) either party’s indemnification obligations; or (c) liability that cannot be limited under applicable law, including liability for willful misconduct.

13. Term & Termination

This DPA takes effect when the Controller agrees to the Terms of Service and continues for the duration of the Controller’s use of the Service. This DPA automatically terminates when the Terms of Service terminate, subject to the data deletion obligations in Section 11 above. Provisions that by their nature should survive termination (including confidentiality, liability, and data deletion obligations) shall survive.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles, except where mandatory data protection law requires otherwise (e.g., GDPR-related provisions are governed by the law of the EU Member State where the Controller is established, or by Irish law where the Controller is outside the EU and the SCCs apply).

15. Contact

For questions about this DPA, to request a signed copy, or to report a data protection concern, contact:

OpBot
Email: support@opbot.io

By using OpBot, the Controller acknowledges and agrees to the terms of this Data Processing Agreement.