Data Processing Agreement

1. Definitions

• Controller — the operator who determines the purposes and means of processing personal data (you).
• Processor — SignalPipe, acting on the Controller's instructions.
• Personal Data — prospect handles (usernames, email addresses) and interaction signals submitted by the Controller to the backend.
• Processing — storing, retrieving, scoring, and generating outreach messages against Personal Data as instructed by the Controller.

2. Scope and nature of processing

3. Processor obligations

SignalPipe as Processor shall:

• Process Personal Data only on documented instructions from the Controller (i.e. API calls made using the Controller's operator key).
• Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or destruction.
• Not engage sub-processors without the Controller's general authorisation. The sub-processors listed in the Privacy Policy constitute that general authorisation.
• Assist the Controller in fulfilling data subject rights requests (access, erasure, portability) within a reasonable timeframe.
• Delete or return all Personal Data upon termination of the service, at the Controller's election, within 30 days.
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice.
• Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach.

4. Controller obligations

The Controller shall:

• Ensure there is a lawful basis under GDPR Article 6 for submitting prospect Personal Data to the Processor.
• Provide data subjects with appropriate transparency notices about how their data is used.
• Not instruct the Processor to process data in a manner that would violate applicable law.
• Keep operator credentials confidential and notify SignalPipe immediately if a key is compromised.

5. Sub-processors

The current list of sub-processors is maintained in our Privacy Policy. We will provide at least 14 days' notice of any new sub-processor that handles Personal Data. The Controller may object within that period; if no resolution is reached, the Controller may terminate the service without penalty.

6. International transfers

The primary database (Supabase) is hosted in the EU (Frankfurt). Some sub-processors (Railway, Vercel, OpenAI, Anthropic) are based in the United States. For these transfers we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Article 46. Copies of applicable SCCs are available on request.

Important: Post text from public community platforms is sent to OpenAI and Anthropic for embedding and reply generation. Prospect handles and personally identifiable information are not included in these API calls.

7. Security measures

We maintain the following technical and organisational measures:

• Encryption in transit (TLS 1.2+) for all API communications.
• Encryption at rest for the Supabase database (AES-256).
• Operator keys stored as environment variables, not in the database.
• Access to production infrastructure restricted to the data controller (sole operator).
• Regular dependency audits to address known vulnerabilities.

8. Duration and termination

This DPA is effective for the duration of the service relationship and terminates automatically when the Terms of Service are terminated. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by law.

9. Contact and requests

For DPA-related requests, data subject rights assistance, or breach notifications, contact: contact@signalpipe.io