Data Processing Agreement
Last updated: April 27, 2026
1. Parties and Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DropFix ("Processor") and the customer ("Controller") (collectively, the "Parties"). This DPA governs the processing of personal data in connection with the DropFix SaaS platform and services.
Controller: The customer using DropFix services
Processor: DropFix
Effective Date: Same as the Terms of Service
2. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual whose Personal Data is processed
- "Sub-processor" means any third party engaged by Processor to process Personal Data
- "GDPR" means General Data Protection Regulation (EU) 2016/679
- "CCPA" means California Consumer Privacy Act
- "DPDP Act" means the Digital Personal Data Protection Act 2023 (India)
3. Scope and Purpose of Processing
3.1 Subject Matter
The processing of Personal Data relates to the provision of churn detection, customer retention intelligence, and automated communication services through the DropFix platform.
3.2 Nature and Purpose
Processor shall process Personal Data for the following purposes:
- User authentication and account management
- Behavioral signal detection and analysis
- AI-powered email draft generation
- Daily digest and weekly summary delivery
- Analytics and reporting
- Service improvement and optimization
- Communication related to the Service
3.3 Categories of Data Subjects
The Personal Data processed may include:
- Controller's end users/customers
- Controller's team members with access to DropFix
- Any individuals identified through tracking and analytics
3.4 Types of Personal Data
Types of Personal Data processed may include:
- Contact information (name, email, phone)
- Usage data and behavior patterns
- Device and browser information
- Payment information (processed by Stripe)
- Communication preferences
- Customer health scores and signals
4. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without prior written authorization
- Assist Controller in fulfilling data subject rights requests
- Notify Controller of any Personal Data breach within 72 hours
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
5. Controller Obligations
Controller shall:
- Provide accurate and complete information about data subjects
- Obtain all necessary consents and permissions for data processing
- Ensure processing is conducted in accordance with applicable laws
- Maintain records of processing activities
- Promptly notify Processor of any data subject complaints
- Provide timely instructions to Processor regarding data handling
6. Security Measures
Processor shall implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit using TLS/SSL
- Encryption of sensitive Personal Data at rest
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident response and breach notification procedures
- Employee security training and awareness programs
- Secure infrastructure hosted with Supabase
- Backup and disaster recovery procedures
- Monitoring and logging of access and activities
7. Sub-processors
Controller authorizes Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Country |
|---|---|---|
| Supabase | Database and authentication infrastructure | Global (US/EU) |
| Anthropic (Claude API) | AI-powered email draft generation — anonymised behavioural data only, no personal identifiers transmitted | United States |
| Stripe | Payment processing | United States |
| Vercel | Hosting and CDN | United States |
| Resend | Transactional email delivery | United States |
| Fly.io | Infrastructure hosting | United States |
| Gmail | OAuth integration for email sending | United States |
| Slack | Optional digest delivery integration | United States |
Processor shall notify Controller of any intended changes to Sub-processors. Controller may object to such changes within 30 days of notification.
8. Data Subject Rights
Processor shall, taking into account the nature of processing, assist Controller in fulfilling the following data subject rights:
- Right of Access: Provide information about Personal Data processing
- Right to Rectification: Correct inaccurate Personal Data
- Right to Erasure: Delete Personal Data upon request
- Right to Restrict Processing: Limit processing activities
- Right to Data Portability: Provide data in machine-readable format
- Right to Object: Stop processing based on legitimate interests
- Rights related to Automated Decision-Making: Not subject individuals to solely automated decisions
Requests should be directed to Controller. Processor will provide reasonable assistance within 30 days of request.
9. Data Breach Notification
In the event of a Personal Data breach, Processor shall:
- Notify Controller without undue delay, and in any event within 72 hours of becoming aware
- Provide details of the nature, categories, and approximate number of affected data subjects
- Describe the likely consequences of the breach
- Describe measures taken or proposed to address the breach
- Cooperate with Controller in investigating and mitigating the breach
Notification shall be sent to the email address on file for Controller.
10. Data Retention and Deletion
Processor shall retain Personal Data only for as long as necessary to provide the Service:
- Account data: Retained while account is active, deleted within 30 days of termination
- Usage data: Retained for 12 months for analytics purposes
- Logs: Retained for 90 days for security and debugging
- Backup copies: Deleted within 30 days of backup rotation
Upon termination of the Terms, Processor shall delete or anonymize all Personal Data within 30 days, except where retention is required by law.
11. Audit Rights
Controller may audit Processor's compliance with this DPA by:
- Requesting copies of sub-processor security certifications (e.g. Supabase SOC 2)
- Requesting summaries of security assessments and penetration tests
- Requesting information about data processing activities
Processor shall make available all necessary information for Controller to verify compliance. Audits shall be scheduled with reasonable advance notice and conducted during business hours.
12. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). When transferring Personal Data internationally, Processor ensures:
- Adequacy decisions or appropriate safeguards are in place
- Standard Contractual Clauses (SCCs) are used where required
- Data subjects' rights are protected under applicable data protection laws
- Sub-processors in the US are certified under the Data Privacy Framework
13. Liability
Processor's liability for breaches of this DPA shall be subject to the limitations set out in the Terms of Service. In no event shall Processor's total liability exceed the fees paid by Controller in the twelve months preceding the claim.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the jurisdiction in which DropFix operates, consistent with the governing law provisions in the Terms of Service.
15. Contact
For questions about this DPA or to exercise data subject rights, please contact us:
DropFix
Data Protection Officer
Email: dpo@dropfix.io
Privacy inquiries: privacy@dropfix.io
Website: dropfix.io