Data Processing Addendum
This DPA forms part of the agreement between <<COMPANY_LEGAL_NAME>>
("Processor") and the customer identified on the executed order form
("Controller") for the provision of Time Manager. It gives effect to Article 28 of
the EU GDPR and the UK GDPR in respect of Customer Personal Data.
1. Roles and subject-matter
1.1 The Customer is the Controller of Customer Personal Data; Company is the Processor, except in respect of account administration, billing and security-monitoring data where Company acts as an independent Controller.
1.2 Subject-matter: provision of the Time Manager Service — time-bound AI scheduling, calendar integration, reminder delivery, webhooks, API.
1.3 Duration: the term of the Agreement, plus the deletion/return period in §10.
1.4 Nature and purpose: storing, organizing, analyzing and transmitting Customer Personal Data to deliver the scheduling, reminder and integration features of the Service.
2. Categories of data and data subjects
2.1 Data subjects: Customer's authorized users, their AI agents operating under delegated accounts, calendar invitees whose identifiers are shared with the Service, and webhook-target operators Customer designates.
2.2 Categories of personal data: account identifiers; authentication credentials (tokens); usage metadata; routine-task text; calendar content (titles/times/attendees, as authorized); LLM prompts & responses; reminder-delivery data; support data.
2.3 Special categories: the Service is not designed to process Article 9 special-category data. Customer agrees not to submit such data.
3. Processor obligations
3.1 Documented instructions. Company processes Customer Personal Data only on Customer's documented instructions, including the Agreement, the Service's UI/API, and written direction from Customer representatives.
3.2 Lawful instructions. Company will inform Customer if an instruction infringes applicable data-protection law.
3.3 Confidentiality. Personnel are under appropriate confidentiality obligations.
3.4 Security. Company implements the TOMs described in Annex II (§9).
3.5 Assistance. Company will assist Customer with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation) and Articles 12–23 (data-subject rights).
4. Sub-processors
4.1 General authorization. Customer grants general authorization for Company to engage sub-processors subject to this §4.
4.2 Current list. Key sub-processors:
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic, PBC | LLM inference (Claude) | US |
| OpenAI, L.L.C. | LLM inference | US |
| Google LLC | Calendar API integration | Global |
| Microsoft Corporation | Graph / Outlook integration | Global |
| Amazon Web Services, Inc. | Cloud hosting + SES email | US |
| OVH SAS / OVH Ltd | Cloud hosting (EU/UK residency) | UK / EU |
4.3 Flow-down. Company imposes data-protection obligations on each sub-processor no less onerous than this DPA.
4.4 Change notice. 30 days' advance notice of new or replacement sub-processors. Customer may object on reasonable data-protection grounds.
4.5 Liability. Company remains liable for its sub-processors' acts and omissions.
5. International transfers
5.1 Where Customer Personal Data is transferred outside the EEA, UK or Switzerland, the parties rely on:
- EU Standard Contractual Clauses (2021/914), modules 2 & 3 — Annex III, incorporated by reference.
- UK International Data Transfer Addendum (IDTA) — Annex IV.
- Swiss Addendum, as applicable.
5.2 Parties will complete the SCC/IDTA annexes with transfer specifics; where not separately completed, the descriptions in this DPA govern.
6. Data subject requests
6.1 Company will promptly notify Customer of any data-subject request and will not respond directly except as instructed.
6.2 Company will provide reasonable assistance (including export / deletion tools) to enable Customer to respond within statutory deadlines.
7. Incident notification
7.1 Company will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 The notification will describe (to the extent known): nature, categories and approximate numbers of data subjects/records, likely consequences, and measures taken.
8. Audit
8.1 Evidence. Company makes available information reasonably necessary to demonstrate Article 28 compliance, typically via (a) third-party audit reports (SOC 2 Type II — roadmap), (b) Security Whitepaper, (c) completed questionnaires (SIG-Lite, CAIQ).
8.2 On-site audit. No more than once per year (unless following a Personal Data Breach or mandated by a supervisory authority), Customer or a mutually agreed auditor may audit, on reasonable advance notice, during business hours, under confidentiality, without disrupting the Service. Customer bears costs unless material non-compliance is found.
9. Technical and organizational measures (Annex II)
- Encryption: TLS 1.2+ in transit; Fernet symmetric encryption of OAuth tokens and webhook secrets, two-key rotation; platform disk encryption (AWS/OVH).
- CIA & resilience: regionally redundant storage, documented backups, health checks, RPO/RTO per SLA.
- Restoration: tested backup restore procedures.
- Regular testing: dependency scanning, periodic penetration testing.
- Access control: least-privilege RBAC, MFA on admin consoles, formal joiner/mover/leaver process.
- Tenant isolation: PostgreSQL row-level security on tenant-scoped tables, enforced server-side.
- Logging: audit log of security-relevant actions.
- Personnel: confidentiality, background checks (where permitted), annual security training.
- Physical security: handled by sub-processors (AWS, OVH) under certified controls.
- Incident response: documented runbook, 72-hour notification SLA.
10. Return and deletion of data
10.1 Within 30 days of termination or written request, Company will delete or return Customer Personal Data at Customer's option, except where retention is required by law or for legitimate billing/audit records.
10.2 Backups are cycled out within 35 days; they remain encrypted and inaccessible until overwritten.
11. Controller responsibilities
11.1 Customer warrants a valid legal basis to collect and submit Customer Personal Data to the Service.
11.2 Customer is responsible for its own transparency obligations (e.g. its own privacy notice covering use of Time Manager).
12. Miscellaneous
12.1 Precedence. This DPA controls over the Agreement as to processing of personal data. The SCCs/IDTA control over this DPA in a conflict.
12.2 Liability. Liability under this DPA is subject to the Agreement's limitation-of-liability terms.
12.3 Changes. Company may update this DPA to reflect regulatory or structural changes with 30 days' notice; updates will not materially reduce Customer's protections.
Annexes
- Annex I — List of parties, description of transfer, competent supervisory authority. To be completed per order form.
- Annex II — Technical and organizational measures (see §9).
- Annex III — EU SCCs (2021/914), modules 2 & 3, incorporated by reference.
- Annex IV — UK IDTA, incorporated by reference.
- Annex V — Sub-processor list (current version at /timemanager/pages/legal/sub-processors.html when published).