Data Processing Addendum
This DPA forms part of the agreement between you ("Controller") and Digital Bar AI, Inc. ("Processor") and governs the processing of personal data by us on your behalf.
Request a counter-signed copy
Email legal@digitalbar.ai with your legal entity name and we'll return a counter-signed DPA within 2 business days.
Request DPA1. Subject matter and duration
We process personal data only as necessary to provide the DigitalBar platform under the Master Services Agreement. Processing continues for the duration of the agreement plus any retention period required for backups, legal holds, or billing reconciliation.
2. Nature and purpose of processing
Storage, retrieval, organization, transmission, AI inference, voice synthesis and transcription, email delivery, and any other operations reasonably necessary to provide the platform features you configure.
3. Categories of data subjects and personal data
- Your end users (account holders): name, email, role, authentication tokens
- Your contacts and leads: name, email, phone, company, notes, call recordings, transcripts
- Your prospects: publicly available business information you research
4. Sub-processors
We engage the sub-processors listed at /subprocessors. We give you 30 days' notice before adding a new sub-processor via the email address you register for security updates. You may object on reasonable grounds.
5. Security measures
We implement the technical and organizational measures described on our Trust Center and in Annex II to this DPA, including encryption in transit and at rest, RLS-based tenant isolation, audit logging, access controls, and incident response procedures.
6. International transfers
Where personal data of EEA, UK, or Swiss data subjects is transferred outside an adequacy region, the EU Standard Contractual Clauses (Module 2 / Module 3, as applicable) and the UK International Data Transfer Addendum are incorporated by reference and apply between the parties.
7. Data subject rights
We assist you in fulfilling requests from data subjects via /privacy-requests within a reasonable time, taking into account the nature of the processing.
8. Personal data breach notification
We notify you without undue delay, and in any case within 72 hours of becoming aware of a confirmed personal data breach affecting your data, with the information required by Article 33(3) GDPR to the extent then available.
9. Audits
We make available the SOC 2 reports, penetration test attestations, and security questionnaires reasonably necessary to demonstrate compliance. On-site audits may be arranged with reasonable notice and at the requesting party's cost.
10. Deletion and return
On termination, we delete or return all customer personal data within 30 days, except where retention is required by law. Encrypted backups are purged within 90 days of termination.
This page is a summary for transparency. The legally binding DPA is the counter-signed document you receive from legal@digitalbar.ai. If there is any conflict, the signed DPA controls.