Data Processing Agreement (DPA)

Last Updated: March 25, 2026

This Data Processing Agreement complies with GDPR Article 28 and governs the processing of personal data by Gantta on behalf of business customers.

1. Definitions

  • Controller: The business customer who determines the purposes and means of processing personal data
  • Processor: Gantta, who processes personal data on behalf of the Controller
  • Data Subject: Individuals whose personal data is processed (meeting participants, employees, etc.)
  • Personal Data: Any information relating to an identified or identifiable person (meeting recordings, emails, names, etc.)
  • Processing: Any operation performed on personal data (recording, transcription, analysis, storage, etc.)
  • GDPR: General Data Protection Regulation (EU) 2016/679

2. Scope and Purpose

This DPA applies to all personal data processed by Gantta in providing the AI meeting assistant service to the Controller.

  • Purpose: Processing is limited to providing Gantta services (meeting recording, transcription, action extraction, automated follow-ups)
  • Duration: For the duration of the subscription plus 30 days after termination
  • Types of Data: Meeting recordings, transcriptions, action items, user emails, Slack messages, integration tokens, user profiles
  • Categories of Data Subjects: Meeting participants, employees, contractors, and other individuals whose data is processed

3. Obligations of Gantta (Processor)

3.1 Processing Instructions

  • Process personal data only on documented instructions from the Controller
  • Not process data for any purpose other than providing the Service
  • Inform Controller if instructions violate GDPR or other applicable laws

3.2 Confidentiality

  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Maintain confidentiality of personal data at all times
  • Provide regular training on data protection and confidentiality

3.3 Security Measures

We implement appropriate technical and organizational measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • JWT-based authentication and access controls
  • Role-based access control (RBAC) and least-privilege principles
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Regular backups and disaster recovery plans
  • Employee security training and awareness programs

3.4 Data Subject Rights

We will assist the Controller in responding to data subject requests:

  • Access requests - Provide data within 7 days
  • Deletion requests - Delete data within 7 days
  • Rectification requests - Correct inaccurate data
  • Portability requests - Provide data in structured format
  • Objection requests - Cease processing where applicable

3.5 Data Breach Notification

  • Notify Controller within 24 hours of becoming aware of a data breach
  • Provide details: nature of breach, categories affected, likely consequences, measures taken
  • Assist Controller in notifying supervisory authorities and data subjects if required

3.6 Data Return/Deletion

  • Upon termination, return or delete all personal data within 30 days
  • Provide certification of deletion upon request
  • Retain only data required by law (in anonymized form where possible)

3.7 Audit and Documentation

  • Maintain records of processing activities
  • Make available security documentation for audits
  • Allow on-site inspections with reasonable advance notice
  • Provide information necessary to demonstrate GDPR compliance

4. Sub-Processors

4.1 Authorized Sub-Processors

We use the following sub-processors:

  • Supabase: Database hosting and authentication services
  • OpenAI/Anthropic: AI processing services for transcription and analysis
  • Cloud Storage Providers: Secure storage of meeting recordings and data
  • Email Service Providers: Transactional and notification emails
  • Payment Processors: Secure payment processing

4.2 Sub-Processor Requirements

  • All sub-processors are bound by equivalent data protection obligations
  • We enter into data processing agreements with all sub-processors
  • Sub-processors are required to implement appropriate security measures

4.3 Changes to Sub-Processors

  • We will notify Controller of any new sub-processors at least 30 days in advance
  • Controller may object to new sub-processors within 14 days
  • If objection cannot be resolved, Controller may terminate the agreement

5. Data Subject Rights

We will assist the Controller in fulfilling data subject rights under GDPR:

  • Right of Access (Article 15): Provide data subjects with access to their personal data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Delete personal data upon request
  • Right to Restriction (Article 18): Restrict processing where applicable
  • Right to Data Portability (Article 20): Provide data in structured, machine-readable format
  • Right to Object (Article 21): Cease processing where data subject objects

We will respond to Controller's requests for assistance within 7 business days.

6. Security Measures

We implement comprehensive security measures including:

  • Encryption: All data encrypted in transit (TLS) and at rest (AES-256)
  • Access Controls: Multi-factor authentication, role-based access, least-privilege principles
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Application Security: Regular security testing, code reviews, vulnerability scanning
  • Incident Response: Documented procedures for detecting and responding to security incidents
  • Employee Training: Regular security awareness training for all staff
  • Physical Security: Secure data centers with restricted access

7. Data Breach Notification

In the event of a personal data breach:

  • We will notify the Controller without undue delay and in any event within 24 hours
  • Notification will include:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Categories and approximate number of personal data records concerned
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • We will assist Controller in notifying supervisory authorities and data subjects if required
  • We will document all breaches and remedial actions taken

8. International Data Transfers

Personal data may be transferred to and processed in countries outside the EEA:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to third countries
  • Data Location: Data is primarily stored in [specify regions - e.g., US, EU]
  • Adequate Safeguards: All transfers include appropriate safeguards as required by GDPR
  • Sub-Processor Transfers: All sub-processors are bound by equivalent transfer mechanisms

9. Audit Rights

The Controller has the right to:

  • Conduct audits of our data processing activities with reasonable advance notice (at least 30 days)
  • Request security documentation and compliance certifications
  • Inspect our facilities and systems (subject to security and confidentiality requirements)
  • Request third-party audit reports (SOC 2, ISO 27001, etc.)
  • Use independent auditors, subject to confidentiality agreements

Audits must be conducted during business hours and must not disrupt our operations.

10. Liability and Indemnification

  • We are liable for damages caused by processing only where we have not complied with GDPR obligations
  • Our liability is limited to direct damages and excludes indirect, consequential, or punitive damages
  • We maintain appropriate insurance coverage for data protection incidents
  • Each party is liable for its own GDPR violations

11. Termination

  • This DPA terminates when the main service agreement terminates
  • Upon termination, we will return or delete all personal data within 30 days
  • We will provide certification of deletion upon request
  • We may retain data required by law (in anonymized form where possible)
  • Provisions regarding confidentiality, liability, and dispute resolution survive termination

12. Governing Law

This DPA is governed by [specify jurisdiction - e.g., laws of Ireland for EU customers]. Any disputes will be resolved in accordance with the dispute resolution provisions of the main service agreement.

Contact

For questions about this DPA, contact our Data Protection Officer:

Email: dpo@gantta.co

Address: [Your Company Address]