1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data — i.e., the customer using OutreachAgent.
"Processor" means Emacron AI Technologies, which processes personal data on behalf of the Controller as part of providing the Service.
"Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the individual whose Personal Data is processed (e.g., a lead, contact, or customer in the Controller's workspace).
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
2. Scope & Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the OutreachAgent service, which includes:
- Storing and managing contact records, leads, and customer data in the CRM
- Sending and receiving emails, WhatsApp messages, SMS, and other communications on behalf of the Controller
- Processing conversation data for AI-powered features (reply suggestions, lead scoring, intent detection)
- Generating analytics, reports, and dashboards based on workspace data
- Managing deal pipelines, tasks, and workflow automations
3. Types of Personal Data Processed
| Category | Examples |
|---|---|
| Contact identifiers | Name, email address, phone number, company, job title |
| Communication content | Email bodies, WhatsApp messages, SMS content, chat transcripts |
| Behavioural data | Email open/click events, website visits (via tracking pixel), form submissions |
| CRM metadata | Deal values, pipeline stages, tags, notes, custom fields |
| Social profile data | LinkedIn URL, Facebook Page ID, WhatsApp Business Account ID |
| Technical identifiers | IP addresses, browser user agent (from form submissions or tracking) |
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorised to process Personal Data have committed to confidentiality
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 7)
- Not engage another processor (sub-processor) without prior written authorisation of the Controller
- Assist the Controller in responding to Data Subject access, rectification, erasure, and portability requests
- Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIA)
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database infrastructure & authentication | EU (Frankfurt) |
| Resend | Transactional email delivery | US |
| Twilio | SMS delivery | US |
| Stripe | Payment processing | US |
| Cloudflare | CDN, DDoS protection, R2 storage | Global |
| Hetzner | Application server hosting | EU (Germany) |
| Meta Platforms | WhatsApp Business API, Messenger, Instagram | US/EU |
| Google | Gmail API (when connected by user) | US |
| Microsoft | Outlook/Graph API (when connected by user) | US/EU |
6. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provide the Controller with sufficient information to meet any obligations to report or notify Data Subjects of the breach
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document all breaches, including their effects and the remedial action taken
7. Technical & Organisational Measures
The Processor implements the following measures to protect Personal Data:
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for all sensitive data, credentials, and tokens |
| Encryption in transit | TLS 1.3 for all client-server and service-to-service communication |
| Access control | Role-based permissions (owner, admin, agent, viewer) with principle of least privilege |
| Authentication | Bcrypt password hashing, TOTP 2FA, OAuth 2.0 with PKCE |
| Audit logging | Immutable log of all data access, modifications, and administrative actions |
| Data isolation | Workspace-level row-level security (RLS) enforced at the database layer |
| Backup & recovery | Point-in-time recovery with encrypted backups retained for 30 days |
| Vulnerability management | Regular dependency audits, automated scanning, and responsible disclosure programme |
8. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) and Module 3 (Processor to Sub-processor)
- EU-US Data Privacy Framework (DPF) certification where applicable
- Adequacy decisions recognised by the European Commission
- Supplementary measures (encryption, access controls) where required by the Schrems II decision
9. Data Retention & Deletion
Upon termination of the agreement or at the Controller's request:
- The Processor shall delete all Personal Data within 30 days, unless retention is required by law
- The Controller may request a data export in a machine-readable format (JSON/CSV) before deletion
- Backup copies are purged within 30 days of the primary data deletion
- The Processor shall provide written confirmation of deletion upon request
10. Audits & Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA. The Controller or an independent third-party auditor may conduct audits, subject to reasonable notice and confidentiality obligations.
11. Term & Termination
This DPA shall remain in effect for the duration of the Controller's use of OutreachAgent. It shall automatically terminate when the underlying service agreement terminates. The obligations regarding data deletion (Section 9) and confidentiality survive termination.
12. Contact
For questions about this DPA or to request a signed copy:
Legal Team
Emacron AI Technologies
Fourth Floor, City Vista, Kharadi, Pune 411014, India
[email protected]