Data Processing Agreement
The contract that lets you (controller) lawfully use ChiefLab (processor) to process third-party personal data — prospects, customers, anyone whose data flows through your workspace.
How to use: sign this as it stands by emailing legal@chieflab.io with your workspace ID and a signed copy (PDF attached or DocuSign). We countersign within 3 business days. Enterprise buyers may negotiate clauses; the unmodified text is sufficient for self-signature.
1. Definitions
- Customer / Controller — the workspace owner.
- ChiefLab / Processor — ChiefLab and its operating entity.
- Personal Data — any data relating to an identified or identifiable natural person processed under this DPA.
- Subprocessor — any third party engaged by ChiefLab to process Personal Data; current list at /legal/subprocessors.
- GDPR — Regulation (EU) 2016/679, the UK GDPR, and substantively equivalent frameworks (PDPA Singapore, LGPD Brazil, etc.) where applicable.
- SCCs — Standard Contractual Clauses, EU Commission Decision 2021/914.
2. Scope and purpose
ChiefLab processes Personal Data solely to provide the service to Customer, per the documented instructions of (a) this DPA, (b) the Terms of Service, and (c) the configuration Customer establishes through the API and dashboard. Use of the service constitutes a documented instruction.
Categories of data processed: account information; repo context Customer submits; brand context; voice samples (approved + rejected drafts); prospect / contact data Customer records; engagement records; audit logs.
Categories of data subjects: Customer's workspace members; third parties (prospects, contacts, customer engagements) whose data Customer chooses to process via the service.
Duration: term of the ToS plus retention windows in the Privacy Policy.
3. Processor obligations
- Process Personal Data only on Customer's documented instructions. The service's documented behavior is an instruction; deviation requires explicit written authorization.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational measures set out in Annex 1.
- Notify Customer without undue delay, and where feasible within 72 hours, on becoming aware of a Personal Data Breach affecting Customer's data.
- Assist Customer in fulfilling data subject requests using the compliance primitives documented in the Privacy Policy §9.
- Assist Customer with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required.
- Maintain records of processing activities concerning Customer's Personal Data per GDPR Art. 30.
4. Subprocessors
Customer authorizes ChiefLab to engage the subprocessors listed at /legal/subprocessors (also reproduced in Annex 2).
ChiefLab will give Customer at least 30 days advance notice by email before adding or replacing a Subprocessor. Customer may object on reasonable data protection grounds. If the objection cannot be resolved by good-faith discussion, Customer may terminate the affected service component without penalty.
ChiefLab remains liable to Customer for the acts and omissions of its Subprocessors as if performed by ChiefLab. Each Subprocessor is bound by data protection obligations substantively equivalent to this DPA.
5. International transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the SCCs (Module Two — Controller to Processor) are incorporated by reference, with ChiefLab as data importer and Customer as data exporter. The optional docking clause is enabled; the optional arbitration provision in clause 18(b) is not selected (courts only).
Supplementary technical measures — encryption in transit (TLS 1.2+), encryption at rest, BYOK option for content-processing keys — backstop the SCCs per the European Data Protection Board's Schrems II recommendations.
For UK transfers, the UK International Data Transfer Addendum (issued by the UK ICO) is incorporated as a modification to the SCCs.
6. Audit rights
ChiefLab will respond to reasonable due-diligence questionnaires (SIG-Lite, CAIQ-Lite) within 30 days, no more than once per 12-month period except after a Personal Data Breach affecting Customer.
Under a custom enterprise agreement (negotiated via hi@chieflab.io — see the bottom of /pricing), Customer may request a third-party security audit. Where SOC 2 Type II reports are available, ChiefLab will share them under NDA. Until SOC 2 ships, ChiefLab provides: documented controls in Annex 1, reproducible audit scripts (HMAC verifier, approval-gate bypass test, GDPR delete test, GDPR Layer 2 test) under NDA, and on-request walkthrough of security controls with our engineering lead.
Audits are conducted under NDA, during business hours, with at least 30 days notice, and not in a manner that disrupts the service to other customers.
7. Data subject rights
Customer remains responsible for responding to data subject requests received from third parties whose data Customer processes. ChiefLab ships the technical tools to make this practical (all live in apps/mcp/src/tools.js):
- chieflab_delete_workspace({ confirm: "DELETE-MY-WORKSPACE" }) — Shipped. Hard-purge across all workspace tables; returns a deletion receipt.
- chieflab_export_subject({ handle }) — Shipped. Returns all data ChiefLab holds about a specific person: exact-match primary scan plus text-contains secondary scan (flagged for manual review).
- chieflab_purge_subject({ handle, confirm: "PURGE-SUBJECT" }) — Shipped. Two-phase tool: preview without confirm, surgical delete with confirm. Logs a subject.purge_completed audit event.
- chieflab_audit_log_read() — Shipped. Workspace-scoped access log read with a default 30-day window; max 1000 rows per call.
- chieflab_export_workspace() — Shipped. Full DSAR-grade workspace export, secrets redacted, 10,000 rows/table cap with escalation path.
For bespoke DSARs or tables that hit the export cap, ChiefLab fulfills manually on a 5-business-day SLA via privacy@chieflab.io. Customer may reference this fallback in customer-facing privacy notices.
If a data subject contacts ChiefLab directly with a request relating to a workspace, ChiefLab will not respond substantively; we will forward the request to Customer within 5 business days and provide reasonable assistance to Customer's response.
8. Data return and deletion
On termination of the ToS, Customer may export Personal Data via chieflab_export_workspace() for 30 days. After 30 days, ChiefLab hard-deletes Customer's Personal Data from primary systems within 7 days.
Supabase point-in-time recovery backups retain historical state for up to 7 days past hard deletion. ChiefLab will not restore from backups except for disaster recovery affecting Customer. We disclose this gap honestly in the Privacy Policy §7; we believe pretending it does not exist is the lie that ruins compliance posture.
9. Liability
Liability for breaches of this DPA is subject to the limits in the Terms of Service §6, except where law prohibits such limitation. Both parties commit to good-faith cooperation in remediating any Personal Data Breach.
10. Conflict
If this DPA conflicts with the ToS, this DPA controls for Personal Data processing. If the SCCs conflict with this DPA, the SCCs control for transfers in their scope.
11. Governing law
This DPA is governed by the laws of Singapore, except where the SCCs require EU member state law for their interpretation per SCC Module Two clause 17 (in which case the laws of Ireland apply for the SCC portion).
On Delaware C-corp incorporation, this clause will update to Delaware law for the non-SCC portion; the SCC portion will remain governed per clause 17 as required.
Annex 1 — Technical and organizational measures
Confidentiality
- Workspace + tenant isolation enforced via Supabase Row Level Security.
- API access requires Bearer token authentication; sandbox endpoints are IP rate-limited and clearly labeled.
- Approval gates required for every external action (publish, send, charge).
- Connector OAuth tokens and BYOK provider keys encrypted at rest in chieflab_connector_secrets.encrypted_token.
- Internal access to production data is logged and restricted to engineers on a need-to-access basis.
Integrity
- HMAC-signed reviewUrls with 7-day TTL and per-workspace revocation.
- Audit log on every read/write to sensitive tables.
- Reproducible audit scripts available during diligence: HMAC verifier, approval-gate bypass test.
Availability
- Vercel multi-region edge for the API runtime.
- Supabase managed Postgres with point-in-time recovery.
- Status page at /status.
Resilience and testing
- Disaster recovery via Supabase PITR (7-day window).
- Quarterly review of security controls by engineering lead.
- Vulnerability disclosure policy at /security; advertised in /.well-known/security.txt per RFC 9116.
Annex 2 — Subprocessors
Authoritative list maintained at /legal/subprocessors with effective dates and 30-day-notice commitment. Mirror reproduced inline at /trust for convenience; /legal/subprocessors controls in case of any discrepancy.