Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Controller") and MyCoordinated AI ("MyCoordinated" or "Processor") and applies whenever MyCoordinated processes personal data on the Customer's behalf in connection with the service.

1. Subject Matter and Duration

The Processor processes personal data on the Controller's behalf solely to provide the MyCoordinated AI service as described in the Terms of Service. This DPA applies for as long as the Processor processes personal data on the Controller's behalf.

2. Nature and Purpose of Processing

The Processor processes personal data to host the service, store uploaded documents, deliver AI-generated responses based on those documents, manage authentication, and support the Controller's administration of its account. Personal data is not used to train AI models.

3. Categories of Data and Data Subjects

  • Categories of personal data — account identifiers (email, name), authentication metadata, content of uploaded documents, chat messages, and usage/diagnostic logs.
  • Categories of data subjects — the Controller's authorised users and any individuals identifiable in documents the Controller uploads.

4. Processor Obligations

  • Process personal data only on documented instructions from the Controller, including those set out in the Terms of Service and this DPA.
  • Ensure personnel authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain the security measures described in Section 7.
  • Assist the Controller in responding to data-subject requests where reasonably possible.
  • Notify the Controller without undue delay of personal data breaches affecting the Controller's data.
  • On termination, delete or return the Controller's personal data in line with Section 11.

5. Sub-processors

The Controller authorises the Processor to engage the following sub-processors, each bound by contractual data-protection terms:

  • Supabase — managed Postgres, authentication, and object storage (data at rest encrypted with AES-256; data in transit secured with TLS).
  • OpenAI — AI language model inference.
  • Anthropic — AI language model inference.
  • Stripe — billing and payment processing; processes name, email, and payment data.
  • Resend — transactional email delivery; processes name and email.

The Processor will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor. The Controller may object on legitimate data-protection grounds, in which case the parties will work in good faith to find a resolution.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area, the parties rely on the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914) as the lawful transfer mechanism. Sub-processors located in the United States are bound by those clauses through MyCoordinated's contracts with them.

7. Security Measures

The Processor maintains technical and organisational measures appropriate to the risk, including:

  • Encryption of uploaded documents at rest (AES-256) and in transit (TLS 1.2+).
  • Per-user data isolation enforced at the database layer.
  • Role-based access controls and least-privilege defaults for operators.
  • OAuth/PKCE authentication and server-enforced session limits.
  • Logging, monitoring, and routine review of access to production systems.
  • A documented incident-response process.

8. Personal Data Breach

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, providing the information reasonably necessary for the Controller to meet its own notification obligations under applicable law.

9. Data Subject Rights

Taking into account the nature of the processing, the Processor will assist the Controller in fulfilling its obligations to respond to data-subject requests for access, rectification, erasure, restriction, portability, or objection.

10. Audits

On reasonable prior written request and no more than once per twelve-month period, the Processor will make available the information necessary to demonstrate compliance with this DPA. The parties may agree on third-party audit reports or written questionnaires as a substitute for on-site audits.

11. Return or Deletion of Data

On termination of the service, the Processor will, at the Controller's choice, delete or return all personal data processed on the Controller's behalf within 30 days, and will then delete any remaining copies, unless retention is required by applicable law.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails.

14. Contact

For questions about this DPA or to exercise data-protection rights, contact support@mycoordinated.com.