Data Processing Agreement
Effective: March 2026 · Version 1.0
This Data Processing Agreement ("DPA") governs the processing of personal data by dailyOps on behalf of the Customer ("Data Controller"), pursuant to GDPR Article 28.
1. Definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person (GDPR Art. 4(1))
- "Processing" — Any operation performed on Personal Data (GDPR Art. 4(2))
- "Data Controller" — The Customer who determines purposes and means of processing
- "Data Processor" — dailyOps, which processes data on behalf of the Controller
- "Sub-processor" — A third party engaged to process data on behalf of the Controller
2. Subject Matter & Duration
The Data Processor processes Personal Data to provide digital HACCP compliance services including record-keeping, AI-assisted data extraction, team management, and compliance reporting. This DPA remains in effect for the duration of the Customer's subscription.
3. Nature & Purpose of Processing
| Purpose | Description |
|---|---|
| Service delivery | Storing and displaying HACCP compliance records |
| AI data extraction | Processing label images through AI to extract product information |
| AI chat assistant | Processing natural language queries for HACCP actions |
| Team management | Managing user accounts, roles, permissions, and tasks |
| Email communications | Sending invitations and password resets via Resend |
| Payment processing | Managing subscriptions and payments via Stripe |
| Audit logging | Immutable records of all data changes |
4. Types of Personal Data
Identity data (name, email), authentication data (hashed password, sessions), organizational data (org name, country, role), operational HACCP data (records attributed to users), AI interaction data (label images, chat messages), communication data (email), technical data (IP, user agent), and audit data (user ID, timestamps, change snapshots).
5. Categories of Data Subjects
Organization owners, managers, and staff members — all employees or authorized representatives of the Customer's food service business.
6. Data Processor Obligations
- Process data only on documented instructions of the Controller
- Ensure authorized persons are bound by confidentiality
- Implement appropriate security measures (see Appendix)
- Not engage Sub-processors without prior authorization
- Assist with Data Subject rights requests
- Notify Controller of data breaches within 72 hours
- Assist with data protection impact assessments
- Allow for compliance audits by the Controller
- Return or delete data upon subscription termination
7. Sub-processors
The Controller authorizes the following Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI label extraction and chat (ephemeral) | United States | SCCs |
| Stripe | Payment processing | United States / EU | SCCs, PCI-DSS Level 1 |
| Resend | Transactional email | United States | SCCs |
| | OAuth authentication (optional) | United States | SCCs |
The Processor will notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object; unresolved objections permit subscription termination.
8. International Data Transfers
Personal Data may be transferred to Sub-processors in the United States. All transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Data Controller Obligations
The Controller shall ensure lawful basis for processing, provide accurate data, inform Data Subjects per GDPR Articles 13/14, respond to Data Subject requests, and notify the Processor of instruction changes.
10. Liability
Each party's liability is subject to the limitations in the Terms of Service.
11. Term & Termination
This DPA is effective from service start through subscription duration. Upon termination, data will be returned or deleted within 90 days at the Controller's choice, unless retention is required by law.
Appendix: Technical & Organizational Security Measures
TLS 1.3 in transit, database encryption at rest, cryptographic password hashing.
Email/password with hashed credentials, HTTP-only session cookies, three-role RBAC, multi-tenant isolation via tenantId on every query.
Zod input validation, Prisma parameterized queries, Better Auth CSRF protection, Stripe webhook verification, Next.js XSS protections.
Immutable append-only audit trail, PostgreSQL 16 transactional integrity.
Label images processed ephemerally, chat processed ephemerally (not retained for training), client-side image resizing, explicit user approval for AI write actions.
Confidentiality obligations, 72-hour breach notification, data processing agreements with all Sub-processors.
Contact
For DPA-related inquiries, contact our data protection team.