Data Processing Addendum
Effective: July 8, 2026 · Last updated: July 8, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between MySupportAgent, LLC (“MySupportAgent,” “Processor,” “we”) and the customer agreeing to the Agreement (“Customer,” “Controller,” “you”). It governs our processing of Personal Data on your behalf when we provide the Services. If there is a conflict, this DPA controls over the rest of the Agreement for matters of data protection.
Capitalized terms not defined here have the meaning given in the Agreement.
1. Definitions
- “Data Protection Laws” — all privacy and data-protection laws applicable to a party’s processing, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and U.S. state privacy laws (e.g., California, Colorado, Connecticut, Utah, Virginia), as applicable.
- “Personal Data” — information relating to an identified or identifiable person that we process on your behalf under the Agreement (i.e., your Shoppers’ and Authorized Users’ data within End-User Data / Customer Content).
- “Controller,” “Processor,” “Sub-processor,” “Data Subject,” “Process/Processing,” and “Personal Data Breach” have the meanings in the GDPR (or the equivalent under other Data Protection Laws).
- “Standard Contractual Clauses” / “SCCs” — the clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), and, for the UK, the UK International Data Transfer Addendum.
2. Roles and scope
You are the Controller (or a processor acting for another controller) of the Personal Data, and we are your Processor. We process Personal Data only to provide and support the Services and as otherwise instructed by you. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and categories of Data Subjects are described in Annex A.
3. Our obligations as Processor
We will:
- Process on documented instructions. Process Personal Data only on your documented instructions (including the Agreement, this DPA, and your use of the Services), unless required by law, in which case we will inform you unless legally prohibited.
- Confidentiality. Ensure personnel authorized to process Personal Data are bound by confidentiality.
- Security. Implement and maintain the technical and organizational measures in Annex B, appropriate to the risk.
- Sub-processors. Engage Sub-processors only as permitted in Section 5.
- Assist you. Taking into account the nature of the processing, provide reasonable assistance with (a) responding to Data Subject requests, (b) security of processing, (c) Personal Data Breach notification, and (d) data-protection impact assessments and prior consultations.
- Breach notice. Notify you without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting your Personal Data, with the information reasonably available to us.
- Deletion or return. On termination, delete or return Personal Data as described in Section 6.
- Records and audits. Make available information reasonably necessary to demonstrate compliance with this DPA, as described in Section 7.
4. Your obligations as Controller
You will: (a) comply with your obligations under Data Protection Laws as Controller; (b) have a lawful basis and provide any required notices to, and obtain any required consents from, Data Subjects for the processing; (c) issue only lawful instructions; and (d) not provide us with data outside the scope described in Annex A or the Agreement (for example, you will not configure the Services to collect payment-card data, government identifiers, or special-category/sensitive data, which the Services are not designed to process).
5. Sub-processors
5.1 You provide general authorization for us to engage Sub-processors to process Personal Data. Our current Sub-processors are listed in Annex C.
5.2 We will impose data-protection obligations on each Sub-processor that are substantially the same as those in this DPA, and we remain responsible for their performance.
5.3 We will give you notice (for example, by updating Annex C or the sub-processor page and, where you subscribe to notifications, by email) before adding or replacing a Sub-processor. You may object on reasonable data-protection grounds within 30 days; if we cannot reasonably accommodate your objection, you may terminate the affected Services and receive a refund of prepaid fees for the unused period.
6. Deletion or return
On expiry or termination of the Agreement, we will, at your choice, delete or return the Personal Data we process on your behalf, and delete existing copies unless retention is required by law. Consistent with the Agreement and Privacy Policy, exportable data is made available for 30 days after termination and then deleted or de-identified within a further 90 days. Aggregated or de-identified data that does not identify any Data Subject is not subject to this Section.
7. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and, on your reasonable written request no more than once per year (unless required by a supervisory authority or after a Personal Data Breach), provide responses to a reasonable security questionnaire and any third-party audit reports or certifications we maintain. On-site audits, where legally required, will be conducted on reasonable notice, during business hours, subject to confidentiality, and without unreasonably disrupting our operations.
8. International transfers
Where we process Personal Data subject to the GDPR, UK GDPR, or Swiss FADP and transfer it to a country without an adequacy decision, the Standard Contractual Clauses (and the UK Addendum and Swiss amendments, as applicable) are incorporated by reference and apply, with the parties completing the relevant modules and annexes using the information in this DPA and its Annexes. In the event of conflict, the SCCs prevail for such transfers.
9. Liability and governing law
Each party’s liability under this DPA is subject to the limitations and exclusions in the Agreement. This DPA is governed by the law of the State of North Carolina, USA, except that the SCCs are governed by the law they specify. The Agreement’s dispute-resolution terms apply, except where the SCCs require otherwise.
Annex A — Details of processing
- Subject matter: provision of the Services (AI customer support) under the Agreement.
- Duration: for the term of the Agreement, plus the deletion period in Section 6.
- Nature and purpose: hosting, processing, and generating responses to Shopper inquiries; verifying order lookups; creating conversation records and handoffs; and related support, security, and improvement of the Services.
- Types of Personal Data: Shopper identifiers and contact data provided in a conversation (such as name and email); the order number and email or postal/ZIP code used to verify an order lookup; the content of chat messages and conversation records; and Authorized-User account data. Excludes physical/mailing addresses, government identifiers, and payment-card data, which the Services do not store.
- Categories of Data Subjects: the Customer’s Shoppers (end customers) and the Customer’s Authorized Users.
- Special categories: none intended; you must not submit special-category data.
Annex B — Technical and organizational measures
- Encryption of sensitive secrets at rest and encryption of data in transit (TLS).
- Multi-tenant logical isolation (row-level security) so one merchant cannot access another’s data.
- Deterministic, server-side verification for order lookups (order number plus email or postal/ZIP code) so a Shopper only sees their own order.
- Access controls and least-privilege for personnel; authentication on administrative access.
- A data-minimization design that avoids storing addresses, government identifiers, and payment-card data.
- Logging and monitoring; secure software-development and change-management practices.
- Vendor/Sub-processor due diligence and contractual data-protection terms.
- Backup and recovery for the hosting and database platforms.
(These measures may be updated as the Services evolve, provided they do not materially reduce the level of protection.)
Annex C — Sub-processors (current)
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting | USA |
| Supabase, Inc. | Database and authentication | USA |
| Anthropic, PBC | AI provider (generates agent responses) | USA |
| Stripe, Inc. | Payment processing | USA |
| PostHog, Inc. | Product analytics | USA |
| Transactional email provider | Service and notification emails | USA |
The current list is maintained here and available on request. We will provide notice of changes as described in Section 5.3.
Contact
Data-protection questions: privacy@mysupportagent.ai · Legal: legal@mysupportagent.ai
MySupportAgent, LLC — North Carolina, USA