Legal

Data Processing Addendum

When you use AI Growth Officer to process personal data that belongs to your customers or employees, you are the controller and we are the processor. This DPA governs that relationship.

Last updated: 2026-04-20

In one paragraph

We sign a standard Data Processing Addendum with every paid customer. It commits us to process Customer Data only on your documented instructions, apply the technical and organizational safeguards described on our Security page, use only the subprocessors we publicly list, notify you of new ones at least 30 days in advance, help you respond to data-subject requests, notify you without undue delay of any incident, and return or delete Customer Data on termination. The full text incorporates the EU Standard Contractual Clauses where cross-border transfers apply.

How to get our DPA

Email [email protected] with the subject DPA request and include:

  • Your legal entity name (the signing party on your side).
  • Your account email or tenant identifier on AI Growth Officer.
  • Whether you want our standard DPA or have your own template you'd like us to review.

We countersign our standard DPA within one business day. Custom DPAs take up to five business days depending on review complexity.

Scope & duration

The DPA applies as long as you have an active subscription. It terminates automatically when your subscription ends, except for surviving obligations (audit cooperation, return of Customer Data, confidentiality of what we learned while serving you).

Categories of data we process

On your behalf, we may process:

  • Contact details of people inside your organization who use the Portal (name, work email, role).
  • Identifiers of IM channels and accounts you connect (Slack channel ID, Discord guild ID, etc.).
  • Content of briefings, approvals, and outbound messages — which may include personal data about third parties if you configure a connector that surfaces it.
  • Activity logs tied to your tenant (schedules triggered, approvals granted, errors).

We do not knowingly receive special categories of data (e.g. health, biometric, or children's data). If your planned use case touches those categories, stop and email [email protected] so we can assess together.

Categories of data subjects

  • Your employees and contractors who use the Portal.
  • Your customers, prospects, or other third parties surfaced through connectors you configure.

International transfers & SCCs

For EU and UK customer data transferred outside the EEA/UK, we rely on the EU Commission's Standard Contractual Clauses (Module Two: controller-to-processor) and, where relevant, the UK's International Data Transfer Addendum. The SCCs are incorporated by reference in our DPA; they prevail over any conflicting provision.

Subprocessors

The current list of subprocessors is published on our Security page. You can subscribe to email notifications for subprocessor changes at that link.

Contact

For all DPA-related matters — new requests, amendments, subprocessor objections, audit cooperation — email [email protected].

Data Processing Addendum · Ceres