Legal

Data Processing Agreement

Effective date: 13 June 2026 · Last updated: 13 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between AmDital(“Processor”) and the customer (“Controller”) and is incorporated into the Terms of Service.

1. Definitions

Terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and, where applicable, the UK GDPR.

“GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR as retained in UK law.
“Personal Data” has the meaning given in Article 4(1) GDPR.
“Processing” has the meaning given in Article 4(2) GDPR.
“Controller” means the customer who signs up to use the Service.
“Processor” means AmDital.
“Sub-processor” means any third party engaged by AmDital to process Personal Data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.

2. Subject matter and duration of processing

AmDital processes Personal Data on behalf of the Controller for the duration of the subscription term and for such additional period as may be required to fulfil legal obligations or as permitted by the Terms of Service for data export purposes (30 days post-cancellation). Processing is carried out in connection with the provision of the Service as described in the Terms of Service.

3. Nature and purpose of processing

AmDitalprocesses Personal Data to: provide access to the Service; store and retrieve workspace data on the Controller's behalf; send transactional notifications; provide customer support; and monitor for security incidents. Processing is limited to what is strictly necessary for these purposes.

4. Categories of personal data processed

Category	Examples
Employee / team member data	Name, email, job title, department, leave records, performance data, payroll data
Customer / CRM contact data	Contact name, email, phone, company, deal history, communications
End-user / support requester data	Name, email, support ticket content, conversation history
Usage and activity data	Login events, feature usage, time tracking, activity log (opt-in only)
Billing and financial data	Stripe customer ID, subscription status, invoice records
AI interaction data	Prompts sent to Ami, generated outputs (stored per retention policy)

5. Categories of data subjects

Workspace members— employees, contractors, and administrators of the Controller's organisation who use the Service.
CRM contacts— individuals whose data is stored in the Controller's CRM module (leads, prospects, clients, partners).
Support requesters— individuals who submit support tickets via the Controller's helpdesk module.
Recruitment candidates— individuals whose data is stored in the Controller's recruitment module.

6. Processor obligations

AmDital undertakes to:

Process Personal Data only on documented instructions from the Controller (the Terms of Service and any written instructions).
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organisational security measures (see Section 8).
Not engage Sub-processors without the Controller's prior general or specific written authorisation.
Assist the Controller in fulfilling data subject rights requests within the timeframes required by the GDPR.
Assist the Controller with data protection impact assessments (DPIAs) where required.
Delete or return all Personal Data at the end of the service relationship as instructed, subject to applicable legal obligations.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and permit and contribute to audits.
Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach.

7. Sub-processors

The Controller grants general authorisation for AmDital to engage the following approved Sub-processors. AmDital will notify the Controller of any intended changes at least 14 days in advance, giving the Controller the opportunity to object.

Sub-processor	Purpose	Transfer mechanism
Supabase Inc.	Database and authentication	SCCs (EU-US) or EU-region hosting
Stripe Inc.	Payment processing	SCCs (EU-US)
Functional Software Inc. (Sentry)	Error monitoring	SCCs (EU-US)
PostHog Inc.	Product analytics	SCCs (EU-US) or EU-region hosting
Vercel Inc.	Application hosting	SCCs (EU-US)

8. Technical and organisational security measures

AmDital implements the following measures in accordance with Article 32 GDPR:

Pseudonymisation and encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3).
Access control: Row-Level Security (RLS) on all database tables; role-based access control with least-privilege principle; MFA enforced for administrative access.
Data isolation: Strict workspace isolation — no cross-tenant data access is architecturally possible via RLS policies scoped to Supabase JWT workspace claims.
Availability: Vercel and Supabase SLAs provide 99.9% uptime; automated backups with point-in-time recovery.
Incident response: Continuous monitoring via Sentry; documented incident response process; 72-hour breach notification commitment.
Vendor management: All sub-processors are subject to DPAs; regular review of sub-processor security posture.
Employee training: All personnel with data access are trained on data protection obligations and bound by confidentiality agreements.

9. Data subject requests

AmDital will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within 30 days. The Controller remains the primary point of contact for data subjects.AmDital will promptly forward any data subject requests received directly to the Controller.

10. Breach notification

In the event of a Personal Data breach, AmDital will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach; categories and approximate number of data subjects affected; categories and approximate number of Personal Data records affected; likely consequences; and measures taken or proposed to address the breach.

11. Audit rights

AmDitalwill make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including upon reasonable written request: security certifications, penetration test summaries (redacted), and audit reports. Physical audits may be conducted with 30 days' written notice, subject to reasonable confidentiality obligations.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

13. Governing law

This DPA is governed by the same law as the Terms of Service (England and Wales, subject to review by qualified legal counsel).

14. Contact

Data protection enquiries: AmDital · privacy@amdital.com