Data Processing Agreement
Effective Date: February 1, 2026
Contact: legal@mypepper.io
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Fieldcrest Ventures LLC, operator of Pepper ("Processor") and the customer purchasing or using the Pepper service ("Controller"). This DPA applies to the processing of personal data by Processor on behalf of Controller in connection with the provision of the Pepper service.
Pepper is an AI executive assistant designed to integrate with email (Gmail), calendar (Google Calendar), and cloud services to provide productivity and scheduling assistance through artificial intelligence. This DPA outlines how personal data is processed, protected, and managed in compliance with applicable privacy laws.
2. Definitions
"Controller"
The natural or legal person who determines the purposes and means of processing of personal data. For the Pepper service, the customer or organization is the Controller.
"Processor"
Fieldcrest Ventures LLC, which processes personal data on behalf of the Controller according to this DPA and the terms of the service agreement.
"Personal Data"
Any information relating to an identified or identifiable natural person. In the context of Pepper, this includes email addresses, email content, calendar information, sender/recipient names, and other identifiable information processed through the service.
"Processing"
Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, erasure, or destruction.
"Sub-processor"
Any natural or legal person other than Processor that processes personal data on behalf of Processor and the Controller, such as cloud infrastructure providers and third-party API services.
"Data Subject"
The individual to whom personal data relates. For email-based processing, this includes email senders, recipients, and other identifiable individuals referenced in email communications or calendar data.
"Data Breach"
A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
3. Scope and Purpose of Processing
This DPA applies to the processing of personal data that Controller provides to or becomes available to Processor through the Pepper service, specifically:
- Email Processing: Reading, classifying, analyzing, and generating responses to emails integrated through Gmail
- Calendar Management: Analyzing calendar events, preparing meeting summaries, and scheduling optimization
- AI-Assisted Communication: Using artificial intelligence to draft responses, classify priorities, and provide executive assistance
- Semantic Analysis: Computing semantic embeddings for search, classification, and content understanding
4. Types of Personal Data Processed
Processor processes the following categories of personal data:
| Data Category | Description | Storage |
|---|---|---|
| Email Metadata | Sender, recipients, subject line, timestamps, labels | Stored permanently |
| Email Content | Email body text (fetched on-demand) | Transient (not permanently stored) |
| Calendar Data | Event titles, attendees, descriptions, timestamps | Stored while account active |
| Semantic Embeddings | Mathematical vector representations of content (not reconstructible to original text) | Stored permanently |
| OAuth Tokens | Authentication credentials for Gmail/Google Calendar access | Encrypted storage |
| Account Information | Name, email address, Google account ID, account preferences | Stored while account active |
5. Categories of Data Subjects
The following categories of individuals may have personal data processed:
- Account Holders: Employees or individuals who directly use the Pepper service within an organization
- Email Correspondents: Senders and recipients of emails processed through Pepper
- Meeting Attendees: Individuals referenced in calendar events and meeting information
- Referenced Contacts: Any third parties mentioned in email content or calendar data
6. Duration of Processing
Personal data is processed for the duration that the Controller's account remains active. The processing periods are as follows:
- During active subscription: Personal data is continuously processed while the account is in use
- Account cancellation: Upon termination of the account, Controller may request deletion of all personal data
- Data deletion timeline: All personal data will be permanently deleted within 30 days of account deletion request, unless legally required to retain
- Legal obligations: Certain data may be retained longer if required by law or for security purposes
7. Obligations of the Processor
Fieldcrest Ventures LLC commits to the following obligations:
7.1 Processing in Accordance with Instructions
Processor will process personal data only in accordance with documented written instructions from Controller, including regarding international transfers of data, unless required by law. Processor will immediately notify Controller if a legal obligation requires processing beyond the scope of Controller's instructions.
7.2 Confidentiality
Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate legal obligation of confidentiality. Personnel are trained on data protection obligations and the confidential nature of personal data.
7.3 Security Measures
Processor implements and maintains appropriate technical and organizational security measures including:
- Encryption in transit: All personal data is encrypted with TLS 1.3 during transmission
- Encryption at rest: Stored personal data is encrypted using AES-256
- Token encryption: OAuth tokens are encrypted with AES-256-GCM
- Access controls: Role-based access control and least privilege principles
- Logging and monitoring: Security event logging and real-time threat monitoring
- Regular updates: Timely patching of systems and dependencies
7.4 Sub-processor Management
Processor maintains a list of authorized Sub-processors (see Section 8) and obtains prior authorization from Controller before adding or replacing Sub-processors. Controller is notified of any changes to the Sub-processor list at least 30 days in advance, and Controller has the right to object to new Sub-processors.
7.5 Data Subject Rights Assistance
Processor will assist Controller in fulfilling the rights of data subjects, including:
- Right to access personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
7.6 Data Breach Notification
In the event of a suspected or confirmed data breach involving personal data, Processor will notify Controller without undue delay and in no case later than 72 hours after becoming aware of the breach (where feasible). The notification will include details of the breach, affected data categories, likely consequences, and recommended mitigating measures.
7.7 Data Deletion and Return
Upon termination of services or at Controller's request, Processor will promptly delete or return all personal data unless retention is required by law. Processor will certify deletion upon request within 30 days of the deletion request.
7.8 Audit and Compliance
Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections by Controller or Controller's auditor, including making available relevant personnel. Processor will maintain documentation of processing activities and security measures.
7.9 Privacy by Design
Processor implements privacy and data protection principles by design, including data minimization, purpose limitation, and storage limitation. Transient processing (e.g., email content fetched on-demand) is prioritized where feasible to minimize storage footprint.
8. Authorized Sub-processors
Processor uses the following Sub-processors to provide the Pepper service. Each Sub-processor has appropriate technical and organizational security measures in place and is contractually bound to process personal data according to this DPA.
| Sub-processor Name | Location | Purpose |
|---|---|---|
| Google LLC | US | Gmail API access for email integration, Google Calendar API |
| Anthropic PBC | US | AI processing via Claude API for email classification and response generation |
| Voyage AI | US | Semantic embeddings and vector database for search and classification |
| Vercel Inc. | US | Edge computing platform for application hosting and execution |
| Neon (Compute Labs) | US East | PostgreSQL database hosting and management |
| Upstash | US East | Redis-compatible cache for ephemeral data and session management |
| Pusher | US | Real-time messaging and WebSocket communication |
Processor may add new Sub-processors upon prior written notification to Controller and provision of reasonable opportunity to object. Controller may request removal of a Sub-processor, and Processor will cooperate in good faith to address reasonable concerns regarding Sub-processor data protection practices.
9. Obligations of the Controller
Controller is responsible for the following:
9.1 Lawful Instructions
Controller ensures that any instructions provided to Processor comply with applicable laws and regulations and that Controller has the lawful right to process personal data through Pepper.
9.2 Consent and Legal Basis
Controller is responsible for obtaining necessary consents from data subjects or establishing a lawful basis for processing personal data through Pepper, including compliance with all applicable privacy laws.
9.3 Accuracy and Quality
Controller is responsible for ensuring that personal data provided to Processor is accurate, complete, and not excessive for the purposes for which it is processed.
9.4 Privacy Notices
Controller is responsible for providing appropriate privacy notices to data subjects regarding the processing of personal data through Pepper, including information about Sub-processors and the use of artificial intelligence.
9.5 Data Protection Impact Assessments
Controller will conduct appropriate data protection impact assessments as required by applicable law and provide Processor with any information necessary for Processor's compliance obligations.
9.6 Cooperation
Controller will cooperate with Processor and provide all necessary information to assist Processor in meeting its obligations under this DPA and applicable law.
10. Technical and Organizational Security Measures
Processor implements comprehensive security measures appropriate to the risks presented by processing personal data:
10.1 Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- AES-256-GCM for OAuth token storage
10.2 Access Control
- Role-based access control (RBAC) for all systems
- Principle of least privilege for all personnel and services
- Multi-factor authentication for administrative access
10.3 Infrastructure Security
- Vercel Edge functions in US region for edge computing
- Neon PostgreSQL with US East (us-east-1) location
- Upstash Redis US East region for ephemeral caching
- DDoS protection and rate limiting
- Web Application Firewall (WAF) rules
10.4 Monitoring and Logging
- Real-time security event logging and monitoring
- Intrusion detection and prevention systems (IDS/IPS)
- Security Information and Event Management (SIEM)
- Audit logs retained for minimum 12 months
10.5 Vulnerability Management
- Regular security patching and updates
- Automated dependency scanning and vulnerability assessment
- Periodic penetration testing and security audits
10.6 Personnel Security
- Data protection training and confidentiality agreements for all personnel
- Background checks for personnel with access to personal data
- Access revocation upon termination of employment
10.7 Data Minimization
- Email content fetched on-demand and processed transiently
- Only necessary metadata stored permanently
- Semantic embeddings (non-reconstructible) used instead of raw text storage
11. Data Breach Notification Procedures
In the event of a data breach involving personal data, Processor follows these procedures:
11.1 Immediate Notification
Upon discovery of a confirmed or suspected breach, Processor will notify Controller without undue delay and in no case later than 72 hours after becoming aware of the breach. For urgent breaches, Processor will attempt notification by telephone and email within 24 hours.
11.2 Notification Content
Breach notifications will include:
- Description of the breach and how it occurred
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures Processor has taken or proposes to take to address the breach and mitigate harm
- Contact details of Processor's data protection officer or privacy contact
11.3 Investigation and Remediation
Processor will conduct a thorough investigation of the breach, determine its root cause, and implement measures to prevent recurrence. Processor will provide regular updates to Controller and cooperate fully with any regulatory investigations.
11.4 Regulatory Reporting
Processor will assist Controller in fulfilling its obligations to notify regulatory authorities and affected data subjects as required by law. Processor will provide all necessary information to enable Controller to meet legal notification requirements.
12. Assistance with Data Subject Rights
Processor will assist Controller in fulfilling data subjects' rights under applicable privacy laws. These rights vary by jurisdiction but typically include:
12.1 Right to Access
Upon a data subject's request, Processor will assist Controller in providing a copy of all personal data relating to the data subject, including email metadata, calendar data, and semantic embeddings associated with the data subject.
12.2 Right to Rectification
Processor will assist Controller in correcting inaccurate or incomplete personal data upon the data subject's request.
12.3 Right to Erasure
Upon a data subject's request, Processor will assist Controller in deleting personal data where the data is no longer necessary, the data subject withdraws consent, or other legal grounds apply. Processor will erase or anonymize all personal data relating to the data subject within 30 days unless legally required to retain the data.
12.4 Right to Restrict Processing
Processor will assist Controller in restricting the processing of personal data upon a data subject's request, limiting processing to storage and essential uses.
12.5 Right to Data Portability
Processor will assist Controller in providing personal data relating to a data subject in a structured, commonly used, machine-readable format (such as CSV or JSON) to enable portability to another service.
12.6 Right to Object
Processor will assist Controller in honoring a data subject's objection to processing where applicable. Controller has sole responsibility for determining the legal basis for processing and whether an objection must be honored.
12.7 Response Timeline
Processor will respond to requests for data subject rights assistance within 10 business days. Processor will notify Controller of any requests received from data subjects, regulatory authorities, or legal counsel regarding personal data.
13. International Data Transfers
Geographic Scope: Pepper is designed for US-only customers and processes all personal data within the United States. The service is not intended for users located outside the United States, and Controller is responsible for ensuring compliance with applicable laws regarding cross-border data transfers.
13.1 US Data Processing
All personal data is processed within the United States by US-based infrastructure:
- Vercel Edge: US region
- Neon PostgreSQL: us-east-1 (US East)
- Upstash Redis: US East
- Pusher: US region
13.2 Sub-processor Transfers
Some Sub-processors (Google, Anthropic, Voyage AI) may process personal data as part of their standard operations. These Sub-processors have their own data processing agreements and privacy policies that govern data transfers.
13.3 European and International Customers
For customers subject to GDPR or other international privacy laws, Processor will enter into Standard Contractual Clauses (SCCs) as approved by the European Commission to lawfully transfer personal data from the EEA or other jurisdictions. Upon request, Processor will provide executed SCCs or alternative contractual mechanisms compliant with GDPR Article 46.
13.4 Adequacy Assessment
Controller is responsible for assessing whether data transfers to the United States comply with applicable law, including any adequacy decisions or supplementary measures required under GDPR or other applicable regulations.
14. Data Deletion and Return
Upon termination of services or at Controller's request, Processor will manage personal data as follows:
14.1 Deletion Timeline
All personal data will be deleted or returned within 30 days of termination or deletion request. Controller may request deletion before this deadline. Processor will retain no backup copies except as required by law.
14.2 Deletion Certification
Upon completion of deletion, Processor will provide Controller with written certification that all personal data has been securely deleted or destroyed. Certification will include details of deletion methodology and timing.
14.3 Legal Retention Requirements
Notwithstanding deletion requests, Processor may retain personal data where required by applicable law (such as tax, accounting, or regulatory requirements). Processor will restrict processing of such retained data to the minimum necessary for legal compliance.
14.4 Data Portability
Prior to deletion, Controller may request personal data in a portable format (such as CSV or JSON). Processor will provide data in a standard, structured, machine-readable format within 10 business days of the request.
15. Audit and Compliance Rights
Processor grants Controller certain audit rights to verify compliance with this DPA:
15.1 Information Provision
Processor will make available to Controller all information necessary to demonstrate compliance with this DPA, including security documentation, processing logs, and Sub-processor agreements (subject to confidentiality obligations).
15.2 Audit Inspections
Upon reasonable notice (minimum 15 business days), Processor will allow Controller or Controller's independent auditor to conduct audits or inspections of relevant systems, facilities, and processing activities. Audits will occur no more frequently than once per calendar year unless required by law or following a security incident.
15.3 Audit Reports
Controller or Controller's auditor will provide a written report of any audit findings. Processor will have an opportunity to review and comment on the report prior to final submission. Any audit findings will be treated as confidential information.
15.4 Remediation
If an audit identifies compliance gaps or security deficiencies, Processor will provide a remediation plan and timeline. Processor will cooperate with Controller to address any compliance issues promptly.
15.5 Third-Party Certifications
Processor maintains security certifications and compliance assessments (such as SOC 2) for Sub-processors and will share relevant audit reports or certification summaries with Controller upon reasonable request.
16. Liability and Indemnification
The liability provisions in this DPA are subject to the limitations contained in the primary service agreement between Controller and Processor.
16.1 Processor Liability
Processor is liable for damages arising from violations of this DPA to the extent permitted by law. Processor's total liability for any breach of this DPA is limited to the amounts specified in the primary service agreement.
16.2 Joint and Several Liability
Where Processor and a Sub-processor are jointly liable for damages to a data subject, liability allocation will be determined according to applicable law and contractual responsibility. Processor will cooperate with Controller to pursue Sub-processor liability for breaches caused by Sub-processor conduct.
16.3 Indemnification
Processor will indemnify and defend Controller against third-party claims arising from Processor's violation of this DPA, subject to the limitations in the primary service agreement. Processor will not indemnify for claims arising from Controller's misuse of the service or violation of Controller's own obligations.
16.4 Limitation of Liability
Except for liability arising from gross negligence, willful misconduct, or criminal conduct, neither party is liable for indirect, incidental, consequential, or punitive damages. Liability limitations do not apply to either party's indemnification obligations or to claims by data subjects.
17. CCPA and California Privacy Law Provisions
This section applies to the extent Processor or Controller is subject to the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA). These provisions are in addition to the DPA terms above.
17.1 Service Provider Obligations
To the extent Processor is a "Service Provider" under CCPA, Processor certifies that it:
- Will process personal information solely for the business purposes specified
- Will not sell, share, or retain personal information for any other purpose
- Will not combine personal information from different sources unless authorized by Controller
- Will certify understanding of these restrictions and will comply with CCPA Section 1641(w)
17.2 Consumer Rights Assistance
Processor will assist Controller in responding to consumer requests for access, deletion, correction, and opt-out rights under CCPA/CPRA. Processor will provide requested personal information in portable format within the timeframes required by law.
17.3 Sensitive Personal Information
Processor acknowledges that some personal data processed may constitute "sensitive personal information" under CCPA/CPRA (such as health data, financial account information, or precise geolocation). Processor will protect sensitive personal information with enhanced security measures and will not process it except as necessary for the specified business purposes.
17.4 Opt-Out of Sale/Sharing
Processor does not sell or share personal information in the manner regulated by CCPA. To the extent Controller or data subjects wish to opt out of any processing not necessary for the service, Controller should contact Processor at legal@mypepper.io.
17.5 Non-Discrimination
Processor will not discriminate against data subjects for exercising their CCPA/CPRA rights, including denying services, charging higher prices, or providing different service levels.
17.6 Automated Decision-Making Disclosure
Controller acknowledges that Pepper uses automated decision-making (artificial intelligence) to classify emails, prioritize messages, and generate drafts. Controller is responsible for notifying data subjects of this automated processing and obtaining necessary consents.
18. GDPR Compliance (where applicable)
Although Pepper is designed for US-only customers, Processor recognizes that some customers or data subjects may be located in the European Economic Area. This section applies to the extent GDPR applies to processing by Processor.
18.1 Article 28 Compliance
This DPA is intended to comply with GDPR Article 28 requirements for Data Processing Agreements between controllers and processors. Processor agrees to be bound by the same obligations of confidentiality and security as required under GDPR.
18.2 Standard Contractual Clauses
For transfers of personal data from the EEA to the United States, the parties may incorporate the Standard Contractual Clauses (Module One: Controller-to-Processor) approved by the European Commission. Upon request, Processor will provide executed SCCs compliant with GDPR Article 46.
18.3 Data Subject Rights
Processor will facilitate data subject exercise of rights under GDPR Articles 15-22, including right to access, rectification, erasure, restriction, portability, and objection.
18.4 Data Protection Impact Assessment
Processor will cooperate with Controller in conducting Data Protection Impact Assessments (DPIA) as required under GDPR Article 35 and will provide information necessary for Controller's DPIA.
18.5 Regulatory Cooperation
Processor will cooperate with supervisory authorities (such as data protection authorities) and provide information or assistance as required by GDPR and applicable EU regulations.
19. Google API Services User Data Policy Compliance
Processor acknowledges that the Pepper service integrates with Google APIs (Gmail, Google Calendar) and commits to compliance with the Google API Services User Data Policy:
19.1 Limited Use of Data
Processor will access, process, and use data from Google APIs only for purposes expressly stated to users and Controller, specifically: email classification, draft generation, and scheduling optimization. Processor will not use Google API data for advertising, marketing, or any other secondary purposes.
19.2 Data Security
Processor implements comprehensive security measures for Google API data, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and regular security assessments.
19.3 User Control
Users (data subjects) maintain full control over Google API data through their Google account settings. Users may revoke Processor's access to Gmail and Google Calendar at any time through Google Account settings.
19.4 Transparency
Processor discloses its use of Google APIs and the data processed through them in Processor's Privacy Policy and this DPA. Users are informed during OAuth authentication of the specific data Processor will access.
19.5 Retention Limitations
Email content retrieved from Gmail is processed transiently and not permanently stored by Processor. Only non-reconstructible semantic embeddings and email metadata are retained. Upon account deletion, all data is permanently erased within 30 days.
20. Term and Termination
This DPA takes effect on the Effective Date and continues for the duration of the customer's use of the Pepper service.
20.1 Termination
This DPA terminates automatically upon termination of the customer service agreement or upon deletion of the customer's account.
20.2 Post-Termination Obligations
Upon termination, Processor will comply with data deletion obligations outlined in Section 14. Processor's confidentiality obligations survive termination indefinitely.
21. Amendment and Updates
Processor may update this DPA to reflect changes in applicable law, technology, or security practices. Material changes will be communicated to existing customers at least 30 days in advance. Continued use of the service following notice constitutes acceptance of updated terms.
22. Contact Information
For questions about this Data Processing Agreement, requests related to data subject rights, or to report a data breach or security concern:
Legal Contact: legal@mypepper.io
Organization: Fieldcrest Ventures LLC
Service: Pepper AI Executive Assistant
Last Updated: February 1, 2026
This Data Processing Agreement is effective for all Pepper accounts created on or after the Effective Date. Existing customers are encouraged to review and accept this DPA to ensure full compliance with applicable privacy laws.