0. Preamble
Draft DPA: This Data Processing Agreement is provided as a reasonable default template. Before relying on it for an enterprise customer in a regulated industry, have it reviewed by qualified counsel familiar with GDPR, UK GDPR, and your jurisdiction.
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement (“Agreement”) between Sovereign (“Processor”) and the customer identified in the Agreement (“Controller”) for the provision of services (“Services”). It reflects the parties' agreement on the processing of Personal Data, as defined below, in connection with applicable data protection laws.
1. Definitions
- Applicable Lawmeans the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), and any other data protection or privacy laws applicable to the Processor's processing of Personal Data on behalf of the Controller.
- Personal Data means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Services.
- Data Subjectmeans the identified or identifiable natural person to whom Personal Data relates (typically Controller's end-customers, employees, and leads).
- Sub-processor means any third party engaged by Processor to process Personal Data on behalf of Controller.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Other capitalized terms not defined here have the meanings given in Applicable Law.
2. Subject Matter and Duration
Subject matter: The processing of Personal Data necessary for Processor to provide the Services described in the Agreement, including AI-powered marketing automation, lead capture, customer relationship management, communications (email, SMS, voice), reporting, and related functionality.
Duration: Processing continues for the term of the Agreement and any post-termination period required for export, return, or deletion of Personal Data, as set out in Section 8.
Categories of Data Subjects: Controller's end-customers and prospects, Controller's employees and contractors who use the Services, and individuals identified in marketing or communications content uploaded by Controller.
Categories of Personal Data: Names, email addresses, phone numbers, postal addresses, business identifiers, communications content, service history, IP addresses, device identifiers, usage data, and any other Personal Data submitted to the Services by Controller or Data Subjects.
3. Nature and Purpose of Processing
Processor processes Personal Data solely for the purposes of:
- Providing, maintaining, and improving the Services;
- Generating AI-derived outputs (e.g., chatbot responses, content, lead scores, follow-up recommendations) on behalf of Controller;
- Sending communications (email, SMS, voice) to Data Subjects on Controller's instructions;
- Operating analytics, reporting, and fraud-prevention functions necessary for the Services;
- Complying with Processor's legal obligations and the documented instructions of Controller.
Processor will not process Personal Data for any purpose other than the performance of the Services and the documented instructions of Controller, unless required by Applicable Law (in which case Processor will inform Controller before processing, unless prohibited from doing so).
4. Sub-processors
Controller authorizes Processor to engage the sub-processors listed below for processing of Personal Data in connection with the Services. Processor will impose contractual obligations on each sub-processor that are no less protective than those set out in this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting, edge compute, CDN | US (multi-region) |
| Neon Inc. | Managed PostgreSQL database | US |
| Stripe, Inc. | Payment processing, billing | US/EU/UK |
| Resend (Plus Five Five, Inc.) | Transactional and marketing email delivery (primary) | US |
| Twilio Inc. (SendGrid) | Email delivery (fallback provider) | US |
| Twilio Inc. | Voice calls and SMS messaging | US |
| Anthropic PBC | Large language model inference (Claude) | US |
| Groq, Inc. | Low-latency model inference (optional fallback) | US |
| Google LLC | Google Business Profile, Maps, Search Console, Gemini inference (when enabled by Controller) | US |
| Meta Platforms, Inc. | Facebook / Instagram advertising and Messenger integration (when enabled by Controller) | US |
Processor will provide Controller with at least 30 days' advance notice (by email or in-product notification) of any addition or replacement of a sub-processor. Controller may object to such a change on reasonable data-protection grounds within that period; if the parties cannot agree on a resolution, Controller may terminate the affected portion of the Services.
5. Security Measures
Processor implements and maintains appropriate technical and organizational measures designed to protect Personal Data against a Personal Data Breach, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256-GCM for high-sensitivity fields such as phone numbers, email addresses, and physical addresses).
- Access controls: role-based access to production systems with least-privilege defaults, short-lived session tokens, and multi-factor authentication for administrators.
- Network segmentation, web application firewall, automated dependency vulnerability scanning, and rate-limiting on public endpoints.
- Centralized logging and error monitoring (Sentry) with alerting for anomalous events.
- Secrets management via environment-segregated configuration; no secrets stored in source control.
- Regular automated backups with point-in-time recovery (Neon PITR); backup verification job runs daily.
- Documented incident-response procedures; security awareness for personnel with access to Personal Data.
Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's Personal Data, providing the information required by Applicable Law.
6. Data Subject Rights
Processor will assist Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to Data Subject requests under Applicable Law, including rights of:
- Access (Article 15 GDPR);
- Rectification (Article 16);
- Erasure / “right to be forgotten” (Article 17);
- Restriction of processing (Article 18);
- Data portability (Article 20);
- Objection (Article 21);
- Equivalent rights under CCPA/CPRA, UK GDPR, and other Applicable Law.
Controller may exercise these rights on behalf of Data Subjects through self-service tooling provided in the Services (Dashboard > Settings > Privacy & Data) or by contacting privacy@trysovereignai.com. Where a Data Subject contacts Processor directly, Processor will forward the request to Controller without undue delay and not respond itself unless authorized to do so by Controller.
Self-service endpoints currently available to Controller include POST /api/account/export (data export) and POST /api/account/delete-request (deletion with 30-day grace period).
7. International Data Transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two: Controller-to-Processor) approved by the European Commission on 4 June 2021 (and the UK International Data Transfer Addendum where applicable) are incorporated into this DPA by reference and apply to such transfers.
8. Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, Processor will, at Controller's choice, return or delete all Personal Data processed on Controller's behalf within 90 days, unless retention is required by Applicable Law. Controller may also request deletion at any time during the term using the self-service deletion endpoint; Personal Data is soft-deleted immediately and hard-deleted after a 30-day grace period.
9. Audits
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including SOC-equivalent control summaries, sub-processor lists, and security documentation. Where required by Applicable Law, Processor will allow for and contribute to audits, including inspections, conducted by Controller or an independent auditor mandated by Controller, subject to reasonable confidentiality, scheduling, and cost-recovery terms.
10. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability to the extent such limitation is prohibited by Applicable Law.
11. Miscellaneous
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter herein. This DPA is governed by the same governing law as the Agreement, except where Applicable Law requires otherwise (e.g., GDPR Article 28 mandatory terms).
Questions about this DPA should be directed to privacy@trysovereignai.com.