Data Processing Agreement
Last updated: April 2026 · OpenSassy
This Data Processing Agreement ("DPA") forms part of the Terms of Service between OpenSassy ("Processor") and you, the customer ("Controller"). It governs how we process personal data on your behalf under UK GDPR Article 28.
1. Definitions
Controller: You, the customer — the entity that determines the purposes and means of processing personal data (your clients' data, staff data).
Processor: OpenSassy — processing personal data on your behalf to provide the platform.
Personal Data: Any information relating to an identified or identifiable natural person as defined by UK GDPR.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
2. Subject matter and nature of processing
Subject matter: Provision of the OpenSassy AI business management platform.
Nature: Storage, retrieval, analysis, and display of business operational data.
Purpose: To provide the services described in the Terms of Service.
Duration: For the term of the subscription and 30 days following cancellation.
Types of personal data: Client names, contact details, appointment history, payment records, staff details, payroll data.
Categories of data subjects: Your clients, staff, and any individuals whose data you input into the platform.
3. Processor obligations
OpenSassy agrees to:
- Process personal data only on documented instructions from you (the Controller)
- Ensure persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (Article 32)
- Assist you in responding to data subject rights requests
- Delete or return all personal data within 30 days of contract termination
- Provide all information necessary to demonstrate compliance with this DPA
- Notify you without undue delay (within 72 hours where feasible) if a personal data breach occurs
4. Sub-processors
We use the following approved sub-processors. We will provide 30 days' notice before adding new sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, data storage | UK (London) |
| Stripe | Payment processing | EEA/UK |
| Anthropic | AI response generation (transient) | USA — SCCs in place |
| xAI (Grok) | AI response generation (transient) | USA — SCCs in place |
| Google DeepMind (Gemini) | AI voice & multimodal (transient) | EEA/UK |
5. Security measures
- AES-256 encryption at rest; TLS 1.2+ in transit
- Access controls and role-based permissions
- Regular automated backups with point-in-time recovery
- Vulnerability scanning and dependency auditing
- UK data residency (Google Cloud London region)
6. Controller obligations
As Controller, you are responsible for:
- Ensuring you have a lawful basis to collect and input personal data into OpenSassy
- Providing required privacy notices to your clients and staff
- Responding to data subject rights requests (we will assist you)
- Ensuring the personal data you provide is accurate
7. Contact
Data protection enquiries: hello@the-sassy.com