Data Processing Agreement

Provider (Data Processor): GigaCarp, LLC

Customer (Data Controller): As identified in the associated Terms of Service Order

Effective Date: 2026-04-15

Draft notice: This DPA is adapted from the Common Paper DPA Addendum (commonpaper.com/standards/data-processing-addendum/) and incorporates Bonterms template language (bonterms.com). It is intended to satisfy GDPR Article 28 (processor requirements) and to be attached by reference to the Terms of Service. Sections marked [VERIFY] should be cross-checked against the current Common Paper DPA template before publishing.

1. Relationship of the Parties

This Data Processing Agreement ("DPA") supplements the Terms of Service between GigaCarp, LLC ("Provider") and the Customer named in an Order ("Customer") and is incorporated into those Terms by reference.

Under this DPA:

Customer is the data controller of Personal Data in Customer's HubSpot CRM records.
Provider is the data processor, processing Personal Data only on Customer's documented instructions.

Where Provider processes Personal Data for its own purposes (e.g., billing records, security logs), Provider acts as an independent controller; such processing is described in the Privacy Policy, not this DPA.

2. Definitions

Term	Meaning
GDPR	EU General Data Protection Regulation 2016/679.
Personal Data	Any information relating to an identified or identifiable natural person, as defined in the GDPR.
Processing	Any operation performed on Personal Data, as defined in the GDPR.
Data Subject	The natural person to whom Personal Data relates.
Sub-Processor	A third party engaged by Provider to process Personal Data on Customer's behalf.
Security Incident	A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
SCCs	The Standard Contractual Clauses adopted by European Commission Decision 2021/914 of 4 June 2021.

3. Scope of Processing

3.1 Subject Matter

Provider processes Personal Data to deliver the Services (Redactify, Delete, Dedupify) as described in the Terms of Service.

3.2 Nature and Purpose of Processing

Service	Processing Activities	Purpose
Redactify	Read engagement records (including email body content via `sales-email-read` scope); detect pattern matches; overwrite matched fields or archive records; write audit log entries (field names, pattern names, timestamps — not original content)	Automated sensitive-data redaction per Customer configuration
Delete	Read CRM object properties; permanently delete or GDPR-delete specified records	Bulk and GDPR-compliant CRM record deletion per Customer workflow
Dedupify	Read contact, company, and deal records; compare properties using matching rules; merge duplicate records using Customer-configured field preference rules	Duplicate detection and merging

3.3 Types of Personal Data

Personal Data processed by the Services includes any Personal Data present in Customer's HubSpot CRM, which may include: contact names, email addresses, phone numbers, company affiliations, deal values, engagement records (notes, emails, calls, meetings), and any custom properties or content Customer has entered into HubSpot.

The sensitivity of this data is determined by Customer's own CRM practices. Provider applies the same processing controls regardless of the sensitivity classification.

3.4 Categories of Data Subjects

Data subjects whose Personal Data is processed include Customer's contacts, leads, customers, partners, or any natural persons whose information appears in Customer's HubSpot CRM.

3.5 Duration

Processing continues for the duration of the active subscription. On subscription cancellation, Provider ceases processing and deletes Personal Data within 30 days per the retention policy in the Privacy Policy.

4. Provider's Obligations (GDPR Article 28)

Provider agrees to:

Process only on documented instructions. Process Personal Data only on Customer's documented instructions as expressed through the Service configuration, workflow triggers, and this DPA. Provider will not process Personal Data for any other purpose, including its own commercial purposes, without Customer's prior written consent.
Confidentiality. Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
Security. Implement appropriate technical and organizational measures as described in Section 7 of this DPA, taking into account the state of the art, costs, and nature of processing, to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Sub-processors. Engage Sub-Processors only with Customer's prior consent (general consent granted for Sub-Processors listed in Section 6; specific consent required for new additions), and impose equivalent data protection obligations on Sub-Processors.
Data subject rights. Assist Customer in responding to requests from Data Subjects exercising rights under the GDPR, to the extent Provider is technically able to do so.
DPIAs and consultations. Assist Customer in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation) taking into account the nature of processing and information available to Provider.
Deletion or return. On Customer's request or on termination, delete or return all Personal Data and delete existing copies, unless applicable law requires retention.
Audit cooperation. Make available to Customer all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits or inspections conducted by Customer or a mandated auditor, with reasonable notice.
Notification of unlawful instructions. Immediately notify Customer if, in Provider's opinion, an instruction infringes the GDPR or other applicable data protection law.

5. Customer's Obligations

Customer agrees to:

Ensure there is a lawful basis for Provider to process Personal Data on Customer's behalf.
Provide accurate and complete instructions through the Service configuration.
Ensure that Data Subjects have been informed of processing activities as required by law.
Not instruct Provider to process Personal Data in violation of applicable law.
Maintain responsibility for compliance with GDPR Article 13/14 notices to Data Subjects.

6. Sub-Processors

Customer grants general authorization to use the following Sub-Processors, who are subject to equivalent data protection obligations:

Sub-Processor	Service Provided	Data Processed	Location	DPA / Addendum Link
Google LLC (Google Cloud Platform)	Cloud hosting, Firestore database, Cloud Run compute, Pub/Sub messaging, Secret Manager	All categories of Customer Personal Data transiting or stored in Provider's systems	USA (us-central1)	`cloud.google.com/terms/data-processing-addendum`
Stripe, Inc.	Subscription and payment processing	Billing email address, subscription metadata (no CRM Personal Data)	USA	`stripe.com/legal/dpa`

Provider will notify Customer at least 14 days before adding a new Sub-Processor by updating this DPA and posting notice at orangemage.ai/legal/dpa. Customer may object to a new Sub-Processor within 14 days of notice; if the objection cannot be resolved, Customer may terminate the affected Service without penalty.

7. Security Measures (Technical and Organizational)

Provider implements the following measures, consistent with GDPR Article 32:

7.1 Data in Transit

All communication between Customer's browser/HubSpot and Provider's infrastructure uses TLS 1.2 or higher.
All communication between Provider's internal services uses OIDC-authenticated channels on GCP.

7.2 Data at Rest

Firestore data is encrypted at rest using AES-256 (Google-managed encryption keys).
Application secrets (OAuth client credentials) are stored in GCP Secret Manager with access restricted to service accounts with least-privilege IAM roles.

7.3 Access Controls

Production systems are accessible only to authorized service accounts.
Human access to production Firestore is restricted to the Provider principal (Alex Carpenter) and requires GCP identity authentication.
No third-party support contractors have standing access to production data.

7.4 Incident Response

Provider monitors application error rates via GCP Cloud Logging.
On detection of a Security Incident affecting Personal Data, Provider will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
Notification will include: nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

7.5 Data Minimization

Redactify processes engagement content in memory and does not persist the original text of engagement records. Only metadata (field names, pattern names, timestamps) is written to the audit log.
CRM records fetched by Delete and Dedupify are read, processed, and not retained beyond the processing operation.

8. International Data Transfers

8.1 Transfer Mechanism

Provider's infrastructure is in the United States. Where Customer is based in the EEA, UK, or Switzerland, the transfer of Personal Data from Customer (EEA controller) to Provider (US processor) is governed by the Standard Contractual Clauses (SCCs) adopted under Commission Decision 2021/914 (EU), specifically Module 2 (Controller-to-Processor). The SCCs are incorporated by reference into this DPA.

The SCCs are available at: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914

8.2 UK GDPR

For transfers from the UK, the International Data Transfer Addendum to the EU SCCs (Version B1.0, March 2022, issued by the Information Commissioner's Office) applies.

8.3 Sub-Processor Transfers

Provider's Sub-Processors (Google Cloud, Stripe) have their own SCC-based transfer mechanisms. See the DPA links in Section 6 for details.

9. Data Subject Rights Assistance

On Customer's written request, Provider will:

Provide Customer with a copy of Personal Data held in Provider's systems for a specific Data Subject.
Delete a specific Data Subject's data from Provider's systems (audit logs, usage records, configuration data keyed to records referencing that Data Subject).
Restrict processing of a specific Data Subject's data.

Provider will respond to such requests within 14 days. Provider may charge a reasonable fee for requests that are manifestly unfounded or excessive.

10. Return and Deletion of Data

On termination of the subscription or at Customer's written request, Provider will:

Delete all Personal Data in Provider's systems relating to Customer's portal within 30 days.
Provide written confirmation of deletion on request.

Deletion is permanent and irreversible. Provider cannot recover deleted data. Exceptions apply where retention is required by applicable law (e.g., Stripe billing records retained for financial reporting purposes).

11. Audit Rights

Customer may audit Provider's compliance with this DPA once per calendar year, on at least 30 days' written notice, during normal business hours. Provider will cooperate with such audits and provide access to relevant documentation. Audits will not include access to other customers' data.

As an alternative to a direct audit, Provider may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) if obtained. Provider has not obtained formal SOC 2, ISO 27001, or equivalent third-party certification at the time of this Agreement. Customers requiring audit assurance may proceed via the direct audit right set out above.

12. Limitation of Liability

The limitation of liability provisions in the Terms of Service apply to this DPA. Neither party excludes or limits liability for its obligations under the SCCs, which are governed separately by their own terms.

13. Governing Law

This DPA is governed by the laws of the State of Nebraska, consistent with Section 14 of the Terms of Service. Disputes are resolved by binding arbitration under Nebraska law per ToS §14.2.

The SCCs are governed by the law of the EU Member State in which the data exporter (Customer) is established (per Clause 17 of the 2021 SCCs). Where no Member State law applies, Irish law governs.

13.1 Notice Address

Legal notices regarding this DPA must be sent to:

GigaCarp, LLC
2105 S 122nd Ave
Omaha, NE 68144
United States
Attn: Privacy / privacy@orangemage.ai

14. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. The SCCs prevail over this DPA with respect to the subject matter of the SCCs.

15. Amendments

Provider may update this DPA by posting a revised version at orangemage.ai/legal/dpa. Material changes will be notified to Customer at least 30 days in advance via email. Changes required by law or regulator may take effect immediately, with concurrent notice to Customer.

Last Updated: 2026-04-15