Data Processing Addendum (DPA)

Last Updated: April 20, 2026

This Data Processing Addendum (“DPA”) is entered into between Subcraft.ai, Inc., a Delaware corporation with its principal place of business at 3654 Thornton Ave, #720, Fremont, CA 94536 (“Subcraft,” “Processor”), and the Customer identified in the applicable Order Form or Services agreement (“Customer,” “Controller”). It is incorporated into and forms part of Subcraft’s Terms & Conditions and Privacy Policy, and governs the parties’ respective rights and obligations regarding the processing of Personal Data in connection with the Services.

1. Definitions

  • Personal Data: Information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • Controller: The entity that determines the purposes and means of Processing (Customer).
  • Processor: The entity that Processes Personal Data on behalf of the Controller (Subcraft).
  • Subprocessor: A third party engaged by Subcraft to Process Personal Data.
  • Data Protection Laws: All laws applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable state, federal, or international privacy laws.
  • Standard Contractual Clauses (SCCs): The clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914.

2. Roles of the Parties

Customer is the Controller of Personal Data submitted to the Services. Subcraft acts as the Processor of such Personal Data on Customer’s behalf. Where Subcraft processes data for its own business purposes (e.g., billing, product analytics of account administrators), Subcraft acts as an independent Controller and Processing is governed by Subcraft’s Privacy Policy, not this DPA.

3. Subcraft Obligations

Subcraft will:

  • Process Personal Data only in accordance with Customer’s documented instructions, including as set out in this DPA and the Services agreement.
  • Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Exhibit B.
  • Notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
  • Assist Customer, taking into account the nature of the Processing, in responding to data subject rights requests.
  • Assist Customer in complying with its obligations under Data Protection Laws regarding security, breach notifications, data protection impact assessments, and prior consultations with supervisory authorities.
  • Delete or return all Customer Personal Data on termination of the Services, unless continued retention is required by applicable law.

4. AI and Model Training

Subcraft uses Customer Personal Data to operate AI and machine-learning models that power retry and recovery features of the Services. Subcraft will not use end-customer Personal Data to train third-party or general-purpose foundation models. Subcraft may use aggregated or de-identified data — which cannot reasonably be used to identify any individual — to improve Subcraft’s own models and Services.

5. Subprocessors

  • Customer grants Subcraft general authorization to engage Subprocessors to perform specific Processing activities on Customer’s behalf, subject to the terms of this Section.
  • Subcraft maintains a current list of Subprocessors at subcraft.ai/subprocessors.
  • Subcraft will provide at least 30 days’ prior notice of any intended addition or replacement of a Subprocessor (via the subprocessor page, RSS feed, or email). Customer may object on reasonable data-protection grounds during that notice period.
  • Subcraft enters into written agreements with each Subprocessor imposing data-protection obligations no less protective than those in this DPA and remains liable for the acts and omissions of its Subprocessors.

6. Data Security

Subcraft implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure, as described in Exhibit B. Customer remains responsible for the security of its own systems, credentials, and end-user accounts.

7. International Data Transfers

Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not deemed adequate by the relevant regulator, the parties agree that such transfers are governed by:

  • The EU Standard Contractual Clauses, Module Two (Controller to Processor), which are incorporated into this DPA by reference;
  • The UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, for transfers subject to UK GDPR; and
  • The Swiss addendum referencing the Swiss Federal Data Protection and Information Commissioner, for transfers subject to Swiss data-protection law.

Customer authorizes such transfers, subject to the protections above.

8. Data Subject Rights

Subcraft will, without undue delay, notify Customer of any request received directly from a data subject concerning Customer Personal Data and will not respond to the request itself except on Customer’s documented instruction or as required by law. Subcraft will provide reasonable assistance to enable Customer to respond to data subject requests.

9. Audits

Subcraft will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports and certifications (where available). Customer may, on reasonable prior notice and no more than once per year (except as required by a supervisory authority or following a Personal Data Breach), conduct an audit of Subcraft’s Processing activities at Customer’s expense, provided such audit does not unreasonably disrupt Subcraft’s operations and is subject to confidentiality obligations.

10. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Services agreement or Terms & Conditions between the parties.

11. Term and Termination

This DPA remains in effect for as long as Subcraft Processes Customer Personal Data. Obligations that by their nature should survive termination (including confidentiality, liability, and return/deletion of Personal Data) will so survive.

12. Governing Law

This DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles, except where Data Protection Laws require the application of other law.


Exhibit A — Processing Details

Item | Description
Subject matter | Processing of end-user payment-related metadata for revenue recovery.
Duration | For the term of Customer’s use of the Services.
Nature and purpose | AI-powered smart retries, automated customer messaging, analytics, and recovery insights.
Categories of data subjects | Customer’s end customers (subscribers and users).
Categories of Personal Data | Transaction identifiers, billing metadata, subscription status, payment-decline codes, and communication preferences. No payment card data is retained.
Special categories of data | None.
Frequency of transfer | Continuous, as data is submitted via the Services.
Retention period | For the duration of the Services. Deleted or returned on termination per Section 3.

Exhibit B — Technical and Organizational Measures (TOMs)

Subcraft implements the following measures, which may be updated from time to time provided the overall level of protection is not reduced:

  • Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using industry-standard algorithms.
  • Access control. Access to Personal Data is restricted to personnel who require it to perform their duties. Role-based access controls, least-privilege principles, and multi-factor authentication are enforced for administrative access.
  • Network security. Production environments are isolated from development and corporate networks. Firewalls, private networks, and identity-aware proxies are used to control traffic.
  • Logging and monitoring. Access to production systems and Personal Data is logged and monitored for anomalies. Logs are retained for investigative purposes.
  • Backups. Regular, encrypted backups are maintained with documented restore procedures.
  • Personnel. Personnel with access to Personal Data are subject to confidentiality obligations and receive appropriate security and privacy training.
  • Vendor management. Subprocessors are evaluated for security and data-protection posture before engagement and bound by written contractual obligations.
  • Incident response. Subcraft maintains a documented incident-response plan covering detection, containment, notification, and remediation of security events.
  • Secure development. Changes to production systems follow code review and automated testing; secrets are managed through a centralized secrets manager.

Exhibit C — Subprocessors

A current list of Subprocessors is maintained at subcraft.ai/subprocessors. As of the Last Updated date above, Subcraft engages the following Subprocessors:

Subprocessor | Service provided | Data processed | Location
Google Cloud Platform (Google LLC) | Cloud hosting, managed database, authentication (Firebase/GCIP), secrets management, logging, and related infrastructure | All Customer Personal Data submitted to the Services | United States

Contact

For questions regarding this DPA, contact:

Subcraft.ai, Inc.
3654 Thornton Ave, #720
Fremont, CA 94536
Telephone: 408-762-4310
Email: privacy@subcraft.ai