Data Processing Agreement
Last updated: March 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between AI Edge 247, LLC ("Processor," "we," "us") and you ("Controller," "Client") and governs the processing of personal data by AssistantAI on your behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, including email content, contact information, names, email addresses, phone numbers, and any other personal information contained within emails processed by the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, classification, analysis, AI processing, and deletion.
- "Data Controller" (you) means the entity that determines the purposes and means of processing Personal Data.
- "Data Processor" (us) means the entity that processes Personal Data on behalf of the Data Controller.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
2. Roles and Responsibilities
You are the Data Controller. You determine what data is processed by connecting your Gmail account and using the Service. You are responsible for ensuring you have a lawful basis for processing the personal data contained in your emails.
We are the Data Processor. We process personal data solely on your behalf and in accordance with your instructions (as given by your use of the Service) to provide email classification, AI draft generation, analytics, and related features.
We will:
- Process Personal Data only for the purposes of providing the Service as described in the Terms of Service
- Not process Personal Data for our own purposes, marketing, or data monetization
- Not sell, rent, or share Personal Data with third parties except as required to provide the Service (via Sub-processors listed below)
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Assist you in responding to data subject access requests to the extent reasonably practicable
3. Sub-processors
We use the following Sub-processors to provide the Service. By agreeing to these terms, you authorize the use of these Sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Anthropic | AI email classification and draft generation | Email content (subject, body, sender/recipient) | United States |
| Supabase | Database hosting and storage | All account and email data | US-West-2 (Oregon) |
| Vercel | Application hosting and serverless functions | Request data, API processing | US-East-1 (Virginia) |
| Stripe | Payment processing | Billing name, email, payment method | United States |
| Resend | Transactional email delivery | Recipient email, email content | United States |
| Google | Gmail API (email access per your OAuth authorization) | Email content as authorized | United States |
Key notes on Sub-processors:
- Anthropic: Email content is sent to Anthropic's Claude API for processing. Anthropic does not use API data for model training, does not retain data beyond the processing window, and processes data in accordance with their Privacy Policy.
- Supabase: Data is stored in PostgreSQL databases with encryption at rest and Row-Level Security (RLS) for tenant isolation.
- Google: We access Gmail data only within the scope you explicitly authorize via OAuth consent. You can revoke access at any time.
If we engage a new Sub-processor, we will update this list and notify affected clients via email at least 30 days before the new Sub-processor begins processing Personal Data. If you object to a new Sub-processor, you may terminate your subscription within 30 days of notification.
4. Data Location
All data processed and stored by AssistantAI resides within the United States:
- Primary database: Supabase — AWS US-West-2 (Oregon)
- Application hosting: Vercel — US-East-1 (Virginia)
- AI processing: Anthropic — United States
- Payment processing: Stripe — United States
We do not transfer Personal Data outside the United States. If this changes in the future, we will notify you and ensure appropriate safeguards are in place (such as Standard Contractual Clauses for EU data transfers).
5. Security Measures
We implement and maintain appropriate technical and organizational security measures to protect Personal Data, including:
- Encryption at rest: AES-256 encryption for database storage; AES-256-GCM for OAuth tokens
- Encryption in transit: TLS 1.3 for all data transmission between clients, servers, and Sub-processors
- Access controls: API key authentication for all endpoints; Row-Level Security on all database tables ensuring strict tenant isolation
- Audit logging: All system actions logged with timestamps and actor identification
- Rate limiting: Protection against brute-force and abuse on all public endpoints
- Minimal data access: No human access to client email content unless explicitly requested by the client for support purposes
- Regular security review: Ongoing assessment and hardening of security practices
For comprehensive security details, see our Security Practices page.
6. Data Breach Notification
In the event of a confirmed data breach affecting Personal Data:
- We will notify affected clients via email within 72 hours of discovering the breach.
- The notification will include: a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- We will cooperate with you in investigating the breach and mitigating its effects.
- We will maintain a record of all data breaches, including their effects and remediation actions taken.
7. Data Subject Rights
We will assist you in fulfilling data subject requests to the extent technically feasible and within a reasonable timeframe. This includes requests for:
- Access: Providing copies of personal data we hold
- Rectification: Correcting inaccurate personal data
- Erasure: Deleting personal data ("right to be forgotten")
- Portability: Providing personal data in a structured, machine-readable format
- Restriction: Limiting processing of personal data in certain circumstances
Submit data subject requests to cal@aiedge247.com. We will respond within 30 days.
8. Data Retention and Deletion
- Active accounts: Personal Data is retained for the duration of your subscription.
- Upon termination: All client data, including email content, voice profiles, contacts, and analytics, is permanently deleted within 30 days of account closure.
- Backup retention: Database backups that may contain Personal Data are retained for up to 7 days after deletion from the primary database, after which they are purged.
- Billing records: Basic account information (name, email, payment history) may be retained for up to 12 months after termination for legal and accounting purposes, as permitted under applicable law.
9. Audits
Upon reasonable written request (no more than once per year), we will provide you with information necessary to demonstrate compliance with this DPA. This may include a summary of our security practices, certifications, and relevant audit results.
Enterprise tier clients may request an on-site audit or independent third-party audit at their own expense, with at least 60 days' advance notice and subject to reasonable confidentiality protections.
10. International Data Transfers
Currently, all data processing occurs within the United States. If you are located outside the United States and are subject to data protection laws that restrict international data transfers (such as GDPR), please contact us to discuss appropriate transfer mechanisms before using the Service.
11. Term and Termination
This DPA is effective for the duration of your subscription to AssistantAI and terminates automatically when your account is closed. Our obligations regarding data deletion and breach notification survive termination.
12. Incorporation
This DPA is incorporated into and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data processing matters, this DPA shall prevail.
13. Contact
For questions about this DPA or data processing practices:
Cal Bosard
AI Edge 247, LLC
Phoenix, AZ
cal@aiedge247.com
(308) 249-6894