Data Processing Agreement

How we process and protect your business data in compliance with data protection laws

Last updated: August 13, 2025

Agreement Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and Jetson ("Processor," "we," "us") regarding the processing of personal data in connection with our customer support analysis services.

This DPA ensures compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Roles and Responsibilities

You (Data Controller)
  • Determine purposes and means of processing
  • Ensure lawful basis for data processing
  • Provide clear instructions to Jetson
  • Respond to data subject requests
  • Notify us of any data breaches
  • Conduct Data Protection Impact Assessments

Jetson (Data Processor)
  • Process data only on your instructions
  • Implement appropriate security measures
  • Assist with data subject rights requests
  • Notify you of any data breaches
  • Delete or return data upon termination
  • Maintain records of processing activities

Categories of Data Processed

Personal Data Categories

Customer Support Data

  • Customer names and contact information
  • Email addresses and phone numbers
  • Support ticket content and communications
  • Customer account identifiers

Technical Data

  • IP addresses and device information
  • Browser and system identifiers
  • Usage patterns and timestamps
  • Performance and error data

Data Subjects

  • Your customers who contact your support team
  • Your employees who use your support systems
  • Third parties mentioned in support conversations
  • Users of your products or services seeking assistance

Processing Activities

Purposes of Processing

  • Analysis: Automated classification of support conversations
  • Insights Generation: Pattern recognition and trend analysis
  • Reporting: Dashboard analytics and performance metrics
  • Integration: Connecting with GitHub and other business tools
  • Service Provision: Platform functionality and user support

Processing Operations

Automated Processing

  • Collection and ingestion
  • Automated analysis
  • Classification and tagging
  • Statistical aggregation

Data Management

  • Storage and organization
  • Access control and retrieval
  • Export and portability
  • Deletion and destruction

Technical and Organizational Measures

Security Measures

Technical Safeguards

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Multi-factor authentication
  • Regular security updates
  • Intrusion detection systems

Organizational Controls

  • Role-based access control
  • Employee security training
  • Incident response procedures
  • Regular security audits
  • Vendor risk management

Data Minimization

  • We process only data necessary for the specified purposes
  • Automated data retention policies ensure timely deletion
  • Personal identifiers are pseudonymized where possible
  • Data aggregation techniques protect individual privacy

Access Controls

  • Strict need-to-know basis for employee access
  • All access is logged and monitored
  • Regular access reviews and certification
  • Automated access revocation upon role changes

Sub-processors

We engage third-party sub-processors to provide our services. All sub-processors are contractually bound to maintain the same level of data protection as outlined in this DPA.

Current Sub-processors

  • OpenAI: Processing and analysis services (United States)
  • Amazon Web Services: Cloud infrastructure and storage (United States)
  • Stripe: Payment processing services (United States)

Sub-processor Changes: We will provide 30 days' notice before adding new sub-processors. You may object to any new sub-processor within this notice period.

International Data Transfers

Transfer Safeguards

  • Standard Contractual Clauses (SCCs): EU-approved transfer mechanism
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Additional Safeguards: Supplementary measures for enhanced protection
  • Regular Assessments: Ongoing evaluation of transfer risk and adequacy

Primary Processing Locations

  • European Union: GDPR-compliant processing within EU borders
  • United States: Protected by SCCs and additional security measures
  • Data Residency Options: Available for enterprise customers upon request

Data Subject Rights Support

We will assist you in fulfilling data subject rights requests within applicable legal timeframes:

Rights We Support

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Our Response Process

  • Acknowledge receipt within 24 hours
  • Identify relevant data within 72 hours
  • Execute request within 30 days
  • Provide status updates throughout
  • Document all actions taken

Data Breach Procedures

Incident Response

  1. Detection: Automated monitoring and manual security reviews
  2. Assessment: Evaluate scope, impact, and risk level within 2 hours
  3. Containment: Immediate steps to prevent further unauthorized access
  4. Notification: Notify affected customers within 24 hours of discovery
  5. Investigation: Thorough analysis of root cause and impact
  6. Remediation: Implement fixes and enhanced security measures

Notification Requirements

  • Customer Notification: Within 24 hours via email and account notification
  • Regulatory Notification: We assist with supervisory authority reporting
  • Data Subject Notification: When required, we help communicate to affected individuals
  • Documentation: Detailed incident reports and response actions

Data Retention and Deletion

Retention Periods

  • Customer Support Data: As long as your account is active
  • Analytics and Logs: Maximum 2 years
  • Backup Data: Maximum 90 days
  • Legal Hold Data: Until legal requirements expire

Secure Deletion

  • Cryptographic Erasure: Encryption keys destroyed to render data unreadable
  • Physical Destruction: Secure wiping of storage media according to NIST standards
  • Verification: Confirmation of successful deletion provided upon request
  • Backup Purging: Systematic removal from all backup systems

Audit and Compliance

Audit Rights

  • You may request audit information annually or upon reasonable cause
  • We provide SOC 2 Type II reports and relevant certifications
  • Third-party audits available for enterprise customers
  • Compliance documentation available through our security portal

Certifications and Standards

  • ISO 27001: Information Security Management certification
  • SOC 2 Type II: Security, availability, and confidentiality controls
  • GDPR Compliance: Regular assessment and validation
  • Industry Standards: Adherence to security frameworks and best practices

Termination and Data Return

Upon Service Termination

  1. Grace Period: 90-day period for data export and account reactivation
  2. Data Export: Self-service tools available for complete data download
  3. Data Return: Alternative secure transfer methods upon request
  4. Secure Deletion: Permanent deletion after grace period expires
  5. Confirmation: Certificate of deletion provided upon completion

Emergency Data Return

  • Available for urgent business needs or legal requirements
  • Processed within 48 hours of verified request
  • May incur additional service fees for expedited handling
  • Secure transfer via encrypted channels

Contact and Escalation

Data Protection Office

Email: [email protected]
Response time: Within 72 hours
For: GDPR requests, privacy questions, data breaches

Legal and Compliance

Email: [email protected]
Response time: Within 5 business days
For: DPA questions, audit requests, legal matters

Enterprise Customers: Dedicated account managers and expedited response times available. Contact your account manager for specialized data processing requirements.

Agreement Updates

This Data Processing Agreement may be updated to reflect changes in applicable laws, regulations, or our processing practices. Material changes will be communicated at least 60 days in advance. Continued use of our services constitutes acceptance of the updated DPA.

This DPA supplements and forms an integral part of our Terms of Service. In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.