Data Processing Addendum
Last updated: 16 June 2026 · Draft — to be reviewed by counsel before relying on it commercially.
1. Scope
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Controller”) and GovernOS (“Processor”). It applies to Personal Data that Controller submits to the Service.
2. Roles
Controller determines the purposes and means of processing. Processor processes Personal Data only on documented instructions from Controller, including transfers, except as required by law.
3. Subject matter, duration and nature
The subject matter is the provision of the Service. The duration is the term of the subscription plus a 30-day reasonable-recovery window. The nature is hosting, displaying, processing and transmitting governance records.
4. Categories of data subject
Controller’s personnel, directors, officers, beneficial owners, signatories, counterparties, board members and any other natural persons whose details Controller chooses to enter.
5. Categories of Personal Data
- Identification data (name, role, email, national identifiers where Controller chooses to record them)
- Address and contact data
- Authentication credentials (hashed only — bcrypt, never stored in plaintext)
- Activity logs (login times, IP, audit-trail records)
- Documents and metadata that Controller uploads
6. Sub-processors
Controller authorises Processor to engage the sub-processors listed below. Processor will provide at least 30 days’ notice of any addition or replacement. Controller may object on reasonable grounds.
| Sub-processor | Role | Location | Data scope |
|---|---|---|---|
| Neon | Managed Postgres — primary application data store | AWS us-east-2 (US) | All tenant data (entities, people, document metadata, billing records). |
| Vercel | Application hosting (compute, edge, CDN) | Global edge; primary in IAD (US) | Request/response payloads in-flight; no persistent customer data at rest. |
| Stripe | Payment processing (subscriptions, pay-per-event, invoicing) | US + EU | Customer billing email, plan, card-network token, charge amount and currency. |
| Resend | Transactional email (verification, reset, invoices, ops notices) | US | Recipient email, subject, message body of transactional emails. |
Subscribe to sub-processor notices: email legal@governos.co.
7. Security
Processor implements appropriate technical and organisational measures including: encryption in transit (TLS 1.2+), encryption at rest (provider-managed AES-256), per-tenant logical isolation, hashed credentials (bcrypt), audit logging with SHA-256 chain integrity, least-privilege access, and routine vulnerability monitoring. Detailed controls are summarised on the Security page.
8. International transfers
To the extent Personal Data is transferred outside the EEA, UK, Switzerland or other jurisdictions with adequacy decisions, the transfer relies on the Standard Contractual Clauses (Module 2 — controller to processor) or equivalent mechanism.
9. Sub-processor flow-down
Each sub-processor is bound by data protection obligations no less protective than those in this DPA, including security obligations and transfer safeguards.
10. Data subject rights
Processor assists Controller in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection). Controller may exercise self-service export and deletion at /settings/account; alternatively contact privacy@governos.co.
11. Breach notification
Processor will notify Controller without undue delay (target: within 48 hours) of becoming aware of a Personal Data Breach affecting Controller’s data and will provide information reasonably necessary for Controller’s own regulatory notification obligations.
12. Audit
Controller may, no more than once per 12 months and on at least 30 days’ written notice, request a copy of the most recent third-party security assessment (e.g. SOC 2 report once issued) and a written response to a reasonable security questionnaire.
13. Deletion or return
On termination, Controller may export its data via the self-service endpoint for up to 30 days. After 30 days Processor will delete or anonymise Personal Data, except where retention is required by law.
14. Liability and conflicts
The liability provisions of the Terms of Service apply to this DPA. In case of conflict between this DPA and the Terms regarding Personal Data, this DPA prevails.
15. Contact
Privacy contact: privacy@governos.co. Security contact: security@governos.co.