1. Parties
Data Controller: You, the registered user of Assay, acting in your personal or business capacity.
Data Processor: Goldseam AI Consulting Ltd, registered in England & Wales, company number 16896682 ("we", "us", "Assay").
2. Subject matter and duration
We process personal data on your behalf for the purpose of providing the Assay service: storing, displaying, and using contact data to generate outreach messages and maintain relationship records. This DPA applies for the duration of your use of Assay and until all personal data is deleted following account closure.
3. Nature and purpose of processing
We process contact data to:
Store and display contacts, grades, and outreach history in the app.
Generate personalised outreach message drafts using AI (Anthropic API).
Enrich contact data via third-party enrichment providers, where you have enabled that feature.
Execute background tasks related to contact management via Trigger.dev.
4. Types of personal data processed
The personal data processed may include, depending on what you import:
Names, email addresses, phone numbers.
Job titles, company names, LinkedIn URLs.
Notes and relationship context you have recorded about contacts.
Outreach message history.
Relationship grade/tier assigned by you.
You must not import special category data (as defined by UK GDPR Article 9) without explicit consent from the data subjects.
5. Our obligations as data processor
We will:
Process personal data only on your documented instructions (i.e. by providing the service as described) unless required to do otherwise by applicable law.
Ensure all personnel with access to personal data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or destruction.
Not engage a new sub-processor without informing you and giving you the opportunity to object. Our current sub-processors are listed in the Privacy Policy.
Assist you in responding to data subject rights requests (access, deletion, portability, rectification) relating to personal data we process on your behalf, where technically feasible. Contact privacy@runassay.app.
Notify you without undue delay (and no later than 72 hours) after becoming aware of a personal data breach involving data we process on your behalf.
Delete or return all personal data on termination of the service, in accordance with the retention periods set out in the Privacy Policy.
Make available all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections by you or an auditor you appoint. We may satisfy audit requests via provision of current third-party audit reports (e.g. SOC 2 Type II) in the first instance.
6. Your obligations as data controller
You confirm that:
You have a lawful basis under UK GDPR for processing the personal data you import into Assay.
Where required, you have provided appropriate privacy notices to your contacts informing them their data may be processed via software tools including AI services.
You will handle any data subject rights requests from your contacts promptly.
You will not import data that you do not have the right to process.
7. Sub-processors
We use the following sub-processors to deliver the service. By accepting this DPA you authorise their use:
Clerk - authentication (user account data only; not contact data).
Neon - database storage (all contact and account data).
Anthropic - AI message generation (contact names, notes, context included in API prompts).
Trigger.dev - background job processing (contact identifiers in task payloads).
Netlify - serverless function hosting (request/response data in transit).
We will update this list if we add new sub-processors and will give you reasonable notice before doing so.
8. International data transfers
Some sub-processors (including Anthropic and Trigger.dev) may process data in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place - such as the UK International Data Transfer Agreement (IDTA) or the UK extension to the EU Standard Contractual Clauses (SCCs) - or we rely on adequacy decisions where available.
9. Security measures
We maintain the following technical and organisational measures:
Encryption in transit (TLS 1.2+) for all data transfers.
Encryption at rest for database storage.
Access controls: production data is accessible only to authorised personnel on a need-to-know basis.
Regular security reviews and dependency updates.
Authentication enforced via Clerk (including MFA support).
10. Governing law
This DPA is governed by the laws of England & Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England & Wales. This DPA shall be read alongside the Terms of Service and Privacy Policy.
Last updated: 22 March 2026. Goldseam AI Consulting Ltd, company number 16896682, registered in England & Wales. Contact: privacy@runassay.app