Data Processing Agreement
GDPR Compliant DPA
Last updated: October 15, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Ersilia ("Processor", "we", "us") for the provision of scope creep detection and project management services ("Services").
This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, including the EU General Data Protection Regulation 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" has the meaning given to it in the GDPR and includes any operation performed on Personal Data
- "Data Subject" means the individual to whom Personal Data relates
- "Sub-processor" means any entity engaged by Processor to process Personal Data
- "Data Protection Laws" means all applicable laws relating to data protection and privacy including GDPR and CCPA
3. Scope and Details of Processing
Subject Matter
The subject matter of processing is the provision of scope creep detection, project management, and communication analysis services as described in our Terms of Service.
Duration
Processing will continue for the duration of the Customer's subscription, plus the retention period specified in our Privacy Policy (7 days for trial, 30 days for Pro subscribers). When an account is deleted, all associated Personal Data is permanently erased immediately.
Nature and Purpose
The nature and purpose of processing includes:
- Storage and management of project data
- Analysis of client communications using AI to detect scope creep
- Generation of alerts and notifications
- Analytics and reporting on project metrics
- Integration with third-party services (Slack, email, etc.)
Types of Personal Data
- Account information (name, email address, phone number)
- Project data (project names, descriptions, budgets, deadlines)
- Client information (names, contact details)
- Communication content (emails, messages analyzed for scope detection)
- Usage data (login times, features used, settings)
Categories of Data Subjects
- The Customer (account holder)
- The Customer's clients
- The Customer's team members (if applicable)
4. Processor's Obligations
Ersilia shall:
- Process Personal Data only on documented instructions from the Customer (via use of the Services)
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of Personal Data
- Assist the Customer in responding to Data Subject rights requests
- Notify the Customer of any Personal Data breach within 72 hours of becoming aware
- Delete or return Personal Data to the Customer upon termination (except where retention required by law)
- Make available all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Customer provides general authorization for Ersilia to engage Sub-processors to process Personal Data. Current Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting, authentication | USA (SOC 2 certified) |
| Stripe | Payment processing | USA (PCI-DSS compliant) |
| Google (Gemini AI) | AI-powered scope detection | USA |
| Vercel | Application hosting, CDN | USA |
| Resend | Email delivery (notifications) | USA |
| Sentry | Error monitoring (no PII) | USA |
Ersilia shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors via email notification or service announcement, giving the Customer the opportunity to object to such changes within 30 days.
6. Data Subject Rights
Ersilia shall assist the Customer in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of Access - Data export feature available in Settings
- Right to Rectification - Users can edit their data in-app
- Right to Erasure - Account deletion available in Settings
- Right to Data Portability - JSON export of all Personal Data
- Right to Object - Users can disable specific processing (e.g., notifications)
For requests that cannot be fulfilled through self-service features, contact support@ersilia.ai and we will respond within 30 days.
7. Security Measures
Ersilia implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security (RLS) ensuring user data isolation
- Regular security testing and code reviews
- Access controls and authentication requirements
- Automated backups with 30-day retention
- Incident detection and monitoring (Sentry)
- Regular security updates and vulnerability patching
For complete details, see our Security Policy.
8. Data Breach Notification
In the event of a Personal Data breach, Ersilia shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for more information
Full breach notification procedures are documented in our Breach Response Plan, available to customers on request at privacy@ersilia.ai.
9. International Data Transfers
Personal Data may be transferred to and processed in the United States and other countries where our Sub-processors operate. Such transfers are subject to:
- Sub-processors' own data protection agreements and certifications (SOC 2, PCI-DSS, ISO 27001)
- Standard Contractual Clauses or equivalent mechanisms where required by applicable law
- Adequacy decisions where applicable
- Contractual obligations requiring sub-processors to implement appropriate safeguards
All Sub-processors listed in Section 5 are enterprise-grade service providers that maintain compliance with international data protection standards. Customers may request documentation of specific data transfer mechanisms by contacting support@ersilia.ai.
10. Audit Rights
Ersilia shall make available to the Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
The Customer may request an audit by contacting support@ersilia.ai with at least 30 days' advance notice. Audits shall be conducted during business hours and shall not unreasonably interfere with Ersilia's business operations.
11. Return or Deletion of Data
Upon termination of Services, Ersilia shall:
- Allow the Customer to export their data at any time while the account is active, using the data export feature
- Permanently delete all Personal Data when the Customer deletes their account
- Delete existing copies unless retention is required by applicable law
Account deletion is immediate and permanent. Deleted data cannot be recovered.
12. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA shall limit or exclude either party's liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any other liability that cannot be excluded or limited by applicable law
13. Duration and Termination
This DPA shall remain in effect for as long as Ersilia processes Personal Data on behalf of the Customer. Upon termination, the provisions regarding data deletion (Section 11) shall continue to apply.
14. Contact Information
For DPA-related inquiries:
Email: support@ersilia.ai
General Contact: hello@ersilia.ai
We will respond to all DPA-related requests within 30 days as required by GDPR.
15. Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the Terms of Service. For matters specifically related to data protection, the GDPR and applicable EU data protection laws shall apply.
✅ GDPR Compliant DPA
This Data Processing Agreement meets GDPR Article 28 requirements and is automatically accepted when you use our Services. For questions or to request a signed copy, contact support@ersilia.ai.