Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer,” the controller) and The Promise Digital LLC & H&J Legacy Holdings LLC (“Automate Admits,” the processor) for the use of the Automate Admits platform (the “Service”). It describes how we process personal data on the Customer’s behalf. Capitalized terms not defined here have the meaning given in our Terms of Service.
1. Roles of the parties
For personal data contained in Customer Data, the Customer is the controller (or, where the Customer acts on behalf of a third party, the processor), and Automate Admits is the processor (or subprocessor) acting on the Customer’s documented instructions. Automate Admits processes personal data only to provide and support the Service, as set out in this DPA, our Terms, and our Privacy Policy, or as otherwise instructed by the Customer in writing and as permitted by law.
2. Subject matter, duration & purpose
The subject matter is the provision of the Service. Processing continues for the duration of the Customer’s use of the Service and until data is deleted or returned as described below. The purpose is to receive, store, organize, transmit, and respond to messages and lead information through the Customer’s connected channels, including the optional AI agent.
3. Types of data & data subjects
- Types of personal data: contact identifiers (such as names, usernames, and platform-scoped IDs), message content, contact and lead details the parties choose to exchange, scheduling information, and account information for the Customer’s team.
- Categories of data subjects: the Customer’s end users (people who message the Customer’s connected accounts) and the Customer’s own team members and account users.
4. Processor obligations
- Process personal data only on the Customer’s documented instructions, including for international transfers, unless required by law (in which case we will inform the Customer where permitted).
- Ensure that personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see Section 7).
- Assist the Customer, taking into account the nature of processing, in responding to data subject requests and in meeting the Customer’s security, breach-notification, and impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
5. Subprocessors
The Customer authorizes Automate Admits to engage the subprocessors below to provide the Service. We impose data-protection obligations on each subprocessor that are consistent with this DPA, and we remain responsible for their performance.
- Cloudflare — application hosting, storage, and database.
- Anthropic — AI processing of message content to generate replies.
- Square — payment processing for Customer subscriptions.
- Resend — delivery of transactional and service emails.
- Meta Platforms — receiving and sending messages through Facebook and Instagram.
We will give notice of intended changes to subprocessors so the Customer has an opportunity to object on reasonable data-protection grounds.
6. Data subject requests
Taking into account the nature of the processing, Automate Admits will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from data subjects to exercise their rights. Where we receive a request directly from a data subject relating to Customer Data, we will, where lawful, direct them to the Customer or forward the request.
7. Security measures
Automate Admits maintains technical and organizational measures designed to protect personal data, including encryption in transit, access controls and least-privilege access, salted hashing of passwords, signature verification of incoming platform webhooks, and logical isolation of each Customer’s data in our multi-tenant environment. Further detail is available on our Security page.
8. Personal data breach
Automate Admits will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to help the Customer meet its notification obligations.
9. Deletion or return of data
Upon termination of the Service, and at the Customer’s choice, Automate Admits will delete or make available for return the Customer’s personal data, and delete existing copies unless retention is required by law. Customers can also disconnect channels and request deletion of account data at any time, as described in our Privacy Policy.
10. Audits
Automate Admits will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality, scheduling, and security conditions.
11. International transfers
Automate Admits and its subprocessors may process personal data in countries other than the Customer’s own. Where required by applicable law, the parties will put in place an appropriate transfer mechanism. (Confirm the specific transfer mechanism and any regional clauses with counsel.)
12. General
If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. This DPA is governed by the same law as the Terms.
To request a signed copy of this DPA, or for any data-protection question, contact privacy@automateadmits.com.