Data Processing Addendum

Last updated April 20, 2026 · Version 1.0

§0

Preamble

This Data Processing Addendum (the “DPA”) forms part of the agreement between the customer (“Customer” or “Controller”) and Joshua Robert Bradford, an individual resident of the State of Florida, United States, doing business under the name Dunamis Studios (“Dunamis Studios,” “Company,” or “Processor”) for Customer’s use of the Debrief HubSpot application and related services (the “Service”) under the Dunamis Studios Terms of Service (the “Master Agreement”). Capitalized terms not defined here have the meanings given in the Master Agreement.

This DPA applies to Dunamis Studios’s processing of Personal Data on behalf of Customer in connection with the Service. It supplements, and does not replace, any consent-based data-collection terms in the Privacy Policy. Where Dunamis Studios processes personal data for its own purposes as controller (account administration, billing, security, website analytics), the Privacy Policy governs instead.

By executing the Master Agreement or otherwise accepting the Dunamis Studios Terms of Service, Customer enters into and agrees to this DPA as of the Effective Date of the Master Agreement.

§1

Definitions

Terms used in this DPA have the meanings given below. Where a term is defined in the GDPR or UK GDPR and not below, the statutory definition applies.

  • “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and other comparable state, federal, or national privacy laws.
  • “Personal Data” has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person. Under CCPA, this term is interchangeable with “personal information.”
  • “Customer Personal Data” means Personal Data that Dunamis Studios processes on Customer’s behalf in providing the Service, including HubSpot Data transmitted under the OAuth authorization Customer grants at install and any Personal Data embedded in Briefs.
  • “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given in GDPR Article 4 and UK GDPR Article 4.
  • “Sub-processor” means any third party engaged by Dunamis Studios to process Customer Personal Data, as listed at /legal/subprocessors.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as amended from time to time.
  • “UK IDTA” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner’s Office, version B1.0 or any successor.
  • “Swiss Addendum” means an addendum to the SCCs amending them to cover transfers subject to Swiss FADP, consistent with guidance from the Swiss Federal Data Protection and Information Commissioner.
  • “DPF” means the EU–US Data Privacy Framework, including the UK Extension and the Swiss–US Data Privacy Framework.
  • “Personal Data Breach” has the meaning given in GDPR Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

§2

Processing details and roles

As between the parties, Customer is the Controller (or Business under CCPA) of Customer Personal Data, and Dunamis Studios is the Processor (or Service Provider under CCPA) acting on Customer’s documented instructions.

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 2.

§3

Processor obligations (GDPR Article 28)

Dunamis Studios will, in connection with Customer Personal Data:

  • Documented instructions. Process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to process for another purpose by Union or Member State law to which Dunamis Studios is subject, in which case Dunamis Studios will inform Customer of that legal requirement before processing, unless that law prohibits the notice on important grounds of public interest. Customer’s instructions are set out in the Master Agreement, this DPA, the Documentation, and any subsequent written instructions Customer sends through its configured channels.
  • Confidentiality of personnel. Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or statutory duties of confidentiality.
  • Security measures. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, including those described in Annex 3, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing as well as the risk to Data Subjects.
  • Data Subject requests. Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests from Data Subjects to exercise rights under Chapter III of the GDPR (see §8).
  • Breach notification. Notify Customer of a Personal Data Breach affecting Customer Personal Data within 48 hours of Dunamis Studios confirming the breach (see §9).
  • DPIA assistance. Assist Customer in ensuring compliance with obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to Dunamis Studios.
  • Return or deletion. At Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage (see §11).
  • Audit support. Make available to Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits conducted by Customer or another auditor mandated by Customer (see §10).
  • Instructions that infringe. Immediately inform Customer if, in Dunamis Studios’s opinion, an instruction from Customer infringes the GDPR or other Data Protection Law.

§4

Sub-processors

General written authorization. Customer grants Dunamis Studios general written authorization to engage Sub-processors, subject to this Section. Dunamis Studios’s current Sub-processors are listed at /legal/subprocessors, which is incorporated by reference.

Notice of new Sub-processors. Dunamis Studios will provide Customer with at least thirty (30) days’ prior written notice (which may be by email to the administrative contact or by updating the Sub-processors page with an email-list notification) of any intended addition or replacement of a Sub-processor that will process Customer Personal Data.

Upstream asymmetry. Anthropic, the upstream LLM provider, commits to only fifteen (15) days’ notice of its own sub-processor changes. Where Dunamis Studios receives shorter upstream notice, Dunamis Studios will pass through the change as soon as practicable, which may mean less than 30 days’ notice to Customer. This is a known asymmetry, not a breach of this DPA.

Right to object. Within the notice period, Customer may object to a proposed new Sub-processor on reasonable data-protection grounds by written notice to legal@dunamisstudios.net. The parties will discuss the objection in good faith. If the parties cannot resolve it, Customer’s sole remedy is to terminate the affected subscription under the Master Agreement, with a pro-rata refund of unused prepaid fees.

Flow-down. Dunamis Studios will impose on each Sub-processor, by written contract, data-protection obligations that are substantially the same as those imposed on Dunamis Studios under this DPA and that meet the requirements of GDPR Article 28(4). Dunamis Studios remains fully liable to Customer for each Sub-processor’s performance of its data-protection obligations.

§5

International transfers

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the parties rely on the following, in order of applicability:

  • DPF. For Sub-processors certified under the EU–US DPF, the UK Extension, and the Swiss–US DPF (Vercel, Upstash, Stripe, Resend, HubSpot), transfers are made under the applicable DPF certifications.
  • EU SCCs (Implementing Decision 2021/914). For Sub-processors that are not DPF-certified (notably Anthropic) and as a fallback mechanism for any DPF transfer that subsequently becomes unavailable, the parties incorporate the SCCs, Module 2 (Controller-to-Processor) where Customer is a Controller and Dunamis Studios is a Processor, and Module 3 (Processor-to-Processor) where Customer acts as a Processor on behalf of its own controllers, as follows:
    • Clause 7 (docking clause): applies.
    • Clause 9(a) (sub-processing): Option 2 applies, general written authorization with the notice period in §4.
    • Clause 11 (redress): the optional language is not included.
    • Clause 17 (governing law): the laws of Ireland apply.
    • Clause 18 (choice of forum and jurisdiction): the courts of Ireland have jurisdiction.
    • Annex I.A (List of Parties) is populated by Annex 1; Annex I.B (Description of Transfer) is populated by Annex 2; Annex I.C (Competent Supervisory Authority) is the Irish Data Protection Commission unless another is specifically designated; Annex II (Technical and Organizational Measures) is populated by Annex 3; Annex III (Sub-processors) is populated by the list at /legal/subprocessors.
  • UK IDTA. Transfers subject to UK GDPR are governed by the UK International Data Transfer Addendum to the SCCs, incorporated by reference and populated consistent with the Annexes to this DPA.
  • Swiss Addendum. Transfers subject to the Swiss FADP are governed by the SCCs as amended by the Swiss Addendum, with references to EEA Supervisory Authorities read as the Swiss Federal Data Protection and Information Commissioner where appropriate.

Supplementary measures. Consistent with EDPB Recommendations 01/2020, Dunamis Studios implements the supplementary measures described in Annex 3, including TLS 1.2+ encryption in transit, AES-256 encryption at rest, data minimization, role-based access controls, and a documented transfer impact assessment refreshed annually.

Order of precedence. To the extent of conflict between the SCCs and any other provision of this DPA or the Master Agreement, the SCCs prevail.

§6

Security measures

Dunamis Studios implements and maintains technical and organizational measures appropriate to the risks of processing Customer Personal Data, as described in Annex 3. Dunamis Studios reviews those measures periodically and may update them, provided the overall level of security is not materially diminished.

§7

Confidentiality of personnel

Dunamis Studios restricts access to Customer Personal Data to personnel and approved contractors who need access to perform their duties, and binds them to written confidentiality obligations or appropriate statutory duties of confidentiality.

§8

Data Subject rights assistance

Dunamis Studios will, taking into account the nature of the processing and insofar as technically and commercially reasonable, assist Customer in responding to Data Subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making) and comparable rights under UK GDPR, Swiss FADP, CCPA, and other Data Protection Laws.

Where a Data Subject contacts Dunamis Studios directly with a request about Customer Personal Data, Dunamis Studios will refer the request to Customer without disclosing Personal Data beyond what is necessary to identify the relevant customer, unless prohibited by law.

Customer is responsible for verifying the identity of requestors and for the substantive response. Dunamis Studios will provide reasonable technical assistance (including export and deletion tooling available through the Service) without additional charge.

§9

Personal Data Breach notification

Dunamis Studios will notify Customer of a Personal Data Breach affecting Customer Personal Data within 48 hours of Dunamis Studios confirming the breach.

The notice will include, to the extent known at the time of notice and consistent with GDPR Article 33(3):

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • the name and contact details of the Dunamis Studios point of contact for further information;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the full information is not available at the time of initial notification, Dunamis Studios will provide updates as information becomes available, without undue further delay. Notification of a Personal Data Breach is not an acknowledgment by Dunamis Studios of fault or liability.

§10

Audit rights

To enable Customer to verify compliance with this DPA, Dunamis Studios will, upon reasonable written request and no more than once per calendar year (or more frequently where required by a Supervisory Authority or after a confirmed Personal Data Breach materially affecting Customer’s data):

  • respond to a reasonable written questionnaire regarding its information security program and compliance with this DPA; and
  • where the questionnaire does not reasonably resolve Customer’s compliance inquiries, permit, with at least thirty (30) days’ advance written notice and at mutually agreed times during normal business hours, an on-site audit conducted by Customer or by an independent third-party auditor (not a competitor of Dunamis Studios) bound by confidentiality obligations at least as protective as those in the Master Agreement. On-site audits are conducted at Customer’s expense.

Audits must not unreasonably interfere with Dunamis Studios’s business, must respect the confidentiality of other customers’ data and Dunamis Studios’s own confidential information, and must not include access to premises, systems, or data of any Sub-processor (for which Dunamis Studios will request Sub-processor audit reports or other evidence on Customer’s behalf consistent with its Sub-processor contracts).

§11

Return or deletion on termination

On termination or expiration of the Master Agreement, or earlier on Customer’s written request:

  • Customer has a thirty (30)-day export window (as described in Master Agreement §13) to retrieve its Briefs through the Service’s export tooling;
  • Dunamis Studios will delete Customer Personal Data from active production systems within sixty (60) days of termination;
  • Customer Personal Data residing in backups will be deleted on its natural backup-rotation cycle (generally within 30–90 days after deletion from primary systems); and
  • on written request, Dunamis Studios will provide a written certification of deletion within a reasonable period after completion.

Dunamis Studios may retain Customer Personal Data to the extent, and for as long as, required by applicable law, provided that Dunamis Studios will continue to protect that data in accordance with this DPA and will limit processing to the storage purpose.

§12

Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Master Agreement. This DPA does not expand any party’s liability beyond those limitations. To the extent the SCCs require otherwise for a particular transfer, the SCCs prevail for that transfer only.

§13

Term

This DPA takes effect on the Effective Date of the Master Agreement and continues for so long as Dunamis Studios processes Customer Personal Data. Provisions that, by their nature, should survive termination (including return/deletion, confidentiality, and liability) survive.

§Annex 1

Annex 1: List of Parties

Data Exporter (Controller): the customer identified on the account that accepted the Master Agreement and this DPA, including the account administrative contact, as recorded in Dunamis Studios’s account system.

Activities relevant to the data transferred under this DPA: Customer uses the Service to generate AI-assisted handoff briefs from its HubSpot CRM data.

Role: Controller (or, where Customer is itself a processor of its own controllers’ data, Processor).

Data Importer (Processor)

Joshua Robert Bradford, an individual resident of the State of Florida, United States, doing business under the name Dunamis Studios.

2269 Twin Fox Trail
St. Augustine, FL 32086
United States

Contact for data-protection matters: legal@dunamisstudios.net and privacy@dunamisstudios.net.

Activities relevant to the data transferred: operating the Debrief HubSpot application, transmitting Customer Personal Data to Anthropic’s Claude API for brief generation, hosting the Service on Vercel, caching metadata on Upstash, processing billing via Stripe, and sending transactional email via Resend.

Role: Processor (Service Provider under CCPA).

§Annex 2

Annex 2: Description of Processing

Subject matter. Generation of AI-assisted handoff briefs and related Service functions, as described in the Master Agreement and Documentation.

Duration. For the duration of the Master Agreement plus the retention periods described in the Privacy Policy and in §11.

Nature and purpose. Read Customer’s HubSpot CRM records under OAuth authorization, transmit relevant records to Anthropic’s Claude API over encrypted connection, receive the generated Brief, store Brief metadata, and return the Brief to Customer within Customer’s HubSpot portal. Related processing includes account administration, authentication, billing, support, logging, and security monitoring.

Types of Personal Data. HubSpot CRM record fields within the OAuth scopes Customer approved at install, which may include: names, business email addresses, job titles, phone numbers, company names and company metadata, deal and ticket content, engagement content (emails, notes, call summaries) as authorized; Dunamis Studios account holder identifiers (name, email, hashed password or OAuth identifier); billing contact information. Customer must not submit sensitive data categories as defined in Master Agreement §4.

Categories of Data Subjects. Customer’s own customers, prospects, contacts, and business counterparties whose data is stored in Customer’s HubSpot portal; Customer’s authorized users of the Service; and Customer’s billing representatives.

Frequency of transfer. Continuous, on demand as Customer’s users request Briefs.

Retention. As described in the Privacy Policy and §11 of this DPA.

Recipients. Dunamis Studios’s Sub-processors as listed at /legal/subprocessors.

§Annex 3

Annex 3: Technical and Organizational Measures

Dunamis Studios maintains the following technical and organizational measures. The measures are updated as the Service evolves; the overall level of protection will not be materially diminished without Customer’s consent.

  • Encryption in transit. TLS 1.2 or later for all connections to the Service, to Sub-processor APIs (Anthropic, Vercel, Upstash, Stripe, Resend, HubSpot), and to administrative consoles.
  • Encryption at rest. AES-256 (or equivalent modern cipher) for Customer Personal Data cached or stored in Sub-processor systems (Upstash Redis, Vercel storage, Stripe).
  • Access controls. Role-based access with principle of least privilege; multi-factor authentication on administrative accounts; secrets stored in a dedicated secrets manager and rotated on schedule or on suspected exposure.
  • OAuth token handling. HubSpot OAuth tokens encrypted at rest, scoped per portal, never logged in plaintext, and invalidated on uninstall or revocation.
  • Network and application security. Sub-processors selected for their security posture (DPF certification or SOC 2 Type II where available); HTTPS-only public endpoints; CSRF protections on state-changing requests; parameterized queries to prevent SQL injection; dependency vulnerability scanning; runtime error monitoring.
  • Logging and monitoring. Audit and application logs retained for a rolling period (generally 30 days) with access restricted to authorized operators; alerting on anomalous access patterns and on upstream API failures.
  • Incident response. Documented playbook for identifying, containing, eradicating, and recovering from security incidents; post-incident review with remediation tracking; breach-notification paths aligned with §9.
  • Personnel. Personnel and approved contractors with access to Customer Personal Data are subject to confidentiality obligations, receive periodic security and privacy training, and have access removed on role change or departure.
  • Data minimization. Only Personal Data within the OAuth scopes Customer approved is retrieved; only data relevant to a requested brief is transmitted to the LLM API; Brief metadata retained only as needed for the Service.
  • Sub-processor oversight. Written contracts with each Sub-processor that flow down data-protection obligations substantially equivalent to this DPA; annual review of Sub-processor posture and transfer mechanisms.
  • Business continuity. Sub-processors provide backup, redundancy, and disaster-recovery capabilities documented in their own DPAs and security documentation, on which Dunamis Studios relies.
  • Transfer Impact Assessment. Documented TIA covering transfers to the US under SCCs and DPF; reviewed at least annually and on any material change in Sub-processor, legal landscape, or Service architecture.

§Annex 4

Annex 4: Sub-processors

The list of current Sub-processors and their roles, processing locations, and transfer mechanisms is published at /legal/subprocessors and is incorporated into this DPA as Annex 4. That page is the authoritative live list, governed by the notice and objection process in §4.