Data Processing Addendum
- Effective
- May 31, 2026
- Last revised
- May 31, 2026
- Version
- 2026.05.31
- Issued by
- RAgencyOS, ragencyos.com
This Data Processing Addendum (DPA) governs how RAgencyOS, acting as a processor, handles personal data you (the controller) upload about your agents and other people. It applies automatically to every paying customer alongside the Terms of Service, you donât have to sign anything separate. If your procurement team needs a counter-signed copy, email support@ragencyos.com.
1.When this DPA applies
This Data Processing Addendum (âDPAâ) supplements and forms part of the RAgencyOS Terms of Service between you (âCustomerâ) and RAgencyOS (âwe,â âusâ). It applies whenever we process personal data on behalf of Customer in connection with the Service.
To the extent of any conflict between this DPA and the Terms of Service, this DPA controls, but only with respect to processing of personal data on behalf of Customer. The Terms of Service govern everything else.
2.Definitions
- âPersonal Dataâ means any information relating to an identified or identifiable natural person that Customer uploads to or generates through the Service.
- âCustomer Personal Dataâ means Personal Data for which Customer is the controller and we are the processor.
- âData Subjectâ means the individual to whom Customer Personal Data relates, typically Customerâs agents, employees, contractors, or other agency staff.
- âProcessingâ has the meaning given in applicable data-protection law and includes storage, retrieval, transmission, display, and deletion.
- âSubprocessorâ means a third party we engage to process Customer Personal Data on our behalf in connection with the Service.
- Capitalized terms used but not defined here have the meaning given in the Terms of Service or the Privacy Policy.
3.Subject matter, duration, nature, and purpose
- Subject matter: Processing of Customer Personal Data necessary to provide the Service described in the Terms of Service.
- Duration: The term of the Customerâs subscription, plus any post-termination retention period required by law or specified in Section 13 below.
- Nature of processing: Storage, indexing, retrieval, transmission, display, analysis, summarization, and deletion necessary to provide the Serviceâs payroll-reconciliation, onboarding, time-tracking, communications, and reporting features.
- Purpose: Providing the Service to Customer and Customerâs authorized users in accordance with Customerâs instructions.
4.Categories of Data Subjects and Personal Data
Categories of Data Subjects:Customerâs agents, employees, independent contractors, owners, admins, and other agency personnel.
Categories of Personal Data:
- Identification and contact data (name, work email, phone number, date of birth if provided).
- Professional identification (National Producer Number, state license details, FFM ID).
- Employment data (role, status, start date, termination date, pay tier, base rate).
- Identity verification documents (W-9, photo identification), stored as documents in private storage with row-level security, not indexed or extracted.
- Compensation data (per-period payouts, CPA values, bonuses, deductions, adjustments).
- Time and attendance data (clock-in/out events, lunch and break durations).
- Communications metadata and content (in-app messages, broadcast messages, team-chat messages routed through the Service).
- Operational logs (IP address, timestamps, request paths) tied to the userâs account.
See the Privacy Policy §3 for the âsensitive personal informationâ subset and how each category is handled.
5.Customer's instructions and obligations
- Customer is the controller of Customer Personal Data. Customer instructs us to process Customer Personal Data only to provide the Service in accordance with the Terms of Service, this DPA, the Privacy Policy, and any documented written instructions Customer subsequently provides.
- Customer warrants that it has all rights, consents, and lawful bases necessary to upload Customer Personal Data to the Service and to authorize our processing of it.
- Customer is responsible for responding to Data Subject rights requests directed to Customer (right to access, correct, delete, port, restrict, object, etc.), with our cooperation under Section 9.
- Customer is responsible for keeping the agency roster and access controls up to date so that only authorized users can read or modify Customer Personal Data inside the Service.
6.Our obligations as processor
We will:
- Process Customer Personal Data only in accordance with Customerâs documented instructions, including the Terms of Service, Privacy Policy, and this DPA.
- Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Annex A (Security Measures) and at ragencyos.com/security.
- Engage subprocessors only in accordance with Section 7 below.
- Assist Customer with responding to Data Subject rights requests (Section 9), data-protection impact assessments and prior consultations (Section 10), and breach notifications (Section 11).
- On termination of the Service and Customerâs written request, delete or return all Customer Personal Data as described in Section 13.
- Make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, as described in Section 12 (Audits).
7.Subprocessors
Customer authorizes us to engage the subprocessors listed in the Privacy Policy §8 (which currently includes Supabase, Vercel, Cloudflare, Resend, and, where Customer has opted in, Google and Telegram). The current list is maintained in the Privacy Policy.
We will give Customer at least 15 daysâ advance notice by email before engaging a new subprocessor or replacing an existing one with one that processes Customer Personal Data, where reasonable. Customer may object to a new subprocessor within that notice period by emailing support@ragencyos.com. If Customer reasonably objects, the parties will work together in good faith to resolve the concern; if no resolution is reached, Customer may terminate the affected portion of the Service and receive a prorated refund of prepaid unused fees.
We remain liable for the acts and omissions of our subprocessors to the same extent as we would be if we performed the subprocessorâs services directly, subject to the limitation of liability in the Terms of Service.
8.International transfers
The Service is hosted in the United States. Customer authorizes the transfer of Customer Personal Data to the United States for processing as described in this DPA and the Privacy Policy. If Customer is established in a jurisdiction whose data-protection law restricts international transfers (such as the European Economic Area, United Kingdom, or Switzerland), the parties will execute the European Commissionâs Standard Contractual Clauses or a successor transfer mechanism before such transfers begin.
9.Assistance with Data Subject rights
Where a Data Subject contacts us directly with a rights request relating to Customer Personal Data, we will redirect them to Customer (the controller) and notify Customer of the request without undue delay. Customer is responsible for responding.
We will provide Customer with the information and tools reasonably necessary for Customer to respond, for example, by providing data exports, search functions, and (on written request) deletion of specific Personal Data, taking into account the nature of the processing and the data available to us.
10.Data Protection Impact Assessments and prior consultation
To the extent required by applicable data-protection law, we will provide Customer with reasonable assistance in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the data available to us. Customer is responsible for completing the assessment itself.
11.Personal data breach notification
If we become aware of a confirmed Personal Data Breach affecting Customer Personal Data, we will:
- Notify Customer by email at the account ownerâs address within 72 hours of confirming the breach;
- Describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures we have taken or propose to take;
- Document the breach in a manner sufficient to support Customerâs notification obligations to supervisory authorities and Data Subjects;
- Take reasonable steps to mitigate the effects and to prevent recurrence.
Customer is responsible for notifying its own supervisory authorities and affected Data Subjects where required by law. We will provide reasonable assistance with those notifications.
12.Audits and certifications
On Customerâs reasonable written request and no more than once per twelve-month period (unless required more frequently by a supervisory authority or in response to a breach), we will make available the information reasonably necessary to demonstrate compliance with this DPA, including (where applicable) our most recent third-party security audit or compliance report.
We are not currently SOC-2 audited. Where Customer requires an on-site audit and we have not engaged an independent third-party auditor whose report can be shared, the parties will agree in advance on the scope, timing, and confidentiality of the audit. Audits must not interfere with our operations or with other customersâ access to the Service.
13.Return and deletion
On termination of the Service (or earlier on Customerâs written request), we will delete or return all Customer Personal Data within 30 days, except where retention is required by law (for example, tax or audit obligations) or to defend a legal claim. Customerâs ability to export its data through the in-product export features remains available until termination.
Backups maintained by our storage subprocessor (Supabase) are overwritten in the normal course of operations within 30 days. We will not restore Customer Personal Data from backups after deletion except where doing so is necessary to comply with law.
14.Liability
The aggregate liability of each party under this DPA is subject to the limitation of liability set forth in the Terms of Service.
15.Order of precedence
If there is any conflict between this DPA and the Terms of Service or Privacy Policy with respect to the processing of Customer Personal Data on behalf of Customer, this DPA controls. In all other respects, the Terms of Service control.
16.Annex A, Technical and organizational security measures
See ragencyos.com/security for the current description of the technical and organizational measures we implement to protect Customer Personal Data. That description is incorporated into this DPA by reference and may be updated from time to time, subject to the no-degradation commitment below.
No-degradation commitment. We may update our security measures from time to time, provided that any update does not materially decrease the overall level of protection.
17.Contact
Questions, audit requests, or notices under this DPA:
This document is provided in good faith and reflects RAgencyOSâs current practices as of the effective date shown above. It does not constitute legal advice. For questions, please contact support@ragencyos.com.
â RAgencyOS