Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Client", "you") — the subscriber of Simple4u products
- Data Processor ("Simple4u", "we") — Very Simple Solutions Inc., New York, NY
This DPA supplements the Terms of Service and Privacy Policy, and governs Simple4u's processing of personal data on behalf of the Client.
1. Scope of Processing
Simple4u processes personal data solely to provide the subscribed AI assistant services (Personal Ops, Team Ops, Marketing Ops). Processing occurs only on data sources that the Client explicitly connects during onboarding. Simple4u processes personal data only on the documented instructions of the Client, unless required to do so by applicable law. If Simple4u believes an instruction infringes applicable data protection law, it will promptly inform the Client.
Data Processing Details (GDPR Article 28)
Subject matter and duration: Processing of business communications and analytics data for the duration of the subscription agreement.
Nature and purpose: AI-powered analysis of business data (emails, messages, documents, analytics) to provide executive assistant, marketing analytics, and project management services.
Types of personal data: Names, email addresses, message content, website analytics data, project management data. No special categories of data (Article 9) are intentionally processed.
Categories of data subjects: Subscriber's employees, clients, and business contacts whose data appears in connected business tools.
Categories of data processed:
| Data category | Source | Examples |
|---|---|---|
| Email content | Gmail (IMAP) | Message bodies, subjects, sender/recipient, timestamps |
| Calendar events | Google Calendar | Event titles, times, attendees, descriptions |
| Documents | Google Drive | Document content, metadata, file names |
| Messenger messages | WhatsApp / Telegram / Slack | Message content, sender, timestamps |
| Project data (Team Ops) | Jira | Ticket titles, statuses, assignees, comments |
| Marketing data (Marketing Ops) | GA4, Search Console, Ads | Traffic metrics, keywords, ad performance |
Data subjects may include:
- Client's employees and team members
- Client's customers and business contacts (as referenced in communications)
- Third parties mentioned in emails, messages, or documents
2. Data Storage & Isolation
All Client data is stored on a dedicated VPS provisioned exclusively for the Client. There is no shared database, no multi-tenant architecture, and no co-mingling of data between clients. This is physical isolation, not logical isolation.
- Infrastructure provider: DigitalOcean, Inc. VPS located in the region closest to the Client (configurable).
- Operating system: Ubuntu 24.04 LTS with security updates.
- Data at rest: Stored in the SQLite FTS5 Knowledge Database and markdown report files on the Client's VPS.
- Backups: Daily backup of the Knowledge Database to the Client's Google Drive (configured during onboarding). Backup integrity is verified automatically.
- Access control: VPS accessible only via SSH key authentication. No password-based access. Only authorized Simple4u personnel access the VPS for maintenance and support.
3. AI Query Processing
When the Client asks the bot a question, the query and relevant Knowledge Base context are sent to the Anthropic Claude API for processing:
- Provider: Anthropic, PBC
- API terms: Enterprise API data protection — query data is not used for model training
- Data retention by Anthropic: Anthropic does not retain API query data beyond what is needed to process the request and provide abuse monitoring, per their enterprise API terms
- API key: Provisioned on Simple4u's Anthropic account, with a separate key per client bot. Client may request migration to their own API key
- Data minimization: Only the specific Knowledge Base documents relevant to the query are included in the API request context, not the entire database
4. Sub-processors
Simple4u uses the following sub-processors to deliver the service:
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic, PBC | AI inference (Claude API) | Query text + relevant KB context | USA |
| DigitalOcean, Inc. | VPS hosting | All Client data (on Client's dedicated VPS) | Configurable region |
| Google LLC | Drive backup, Analytics | KB backup (Client's Drive), website analytics | USA |
| Stripe, Inc. | Payment processing | Payment card data (not processed by Simple4u) | USA |
| Cloudflare, Inc. | DNS, CDN, Zaraz | Website traffic (analytics loading) | Global edge |
Simple4u will notify the Client at least 30 days before adding a new sub-processor. The Client may object to a new sub-processor; if the objection cannot be resolved, the Client may terminate the subscription.
Google Ads API Data Handling (specific to Marketing Ops)
- Simple4u retrieves campaign metadata (campaign names, ad spend, impressions, clicks, conversions) via the Google Ads API on behalf of the Client, using OAuth credentials authorized by the Client.
- This data is retrieved on a cadence determined by the Client (default: every 6 hours) and stored only on the Client's dedicated workspace (per-client VPS isolation).
- Simple4u does not resell, repackage, or syndicate Google Ads API data to any third party.
- Simple4u does not use Google Ads data to train or improve models shared across Clients.
- Data retention follows Client's workspace retention policy (default: 90 days rolling).
5. Data Retention & Deletion
- Active subscription: Data is retained on the Client's VPS for the duration of the subscription.
- After cancellation: The VPS and all data remain available to the Client. Simple4u transfers VPS access credentials and ceases administrative access within 14 days of cancellation.
- Deletion on request: The Client may request complete deletion of the VPS and all data at any time. Deletion is performed within 7 business days and is permanent and irreversible.
- Automatic deletion: If the Client does not claim VPS access within 90 days of subscription cancellation, Simple4u will delete the VPS and all data, with 14 days' written notice before deletion.
6. Data Export
The Client may request a full data export at any time. Export formats available:
- Knowledge Base: JSON or SQLite database file
- Reports: Markdown files
- Configuration: JSON (settings, soul.md, integration config)
- Conversation history: JSON or CSV
Export is provided within 5 business days of request at no additional cost.
7. Security Measures
Simple4u implements the following technical and organizational measures:
Technical measures:
- Per-client VPS isolation — dedicated server per client, no shared infrastructure
- SSH key authentication — no password-based access to any VPS
- Separate API keys — each client bot uses its own Anthropic API key
- Credential encryption — all credentials stored in .env files with 600 permissions
- Circuit breaker — rate limiting (50 API calls/hour) prevents runaway cost or abuse
- Daily backups — Knowledge Database backed up to Client's Google Drive with verification
- Auto-restart — systemd services auto-restart within 30 seconds of failure
- HTTPS — all dashboards (Marketing Ops) served over TLS with valid certificates
Organizational measures:
- Access to Client VPS limited to authorized Simple4u personnel
- All personnel with access to Client data are bound by written confidentiality obligations
- Personnel access reviewed quarterly
- No Client data stored on Simple4u's own servers or personal devices
8. Data Breach Notification
In the event of a personal data breach affecting Client data:
- Simple4u will notify the Client within 72 hours of becoming aware of the breach (per GDPR Article 33)
- Notification will include: nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken or proposed
- Simple4u will cooperate with the Client in notifying supervisory authorities and data subjects as required
- Simple4u will take immediate steps to contain the breach and prevent recurrence
9. Data Subject Rights Assistance
Simple4u will assist the Client in responding to data subject access requests (access, rectification, erasure, portability, restriction, objection) insofar as this is possible given the nature of the processing. Assistance is provided at no additional cost for reasonable requests.
Simple4u will assist the Client in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required, taking into account the nature of the processing and the information available to Simple4u.
10. Client Obligations
The Client, as Data Controller, is responsible for:
- Ensuring a legal basis exists for processing personal data through Simple4u (e.g., legitimate interest for business operations)
- Informing their employees and contacts that business communications may be processed by an AI assistant
- Configuring which channels, chats, and folders the bot indexes (scope control)
- Responding to data subject access requests related to data processed through the bot
11. Audit Rights
The Client may request information about Simple4u's data processing practices and security measures. Simple4u will respond to reasonable audit requests within 14 business days. On-site audits (if applicable) will be conducted at the Client's expense with reasonable advance notice.
12. International Transfers
Client data is stored on the Client's VPS in a region selected during onboarding (default: DigitalOcean NYC). AI queries are processed by Anthropic in the United States. Where the Client is established in the EEA/UK and personal data is transferred to the United States, the EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission are hereby incorporated by reference.
We will notify you at least 30 days before adding or replacing a sub-processor. You may object to a new sub-processor by contacting nests@simple4uhq.com within 14 days of notification.
13. Term & Termination
This DPA remains in effect for the duration of the subscription. Upon termination, Simple4u's obligations regarding data deletion, export, and access transfer survive as described in Section 5.
14. Contact
For DPA-related questions or data protection requests:
- Email: nests@simple4uhq.com
- Company: Very Simple Solutions Inc., New York, NY