Data Processing Agreement

Note: This DPA is pending legal review. The final version will be published before the platform launches to customers.

1. Scope

This Data Processing Agreement ("DPA") governs how NailsmithInvestments LLC dba DFYhub ("Processor") processes data on behalf of customers ("Controller") when using the DFY Hub platform.

2. Data Processing Activities

We process the following categories of data:

• Business data: Analytics, SEO rankings, ad performance, content
• Account credentials: OAuth tokens for connected platforms
• Configuration data: Agent rules, thresholds, preferences
• Communication data: Agent reports, notifications, escalations

3. Security Measures

• AES-256-GCM encryption for credentials at rest
• Per-tenant encryption keys (KEK/DEK pattern)
• TLS 1.3 for all data in transit
• Encrypted daily backups to Cloudflare R2
• Role-based access controls
• Audit logging of all data access
• Container isolation between tenant workloads

4. Sub-Processors

We use the following sub-processors:

• Anthropic — AI model inference (PII scrubbed before transmission)
• DigitalOcean — Infrastructure hosting (US region)
• Cloudflare — CDN, DNS, and backup storage (R2)

5. Data Location

All data is processed and stored in the United States. We do not transfer data outside the US.

6. Breach Notification

In the event of a data breach, we will notify affected customers within 72 hours of discovery, including the nature of the breach, data affected, and remediation steps taken.

7. Data Deletion

Upon termination or request, all customer data will be deleted within 30 days. Encrypted backups will be purged within 90 days. A certificate of deletion is available upon request.

8. Contact

Data processing inquiries: daniel@yourdfyhub.com