Data Processing Agreement
GDPR-compliant data processing terms for enterprise customers and privacy-conscious users
Plain-English Summary
This Data Processing Agreement (DPA) explains how we handle your personal data when providing our Universal Context Pack services. Here's what it means:
- We only process your data to provide the services you requested
- We don't sell, share, or use your data for any other purposes
- You control your data and can delete it anytime
- We use industry-standard security measures to protect your data
- This agreement meets GDPR and other privacy law requirements
1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data (typically, you as our customer).
"Processor" means Universal Context Pack, LLC, which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person contained in files you upload to our service.
"Processing" means any operation performed on personal data, including analysis, transformation, and context pack generation.
"Data Subject" means the natural person to whom personal data relates.
2. Scope and Application
This DPA applies to the processing of personal data by Universal Context Pack on behalf of the Controller in connection with the Universal Context Pack services.
This DPA forms part of and supplements our Terms of Service. In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
3. Purpose and Duration of Processing
Purpose: We process personal data solely to provide the Universal Context Pack services, including:
- Analyzing and transforming conversation files
- Generating context packs from uploaded content
- Providing file download and export capabilities
- User authentication and account management
Duration: Processing continues for the duration of the service relationship. Personal data is deleted within 24-48 hours of user-initiated deletion or account termination.
4. Processing Instructions
Universal Context Pack will process personal data only on documented instructions from the Controller, including:
- File upload and processing requests
- Context pack generation instructions
- Data deletion requests
- Account management actions
If we believe an instruction infringes applicable data protection laws, we will immediately inform the Controller.
5. Security Measures
We implement appropriate technical and organizational measures to ensure data security:
Technical Measures:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Secure key management (Cloud KMS)
- Regular security updates
Organizational Measures:
- Role-based access controls
- Security awareness training
- Incident response procedures
- Regular security assessments
6. Sub-processors
The Controller provides general authorization for the engagement of sub-processors. Current authorized sub-processors include:
Company | Service | Location |
---|---|---|
Google Cloud Platform | Infrastructure & Hosting | Global (Data in US) |
Supabase | Database Services | US |
Stripe | Payment Processing | US |
OpenAI | AI Processing | US |
We will provide 30 days' notice before adding new sub-processors.
7. Data Subject Rights
We assist the Controller in fulfilling data subject rights requests:
- Access: View processed data
- Rectification: Correct inaccurate data
- Erasure: Delete personal data
- Portability: Export data in structured format
- Restriction: Limit processing activities
- Objection: Object to certain processing
- Automated decisions: Human review available
Data subject requests should be directed to: privacy@universalcontextpack.com
8. Data Breach Notification
In case of a personal data breach, we will:
- Notify the Controller without undue delay (within 72 hours when possible)
- Provide all relevant information about the breach
- Assist with breach notification to supervisory authorities and data subjects
- Implement immediate containment and remediation measures
Security incidents should be reported to: security@universalcontextpack.com
9. Audits and Compliance
We make available to the Controller:
- Information necessary to demonstrate compliance with this DPA
- Security certifications and audit reports
- Reasonable assistance with Controller audits
- Regular compliance assessments
Audit requests should be submitted to: compliance@universalcontextpack.com
10. International Data Transfers
Personal data is primarily processed within the United States. Where transfers occur to countries without adequacy decisions, we ensure protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional safeguards where required
- Regular adequacy assessments of transfer destinations
11. Term and Termination
This DPA remains in effect for the duration of the service relationship. Upon termination:
- All personal data will be deleted within 24-48 hours
- Data may be retained longer only if required by law
- Controller may request return of data before deletion
- Deletion will be certified upon request
Questions or Concerns?
Need clarification on our data processing practices or have questions about this DPA?
Last updated: September 8, 2025