Data Processing Agreement
Last updated: 2026-06-21 · OpenSassy is operated by ANDUMA Intelligence Group Ltd
This Data Processing Agreement ("DPA") forms part of the Terms of Service between OpenSassy ("Processor") and you, our business customer ("Controller"). It governs how we process your end-clients' personal data on your behalf under UK GDPR Article 28 — i.e. the data of the people who book with you, not your own account data (which is covered by our Privacy Policy, where we're the controller).
1. Definitions
Controller: You, the customer — the business that determines the purposes and means of processing your clients' and staff's personal data.
Processor: OpenSassy (ANDUMA Intelligence Group Ltd) — processing that personal data on your behalf to provide the platform.
Sub-processor: A third party we engage to help process the data, listed in §4.
Personal Data: Any information relating to an identified or identifiable natural person as defined by UK GDPR.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, transmission, or deletion.
2. Subject matter and nature of processing
Subject matter: Provision of the OpenSassy AI business management platform — bookings, CRM, payments, AI assistant, and (where enabled) voice receptionist.
Nature: Collection, storage, retrieval, AI-assisted analysis, and display of your business's operational data, including data about your clients and staff.
Purpose: To provide the services described in the Terms of Service, at your instruction.
Duration: For the term of your subscription, plus 30 days following cancellation (to allow export), unless a longer period applies — see retention in our Privacy Policy.
Types of personal data: Client names, contact details, appointment/booking history, notes, payment metadata (not raw card numbers), staff details, payroll figures, and — where you use the voice receptionist — caller phone numbers and call audio/transcripts.
Categories of data subjects: Your clients, your staff, and any individuals whose data you input into or that calls into the platform.
COUNSEL FLAG: if you operate in a vertical where appointment notes may capture health information (e.g. a clinic or allied-health practice), that is special category data under Article 9 and needs a separate condition agreed with us before you process it through OpenSassy. Contact us before onboarding clients with health data.
3. Processor obligations
OpenSassy agrees to:
- Process personal data only on your documented instructions (i.e. the data and actions you configure in the platform)
- Ensure anyone authorised to process the data is bound by confidentiality
- Implement appropriate technical and organisational security measures (Article 32) — see §5
- Assist you in responding to your clients' or staff's data subject rights requests
- Not engage a new sub-processor without giving you reasonable prior notice (see §4)
- Delete or return all personal data within 30 days of contract termination, except where we're legally required to retain it (e.g. billing records)
- Provide information reasonably necessary to demonstrate compliance with this DPA
- Notify you without undue delay, and within 72 hours where feasible, if we become aware of a personal data breach affecting your data
4. Sub-processors
We use the sub-processors below to provide the platform. This list reflects the providers actually wired into the live system as of this audit. COUNSEL: confirm the notice period for adding a new sub-processor (proposed 30 days) and the mechanism for objecting.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Primary database — all stored personal data | EEA project | N/A (EEA) |
| Google Cloud Platform | App hosting / compute | europe-west1, Belgium (EEA) | N/A (EEA) |
| Stripe | Payment processing | US/EU | Standard Stripe DPA |
| Twilio | SMS + voice receptionist (calls, recordings, transcripts) | USA | COUNSEL: IDTA/SCCs pending |
| Anthropic (Claude) | Primary AI brain — chat, analysis, building features | USA | COUNSEL: IDTA/SCCs pending |
| xAI (Grok) | AI fallback + voice receptionist brain | USA | COUNSEL: IDTA/SCCs pending |
| Google (Gemini) | Image analysis + memory embeddings | USA | COUNSEL: IDTA/SCCs pending |
| Moonshot (Kimi) | AI fallback for long-context tasks | COUNSEL: jurisdiction to verify | COUNSEL: high-priority flag — confirm before relying on this row |
| Resend | Transactional email (confirmations, receipts, OTP) | US/EU — to verify | COUNSEL: confirm DPA in place |
COUNSEL: rows marked "IDTA/SCCs pending" are the largest open item before this DPA can be relied on for real/enterprise customers — each US-based sub-processor needs a signed transfer mechanism in place first.
5. Security measures
- Encryption in transit (TLS) between your browser/app and our servers, and between our services and our database
- Per-business data isolation enforced at the application layer (every query is scoped to your organisation; cross-tenant access is actively monitored and audited)
- Role-based access controls for staff accounts
- Secrets (API keys, credentials) held in Google Cloud Secret Manager, never in source code
- EEA data residency for storage and compute (Belgium)
- Regular backups
- COUNSEL/build flag: a formal 72-hour breach-notification runbook is being finalised — not yet a documented process as of this draft.
6. Controller obligations
As Controller, you are responsible for:
- Having a lawful basis to collect and input your clients' and staff's personal data into OpenSassy
- Giving your clients and staff your own privacy notice covering how you use OpenSassy to process their data
- Obtaining any consent the platform requires on your behalf (e.g. AI-processing or marketing consent captured at your clients' sign-up)
- Responding to your clients'/staff's data subject rights requests (we will assist you, and provide self-service tools where available)
- Ensuring the personal data you input is accurate and that you don't input special category data (health, etc.) without first agreeing this with us — see §2
- Telling us promptly if you believe a sub-processor or our processing has caused a breach affecting your data
7. Audits
We will make available the information reasonably necessary to demonstrate compliance with this DPA. COUNSEL: confirm the audit clause (frequency, scope, who bears cost) appropriate for our customer base before finalising.
8. Contact
Data protection enquiries: hello@the-sassy.com
ANDUMA Intelligence Group Ltd, trading as OpenSassy.