Data Processing Addendum.

The brokerage tenant is the data controller. Bob is the data processor, acting on the controller’s documented instructions. Bob will not process personal data for any purpose outside the agreement without prior written consent.

Bob uses the following subprocessors:

• Supabase (database, auth, RLS) — auckland-1 / sydney-1 regions
• Cloudflare (CDN, DDoS, edge logs) — auckland POP first
• AWS (object storage, backups) — ap-southeast-2
• OpenAI / Anthropic (LLM inference) — no persistence, no training
• Twilio (voice telephony) — DPA-bound
• ElevenLabs (voice synthesis) — DPA-bound, per-tenant voice models
• Stripe(billing) — for Bob’s invoicing, not for customer payments

We notify tenants in writing 30 days before adding any new subprocessor, and tenants can object by terminating without penalty.

Bob implements technical and organisational measures to protect personal data: row-level isolation tested on every read, hash-chained audit ledger, encryption at rest (AES-256) and in transit (TLS 1.3), least-privilege access controls, SOC 2 Type II audit in progress for Q3 2026.

Bob will notify affected tenants without undue delay and in any case within 72 hours of becoming aware of a personal-data breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and remediation steps.

Personal data of EU residents is processed only in regions covered by the EU Commission’s adequacy decision (or with Standard Contractual Clauses in place). The same applies to UK residents under the UK addendum.

For DPA questions or to sign a per-tenant addendum: [email protected].