Data Processing Agreement
Last updated: 13 March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Pop Hasta Labs Ltd ("Processor", "we", "us") and the customer ("Controller", "you") for the use of the Other Me platform and related services.
This DPA sets out the terms under which we process personal data on your behalf, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using Other Me as an enterprise customer, you agree to the terms of this DPA.
2. Definitions
- Personal Data — any information relating to an identified or identifiable living person, as defined by UK GDPR Article 4(1).
- Processing — any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Controller — the entity (you) that determines the purposes and means of processing personal data.
- Processor — the entity (Pop Hasta Labs Ltd) that processes personal data on behalf of the Controller.
- Sub-processor — any third party engaged by us to process personal data on your behalf.
- Data Subject — the individual whose personal data is being processed.
3. Scope of processing
We process personal data only as necessary to provide the Other Me platform to you. The details of processing are as follows:
| Item | Details |
|---|---|
| Subject matter | Provision of the Other Me AI platform, including AI assistant interactions, document processing, calendar sync, and enterprise API services |
| Duration | For the duration of your subscription, plus any retention period required by law or agreed in your contract |
| Nature of processing | Storage, retrieval, AI-assisted analysis, PII redaction, pseudonymisation, and encryption of data |
| Purpose | To provide AI assistant services, enforce security controls (SCRS), generate audit logs, and deliver enterprise features |
| Categories of data subjects | Your employees, team members, and end users of your Other Me account |
| Types of personal data | Names, email addresses, job titles, chat content, uploaded documents, calendar data, and any personal data contained within content processed through the platform |
4. Our obligations as Processor
We will:
- Process personal data only on your documented instructions, unless required by law
- Ensure all staff with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 5)
- Assist you in responding to data subject requests (access, rectification, erasure, portability)
- Assist you with data protection impact assessments where required
- Notify you without undue delay (and within 72 hours) of any personal data breach
- Delete or return all personal data at the end of the contract, at your choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Security measures
We implement the following technical and organisational measures to protect personal data:
- Encryption at rest — All data encrypted using AES-256-GCM
- Encryption in transit — All connections use TLS 1.2 or higher
- SCRS Data Firewall — Patent-pending dual-gate system that blocks unauthorised data access before AI retrieval
- Access controls — Role-based access with five permission levels (Owner, Admin, Developer, Viewer, Billing)
- Audit logging — Immutable logs of all data access, changes, and administrative actions
- API key security — SHA-256 hashed keys with scoped permissions and automatic expiration
- PII redaction — Automatic detection and redaction of personal data with configurable policies
- UK data residency — All data stored on servers located in the United Kingdom
- Regular security testing — Ongoing vulnerability assessments and penetration testing
- Incident response — Documented breach response procedures with 72-hour notification
6. Sub-processors
We may engage sub-processors to help deliver our services. We will:
- Maintain a list of current sub-processors and make it available on request
- Notify you before adding or replacing a sub-processor
- Ensure all sub-processors are bound by data processing terms at least as protective as this DPA
- Remain fully liable for the acts or omissions of our sub-processors
If you object to a new sub-processor, you may terminate the affected service by giving written notice within 30 days.
7. International transfers
We store and process all data within the United Kingdom by default. If a transfer outside the UK becomes necessary (for example, through a sub-processor), we will ensure appropriate safeguards are in place, such as:
- UK International Data Transfer Agreement (IDTA)
- UK Addendum to the EU Standard Contractual Clauses
- Adequacy decisions by the UK Secretary of State
8. Data subject rights
We will assist you in fulfilling data subject requests under UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If we receive a request directly from a data subject, we will inform you promptly unless legally prohibited from doing so.
9. Data breach notification
In the event of a personal data breach, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach
- Provide details of the breach including the nature, categories of data affected, approximate number of data subjects, and likely consequences
- Describe the measures taken or proposed to address the breach
- Cooperate fully with your investigation and any notification to the Information Commissioner's Office (ICO)
10. Term and termination
This DPA remains in effect for the duration of your use of Other Me. Upon termination:
- We will delete or return all personal data within 30 days, at your choice
- We will provide written confirmation of deletion if requested
- Audit logs may be retained for up to 12 months after termination for compliance purposes, unless you request earlier deletion
11. Contact
For questions about this DPA or to exercise any rights under it:
- Email: dpa@pophastalabs.com
- Company: Pop Hasta Labs Ltd
- Companies House Number: 16742039