AI Assistants CRM Email + Projects Live Chat Ticketing Flows Enterprise Security HR-lite Control Center Solutions Pricing Start free trial
Legal

Data Processing Addendum

Last updated: 24 June 2026

This is a template for the Other Me site build. Review and adapt it with qualified legal counsel before publishing or signing.

1. Roles

For client personal data processed within the product, the customer is the controller and Pop Hasta Labs Ltd is the processor. This DPA forms part of the agreement between us.

2. Scope & instructions

We process personal data only to provide the service and on the customer’s documented instructions, including as configured in the Control Center.

3. Nature of processing & SCRS

Personal data is detected and tokenised by the Secure Context Retrieval System (SCRS) before any AI model or search index processes it, and rehydrated only for authorised users at egress. We do not use customer content to train shared models.

4. Confidentiality

Personnel with access to personal data are bound by confidentiality obligations.

5. Security

We implement appropriate technical and organisational measures, including encryption, the SCRS firewall, field-level access controls, BYOK options, a tamper-evident audit trail, and our SOC 2 / ISO 27001 / ISO 42001 programme.

6. Sub-processors

We engage vetted sub-processors (for example infrastructure, payments and governed AI inference). A current list is available on request, and we give notice of changes with a right to object.

7. International transfers

We host in the UK/EU and support data residency. Where transfers occur, we use the UK IDTA or EU SCCs as appropriate.

8. Data subject requests & assistance

We assist the customer in responding to data subject requests and in meeting security, breach-notification and impact-assessment obligations, including via the Governance module.

9. Breach notification

We notify the customer without undue delay after becoming aware of a personal data breach affecting their data.

10. Deletion & return

On termination, the customer can export data for a limited period, after which we delete it — including by crypto-shred where keys are customer-managed.

11. Audits

We make available information needed to demonstrate compliance and allow for audits in line with the agreement.

12. Contact

dpo@otherme.example · Pop Hasta Labs Ltd, United Kingdom. See also our Privacy Policy.