Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Client", "you") — the entity that has executed a Master Service Agreement ("MSA") with Very Simple Solutions Inc.
- Data Processor ("Simple4u", "we") — Very Simple Solutions Inc., a Delaware corporation, 1755 Ocean Parkway, Brooklyn, NY 11223, USA
This DPA is incorporated by reference into the MSA and supplements our Terms of Service and Privacy Policy. It governs Simple4u's processing of personal data on the Client's behalf during a retainer engagement.
1. Scope of processing
Simple4u processes personal data only to deliver the services scoped in the MSA. The exact services depend on which capabilities are in scope for the engagement (software development, AI infrastructure, marketing operations, creative production, operations partnership). Simple4u processes personal data only on the documented instructions of the Client, unless required to do so by applicable law; in that case Simple4u will inform the Client of the legal requirement before processing, unless the law prohibits such notice. If Simple4u believes an instruction infringes applicable data protection law, it will promptly inform the Client.
Processing details (GDPR Article 28)
Subject matter and duration: Processing personal data within the scope of an active retainer engagement, for the duration of that engagement and any wind-down period agreed in the MSA.
Nature and purpose: Engineering and operational services delivered by an embedded technical team. This may include software development against Client systems, marketing analytics and reporting, AI agent operation, creative production using Client materials, and ongoing technical operations.
Types of personal data: Categories vary by engagement scope and are itemized in the engagement-specific Schedule referenced in the MSA. Typical categories include names, email addresses, message content from connected business tools, analytics identifiers, and customer or contact records within tools we manage. No special categories of data (Article 9) are intentionally processed unless explicitly agreed in writing.
Categories of data subjects: Client's employees, Client's customers and business contacts, and third parties whose data appears in connected systems within the engagement scope.
2. Data storage and isolation
Infrastructure choices are agreed in the MSA. Default posture:
- Per-engagement isolation: Personal data processed for one Client is not co-mingled with data of any other Client. Where Simple4u operates infrastructure on the Client's behalf, that infrastructure is provisioned per engagement.
- Hosting providers: DigitalOcean Inc., Vercel Inc., or Client-controlled cloud accounts, depending on the engagement.
- Access: SSH-key authentication only on managed infrastructure; password authentication is disabled and no shared passwords are used. Access to Client systems is limited to authorized Simple4u personnel acting on documented Client instructions.
- Encryption: Data in transit is protected with TLS. Data at rest relies on the at-rest encryption provided by the underlying hosting provider; additional engagement-specific requirements (for example application-level encryption or Client-managed keys) can be agreed in the MSA.
3. AI processing
Where the engagement includes AI services (custom agents, marketing-bot, AI infrastructure), queries and the relevant context are sent to AI providers for inference:
- Primary AI provider: Anthropic, PBC (Claude API). Anthropic does not retain API query data beyond what is needed to process the request and provide abuse monitoring, per their enterprise API terms. Client data sent through the API is not used to train Anthropic's models.
- API credentials: Each engagement uses dedicated API credentials, scoped per Client.
- Data minimization: Only the specific context relevant to a query is included in AI requests, not the entire Client knowledge base.
- Other providers: Where the engagement explicitly requires other AI providers (OpenAI, fal.ai, ElevenLabs, etc.), those providers are added to the sub-processor list with the notice described in Section 4.
4. Sub-processors
Simple4u uses the following baseline sub-processors. Engagement-specific sub-processors are documented in the engagement Schedule.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI inference (Claude API) | USA |
| DigitalOcean, Inc. | VPS hosting (when used) | Configurable region |
| Vercel, Inc. | Web hosting (when used) | Global edge |
| Google LLC | Workspace integrations, Analytics, Ads (when in scope) | USA |
| Stripe, Inc. | Payment processing for retainer billing | USA |
| Cloudflare, Inc. | DNS | Global edge |
Simple4u will notify the Client at least 30 days before adding or replacing a sub-processor that processes Client personal data. The Client may object to a new sub-processor; if the objection cannot be resolved, the Client may terminate the affected portion of the engagement.
Google Ads API data handling
Where the engagement includes Google Ads management or Keyword Planner research:
- Simple4u retrieves campaign metadata and keyword research data via the Google Ads API on behalf of the Client, using developer credentials issued to Simple4u under the Client's authorization.
- Data is retrieved on a cadence agreed with the Client and stored only on the engagement-specific infrastructure.
- Simple4u does not resell, repackage, or syndicate Google Ads API data to any third party.
- Simple4u does not use Google Ads data to train models shared across clients.
5. Data retention and deletion
- Active engagement: Personal data is retained on engagement infrastructure for the duration of the engagement.
- End of engagement: Within 30 days of MSA termination (or any other period agreed in the MSA), Simple4u will return personal data to the Client and/or delete it from systems under our control, at the Client's choice. Deletion is permanent and irreversible; copies held in backups are removed when those backups are pruned under the retention period below.
- Backups: Where backups are operated by Simple4u, they are pruned per the engagement Schedule, with a default rolling retention of 90 days.
- Legal holds: Simple4u may retain data beyond the agreed period only where required by applicable law, with notice to the Client.
6. Data export
The Client may request a full data export at any time during the engagement. Default export formats: JSON or CSV for structured data, native file formats for documents. Export is provided within 5 business days of request at no additional cost.
7. Security measures
Technical measures
- Per-engagement infrastructure isolation
- SSH-key-only authentication on managed infrastructure
- Per-engagement API credentials (no credential reuse across clients)
- Credentials stored encrypted at rest, with restrictive file permissions on any on-disk copies
- HTTPS / TLS for all web-facing services we operate
- Daily backups (where in scope) with integrity verification
- Auto-restart and health checks on long-running services
Organizational measures
- Access to Client systems limited to authorized Simple4u personnel
- All personnel with access to Client data bound by written confidentiality obligations
- Personnel access reviewed quarterly
- No Client production data stored on personal devices
8. Data breach notification
In the event of a personal data breach affecting Client data:
- Simple4u will notify the Client without undue delay after becoming aware of the breach, and in any event within 72 hours. (GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 72-hour period in Article 33(1) applies to the Client's own notification to the supervisory authority, so Simple4u will not wait for the end of that window where earlier notice is possible.)
- Notification will include: nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken or proposed. Where this information is not all available at once, it will be provided in phases without undue further delay.
- Simple4u will cooperate with the Client in notifying supervisory authorities and data subjects as required
- Simple4u will take immediate steps to contain the breach and prevent recurrence
9. Data subject rights assistance
Simple4u will assist the Client in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) insofar as this is possible given the nature of the processing. Reasonable assistance is provided at no additional cost.
Simple4u will assist the Client in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required.
10. Client obligations
The Client, as Data Controller, is responsible for:
- Ensuring a lawful basis exists for processing personal data through Simple4u (e.g., legitimate interest for business operations, contract performance, consent where required)
- Informing employees and contacts that business communications may be processed by an embedded technical team
- Configuring scope: which channels, accounts, and systems Simple4u is granted access to
- Responding to data subject requests in the first instance, with Simple4u's assistance as described above
11. Audit rights
The Client may request information about Simple4u's data processing practices and security measures. Simple4u will respond to reasonable audit requests within 14 business days. On-site audits, if required, will be conducted at the Client's expense with at least 30 days' advance notice and during business hours.
12. International transfers
Where the Client is established in the EEA, the United Kingdom, or Switzerland and personal data is transferred to a country outside that jurisdiction, the EU Standard Contractual Clauses (Module 2: Controller to Processor) approved by the European Commission, the UK International Data Transfer Addendum, and the Swiss FDPIC requirements (as applicable) are hereby incorporated by reference. The Client may request the executed copy.
13. Term and termination
This DPA remains in effect for the duration of the MSA. On termination, Simple4u's obligations regarding data deletion, export, and assistance survive as described in Sections 5, 6 and 9.
14. Contact
For DPA-related questions or data protection requests:
- Email: nests@simple4uhq.com
- Mail: Very Simple Solutions Inc., 1755 Ocean Parkway, Brooklyn, NY 11223, USA