Data Processing Agreement

Version 1.0 · Effective: March 20, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Dacard.ai (operated by Darren Card, "Processor") and the customer ("Controller") for use of the Dacard.ai platform. It describes how Dacard.ai processes personal data on behalf of the customer in compliance with applicable data protection laws, including the GDPR and PIPEDA.

Request a signed DPA

Enterprise customers requiring a countersigned DPA can request one by email. We will respond within 3 business days.

1. Definitions

  • Controller: The customer, who determines the purposes and means of processing personal data.
  • Processor: Dacard.ai, who processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
  • Sub-processor: A third party engaged by the Processor to process data on behalf of the Controller.
  • GDPR: The EU General Data Protection Regulation 2016/679.

2. Scope and Purpose of Processing

Dacard.ai processes personal data only as instructed by the Controller and only for the purpose of providing the Dacard.ai platform services, as described in the Terms of Service.

Category: Account data
  Data types: Name, email, user ID, role
  Purpose: Authentication, access control, billing
  Retention: Until account deletion

Category: Scoring inputs
  Data types: Product URLs, context provided
  Purpose: AI maturity scoring
  Retention: Until result deletion or account deletion

Category: Integration data
  Data types: OAuth tokens, operational signals (PR activity, issues)
  Purpose: Enriched scoring and coaching
  Retention: Until integration disconnected or account deleted

Category: Usage data
  Data types: Feature usage events, credit consumption
  Purpose: Service operation, billing
  Retention: 12 months

3. Controller Instructions

Dacard.ai will process personal data only on documented instructions from the Controller. The Controller's use of the platform and these Terms constitute such instructions. If Dacard.ai is required by law to process data beyond those instructions, it will notify the Controller before doing so (unless legally prohibited).

4. Confidentiality

Dacard.ai will ensure that personnel authorized to process personal data are bound by confidentiality obligations. Dacard.ai will not disclose Controller data to any third party except as necessary for sub-processors (listed below) or as required by law.

5. Security Measures

Dacard.ai implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption of OAuth credentials at rest (AES-256-GCM)
  • Encryption of all data in transit (TLS 1.2+)
  • Role-based access controls on all data endpoints
  • Authentication via Clerk with email verification
  • HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Audit logging for administrative actions
  • Regular dependency updates and security patching

6. Sub-processors

The Controller authorizes Dacard.ai to engage the following sub-processors. Dacard.ai will maintain contractual data protection obligations with each sub-processor and will notify the Controller of any material changes to this list with at least 14 days' notice.

Sub-processor: Clerk, Inc.
  Role: Authentication
  Location: United States
  DPA / Transfer mechanism: SCCs

Sub-processor: Stripe, Inc.
  Role: Payment processing
  Location: United States
  DPA / Transfer mechanism: SCCs

Sub-processor: ChiselStrike (Turso)
  Role: Database
  Location: United States
  DPA / Transfer mechanism: SCCs

Sub-processor: Anthropic, PBC
  Role: AI processing (Claude API)
  Location: United States
  DPA / Transfer mechanism: SCCs

Sub-processor: PostHog, Inc.
  Role: Analytics
  Location: United States
  DPA / Transfer mechanism: SCCs

Sub-processor: Vercel, Inc.
  Role: Hosting
  Location: United States
  DPA / Transfer mechanism: SCCs

7. Data Subject Rights

Dacard.ai will assist the Controller in responding to requests from data subjects to exercise their rights (access, rectification, erasure, portability, objection). The platform provides self-serve data deletion. For other requests, contact privacy@dacard.ai.

8. Data Breach Notification

Dacard.ai will notify the Controller without undue delay (and no later than 72 hours after becoming aware) of a personal data breach affecting Controller data. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

9. Data Transfers

Where personal data is transferred outside the EEA or UK to sub-processors in the United States, such transfers are made under the EU Standard Contractual Clauses (SCCs, 2021/914/EU) or the UK IDTA as applicable. The Controller appoints Dacard.ai as its agent to enter into SCCs with sub-processors on its behalf where required.

10. Deletion and Return of Data

Upon termination of the service agreement or on Controller request, Dacard.ai will delete or return all personal data within 30 days, except where retention is required by law. The platform's Settings > Account > Delete Account feature performs immediate deletion of user data.

11. Audits

Dacard.ai will provide the Controller with information reasonably necessary to demonstrate compliance with this DPA. For enterprise customers requiring a formal audit, please contact legal@dacard.ai to arrange an appropriate process.

12. Governing Law

This DPA is governed by the laws of British Columbia, Canada. Where required by applicable data protection law, this DPA will be interpreted to comply with GDPR requirements.

Need a countersigned DPA?

Email us with your company name, the name of your data protection contact, and your jurisdiction. We will send a countersigned copy within 3 business days.