Data processing addendum
DPA for B2B customers.
Last updated: April 2026. This addendum forms part of your agreement with us when your use of automatebusinessnow involves personal data of people in the EU, UK, Switzerland, or California and you are the controller of that data.
Draft — counsel review pending. Enterprise customers should request the counter-signed reviewed version from legal@automatebusiness.com.
1. Parties + roles
You are the data controller. We (Chosen Ascendance LLC dba automatebusinessnow) are the data processor. Where we act as a joint controller for analytics or billing data, we've identified that in our Privacy Policy.
2. Scope + subject matter
We process personal data only to deliver the service you've contracted for: running AI jobs, storing job history, delivering autonomous agent actions through your connected tools, and providing support. We do not process personal data for our own purposes, except aggregated de-identified metrics used to improve reliability.
3. Categories of data + data subjects
Categories of data: the prompts you send, the files you attach, the outputs we generate, the integration data your agents read/write, and the metadata we log (timestamps, employee slugs, credit usage).
Data subjects: your users, your customers, your prospects, your employees, or any natural persons whose data you choose to upload, reference, or contact through our service.
4. Instructions from you
We process personal data only on your documented instructions, including as expressed through your configuration of autonomous agents. If we believe an instruction violates applicable data protection law, we'll notify you and may suspend processing for that instruction until resolved.
5. Subprocessors
Our current subprocessors are listed in the Privacy Policy. By accepting this DPA you give us general authorization to engage those subprocessors. We'll notify you at least 30 days before adding a new subprocessor that handles personal data, and you have the right to object (continuing to use the service after objection is not deemed acceptance).
6. Security
We maintain technical + organizational measures appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest.
- Role-based access controls + least-privilege for staff.
- Row-level security isolating tenant data on the DB.
- Centralized audit logs for administrator actions.
- Annual penetration testing once we cross the threshold for it.
- Documented incident-response runbook.
7. Breach notification
If we suffer a personal-data breach affecting your data, we'll notify you without undue delay (target: within 72 hours of confirmation) with the information the GDPR requires: nature of the breach, categories and approximate number of data subjects / records, likely consequences, and measures taken.
8. International transfers
For transfers from the EEA, UK, or Switzerland to the United States (where our servers run), we rely on the EU Commission Standard Contractual Clauses (Module 2, controller-to-processor) and the UK International Data Transfer Addendum. Copies are available on request from privacy@automatebusiness.com.
9. Assistance with data-subject requests
We'll help you respond to data-subject access, deletion, correction, and portability requests. Our Settings page already lets each end user self-serve export + delete. For admin-driven requests, email us and we'll action them within 10 business days.
10. Audits
We'll share SOC 2 reports once we've completed that audit (targeted late 2026). Until then we'll respond to reasonable security-questionnaire requests and answer questions in writing. On-site audits are not practical for a remote team at our scale; we'll revisit when we grow.
11. Return or deletion on termination
When your subscription ends, we retain your data for 30 days to let you reactivate, then delete. You can self-trigger deletion at any time via Settings → Your data → Delete account. Backups follow the retention schedule in the Privacy Policy.
12. Signing + precedence
This DPA is accepted by your use of the service under a plan that requires it (enterprise or regulated-industry contracts). Paid customers on standard plans can request a counter-signed copy from legal@automatebusiness.com. Where this DPA conflicts with the Terms, this DPA controls for personal-data processing.