Data Processing Agreement
Last updatedMarch 2025
This Data Processing Agreement (“DPA”) is offered to business or team customers (“Customer”) who use CoordlyOS and need formal terms for the processing of personal data. We act as the data controller for end-user data in our service. Where we use sub-processors, we ensure they process data in line with applicable data protection law (e.g. GDPR).
1. Roles
Controller: We (CoordlyOS / Coordly) determine the purposes and means of processing the personal data of users of our service. We are the controller for that data.
Processors: We use the following sub-processors to operate the service. Each has committed to process personal data only on our documented instructions and in accordance with applicable law:
- Supabase — authentication and database hosting. Supabase’s DPA and privacy terms apply to their processing.
- Stripe — payment processing for Pro subscriptions. Stripe’s DPA and privacy policy apply to payment-related processing.
We rely on their standard DPAs and, where relevant, Standard Contractual Clauses (SCCs) or equivalent mechanisms for international transfers.
2. Processing on behalf of Customer (if applicable)
If you are a business customer and we process personal data on your behalf (e.g. your end users or employees), then for that processing you are the controller and we act as processor. In that case: we will process personal data only on your documented instructions, assist with security and breach notification, and support your compliance with data subject rights and regulatory requests. We will make available a signable DPA upon request (contact us using the details on our website or in the app).
3. Security and confidentiality
We implement appropriate technical and organisational measures to protect personal data (e.g. encryption, access controls, secure development practices). Our personnel with access to personal data are bound by confidentiality obligations.
4. Sub-processors and international transfers
We use the sub-processors listed above. We may update the list from time to time; we will inform you of material changes. Where data is transferred outside the EEA/UK, we ensure appropriate safeguards (e.g. SCCs) are in place as required by applicable law.
5. Signable DPA
If you need a signable Data Processing Agreement (e.g. for your compliance records), please contact us. We can provide our standard DPA for execution.
6. Contact
For DPA requests or data protection questions, contact us at the email or address provided on our website or in the app (e.g. legal or privacy contact).