Effective May 12, 2026
This Data Processing Addendum (“DPA”) supplements the Asasi Terms of Service for customers subject to the EU GDPR, the UK GDPR, or other applicable data protection laws. By using Asasi for business purposes, you accept this DPA as part of your agreement with us.
In this DPA, you (the customer) are the data controller for personal data you provide; Asasi is the data processor.
Scope of processing
Asasi processes personal data only on your documented instructions (i.e. through your use of the Asasi platform). The categories, purposes, and duration of processing are described in our Privacy Policy.
Categories of personal data processed: account identifiers, intake form answers, generated outputs, usage telemetry. Special-category data (health, biometric, genetic, etc.) should not be submitted to Asasi.
Sub-processors
Asasi uses the following sub-processors. Each has signed a GDPR-compliant DPA with Asasi and provides Standard Contractual Clauses where data is transferred outside the EEA.
- Anthropic, PBC: LLM inference (United States). Data is not used to train models, per the Anthropic Commercial Terms.
- Supabase, Inc.: Postgres database, authentication, file storage (regions: EU and US, configurable per project).
- Vercel Inc.: application hosting and CDN (global edge network).
- Stripe, Inc.: subscription billing and payment processing (United States; payment card data is handled by Stripe and is not stored on Asasi systems).
- Resend: transactional email (United States).
- Sentry: error monitoring (United States; personal data is scrubbed from error reports before they are sent).
- PostHog: product analytics (EU region for EU customers).
We will notify customers in advance (at least 30 days) of any new sub-processor through our changelog. Customers may object within that period.
International transfers
Where personal data is transferred from the EEA / UK to a country without an adequacy decision, the transfer is governed by the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum.
Security measures
Asasi implements appropriate technical and organisational measures including:
- TLS 1.2+ encryption in transit.
- AES-256 encryption at rest (via Supabase storage layer).
- Password hashing with bcrypt; 2FA via TOTP on paid plans.
- Principle of least privilege on internal access; SSO-protected admin tools.
- Regular dependency audits and prompt patching of security advisories.
- SOC 2 Type I attestation in progress (SOC 2 produces an auditor's report, not a certification); the report will be made available under the Audits section below once issued.
Data subject requests
If a data subject contacts Asasi directly with a GDPR access, rectification, erasure, or portability request, we will refer them to you (the controller) within 5 business days unless local law requires a different course of action.
We will assist you in responding to data subject requests at no charge for requests routed through the standard product features (account export, account deletion). For requests requiring custom engineering work, reasonable costs may apply.
Breach notification
If Asasi becomes aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
Audits
Customers on the Enterprise tier may, upon reasonable notice and subject to confidentiality obligations, audit Asasi’s compliance with this DPA once per calendar year. Audits may take the form of completed security questionnaires, the most recent SOC 2 report (once available), or, where strictly necessary, on-site inspection.
Return or deletion
On termination of your subscription, Asasi will delete all personal data within 30 days, except where retention is required by law. Backups are retained for a further 90 days and then rotated out, after which the data is permanently deleted.
Contact & DPO
For all DPA-related correspondence (sub-processor objections, audit requests, data subject requests routed via Asasi): dpo@asasi.io.