Compliance theater

Data Processing Agreement

We googled "what is a DPA" and this is what we came up with.

1. Definitions

"Data Controller" means you, the person who clicked "I agree" without reading anything.

"Data Processor" means Hatable, the company that will process your data in ways that would make a GDPR auditor weep.

"Sub-processor" means whoever's AWS account we're currently borrowing.

"Personal Data" means all the stuff we probably shouldn't have but definitely do.

"Processing" means ??? (our legal team left this blank and went to lunch).

2. Scope of processing

We process data for the following purposes:

  • Generating terrible apps (core business function)
  • Storing your prompts in a database we'll forget to back up
  • Making charts go up for investors
  • Unclear additional purposes (see Appendix C, which does not exist)

3. Sub-processors

We use the following sub-processors:

Sub-processor       | Purpose                | Location
Some cloud provider | Hosting (when it's up) | Probably US
An AI company       | Making the apps bad    | The cloud
Dave's laptop       | Backup database        | Dave's apartment
Unknown             | Unknown                | Unknown

4. Security measures

We implement the following technical and organizational measures to protect your data:

  • HTTPS (the lock icon makes people feel safe)
  • The database is on a private network (Dave's Wi-Fi)
  • We say "we take security seriously" on our website
  • One team member completed 40% of a cybersecurity course on Udemy

5. Data breach notification

In the event of a data breach, we will notify you within 72 hours, as required by law. Just kidding — we'll find out about the breach from Twitter like everyone else, panic for 48 hours, and then post a blog titled "An Update on Security" that says absolutely nothing.

6. International transfers

Your data may be transferred to countries that the EU considers "inadequate." We consider all countries inadequate, so at least we're consistent. We rely on Standard Contractual Clauses, which is a fancy way of saying "pinky promise."

7. Audit rights

You have the right to audit our data processing activities. To schedule an audit, please give us 90 years' notice. Audits are conducted in our office, which is a WeWork hot desk that we visit on Tuesdays (sometimes).

This DPA was generated using Hatable. It is about as legally sound as everything else we make.