Resett DPA · v2026.05

Legal

Data processing agreement.

Template · Counter-signed DPA on request

This page summarizes the controller-processor terms we sign with every paying customer. The full counter-signed agreement is available on request from security@resett.dev; the summary here is plain-language and non-controlling, and the signed PDF is the document of record.

Roles

Customer is the data controller. Resett is the data processor for personal data processed on the Customer's behalf (calendar event metadata; optional Slack, Gmail, GitHub metadata; aggregate sustainability metrics). Each party complies with its respective obligations under GDPR / UK GDPR / Swiss FADP and equivalent regimes.

Scope of processing

  • Categories of data subject: Customer's employees and contractors who sign up for and use Resett.
  • Categories of personal data: account email, salted password hash, Google Calendar event times (no titles/attendees/content), opt-in Slack message counts, opt-in Gmail counts, opt-in GitHub PR titles + timestamps, audit logs.
  • Special categories (Art 9): none. The burnout-proxy “sharply_worsening” flag is derived from work-pattern metadata and is not a health-data special category under GDPR; we treat it conservatively.
  • Duration: for the term of the customer subscription plus the deletion timelines in our privacy policy.

Subprocessors

  • Google LLC — Google Calendar API (read + write of Resett-created events only), OpenID Connect for sign-in, and (opt-in) Gmail API metadata scope. Use bound by Google API Services User Data Policy Limited Use requirements (see Privacy Policy). US.
  • Fly.io, Inc. — application hosting (API, Postgres, Redis, background workers). Frankfurt (fra) region for EU/UK/CH customers. SCCs in place.
  • Vercel Inc. — front-end hosting and edge CDN, EU edge regions for EU/UK/CH customers.
  • Stripe, Inc. — payment processing. US. Standard Contractual Clauses 2021/914 in place.
  • Sentry (Functional Software, Inc.) — error reporting with PII scrub-on-send and sampled payloads. US (SCCs).
  • PostHog Inc. — product analytics, served from PostHog's EU instance for EU customers, with IP anonymization on; the analytics client is not loaded for EU/UK/CH data subjects until they consent.
  • Twilio SendGrid (or equivalent SMTP provider) — transactional email. US (SCCs).

We notify Customer at least 14 days before adding or replacing any subprocessor; Customer may object to, and terminate in respect of, the specific subprocessor concerned, as set out in the signed DPA.

Security measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • OAuth tokens are additionally encrypted at the application layer with a per-deployment key held separately from the storage-encryption key.
  • Least-privilege production access: restricted to background-checked engineers, scoped to incident response, gated by 2FA, time-limited, and logged on every access.
  • Append-only audit log for security-sensitive actions (registration, login, leader dashboard views, exports, account deletion).
  • SOC 2 Type 1: readiness assessment in progress; auditor not yet engaged. Honest current state — we will mark this as “in flight” only when an auditor is signed and as “achieved” only when the report is in hand.
  • ISO 27001 / 27701: not yet pursued; will follow SOC 2.
  • Penetration testing: annual third-party test, plus a test before launch and after any material architectural change; the first test is scheduled.

Brain OS specifics

  • Aggregate-only leader view. No user_id or identifier of any kind appears in cross-team response payloads.
  • Cohort threshold enforced at N ≥ 5. Smaller cohorts grey out entirely; the gate is enforced server-side and tested.
  • Optional integrations (Slack, Gmail metadata, GitHub PRs) require per-user opt-in stored in user_consents.
  • Manager visibility of the burnout-proxy flag is off by default for EU/UK/CH users and on by default elsewhere, with a one-click opt-out; every change to this setting is audit-logged.
  • Machine-readable privacy manifest available via GET /public/brainos/methodology.
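As an added illustration of the kind of server-side gate the list above describes (this is example code, not Resett's own implementation; the row fields, metric names, the `user_consents`-style opt-in marker and the response shape are all assumed), the function below aggregates per-team work-pattern rows, suppresses any cohort below N = 5 without emitting even its headcount, applies the same threshold separately to an opt-in metric so that a handful of consenting users cannot be singled out, and refuses to return any payload that carries an identifier key or a known user_id as a value:

```python
"""Aggregate-only leader view with a k-anonymity-style cohort gate.

Added example, not Resett's code. Assumptions (not from the page): the
per-user row fields, the metric names, that an opt-in metric is simply
absent from a row when the user has no consent record, and the shape of
the response payload.
"""
from collections import defaultdict
from statistics import mean

K_MIN = 5  # cohort threshold from the page: smaller cohorts grey out entirely

# Keys that must never appear anywhere in a cross-team payload (assumed list).
IDENTIFIER_KEYS = {"user_id", "email", "name"}

# Constructed sample input (not real data). "slack_messages" is present only
# where the user has opted in, standing in for a per-user consent record.
SAMPLE_ROWS = [
    {"user_id": "u01", "team": "platform", "late_hours": 1.5, "sharply_worsening": False, "slack_messages": 40},
    {"user_id": "u02", "team": "platform", "late_hours": 3.0, "sharply_worsening": True,  "slack_messages": 55},
    {"user_id": "u03", "team": "platform", "late_hours": 0.5, "sharply_worsening": False},
    {"user_id": "u04", "team": "platform", "late_hours": 2.0, "sharply_worsening": False, "slack_messages": 20},
    {"user_id": "u05", "team": "platform", "late_hours": 4.0, "sharply_worsening": True,  "slack_messages": 80},
    {"user_id": "u06", "team": "platform", "late_hours": 1.0, "sharply_worsening": False, "slack_messages": 10},
    {"user_id": "u07", "team": "design",   "late_hours": 2.5, "sharply_worsening": True},
    {"user_id": "u08", "team": "design",   "late_hours": 0.0, "sharply_worsening": False},
    {"user_id": "u09", "team": "design",   "late_hours": 1.0, "sharply_worsening": False},
]


def aggregate_cohort(members, k_min=K_MIN):
    """Aggregate one cohort that has already passed the size gate."""
    n = len(members)
    out = {
        "n": n,
        "avg_late_hours": round(float(mean([m["late_hours"] for m in members])), 2),
        "share_sharply_worsening": round(sum(1 for m in members if m["sharply_worsening"]) / n, 2),
    }
    # Opt-in metric: aggregate only over consenting users, and apply the same
    # threshold to that subset so the metric cannot single out the few who opted in.
    consented = [m["slack_messages"] for m in members if "slack_messages" in m]
    if len(consented) >= k_min:
        out["avg_slack_messages"] = round(float(mean(consented)), 1)
    return out


def assert_no_identifiers(obj, known_ids):
    """Walk a payload; refuse identifier keys or any value equal to a known user_id."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in IDENTIFIER_KEYS:
                raise ValueError(f"identifier key {key!r} in aggregate payload")
            assert_no_identifiers(value, known_ids)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            assert_no_identifiers(value, known_ids)
    elif isinstance(obj, str) and obj in known_ids:
        raise ValueError(f"user identifier {obj!r} in aggregate payload")


def build_leader_view(rows, k_min=K_MIN):
    """Build the cross-team payload; the gate runs here, on the server, not in the UI."""
    by_team = defaultdict(list)
    for row in rows:
        by_team[row["team"]].append(row)
    payload = []
    for team in sorted(by_team):
        members = by_team[team]
        if len(members) < k_min:
            # Greyed out entirely: no metrics and no exact headcount, since a
            # count of 1 or 2 would itself identify people.
            payload.append({"team": team, "suppressed": True, "min_cohort": k_min})
        else:
            payload.append({"team": team, "suppressed": False, **aggregate_cohort(members, k_min)})
    # Last line of defence: fail closed rather than ship an identifier.
    assert_no_identifiers(payload, {r["user_id"] for r in rows})
    return payload


if __name__ == "__main__":
    for cohort in build_leader_view(SAMPLE_ROWS):
        print(cohort)
```

Two caveats a reviewer of such a gate would raise. First, a size threshold limits re-identification by membership, not by extreme values: a cohort of exactly five whose `share_sharply_worsening` is 1.0 still tells the viewer about every member, so a real deployment should decide how to handle shares of 0 and 1 at the minimum size. Second, the threshold has to be applied to every subset that is reported separately (an opt-in metric, a filter, a date range), which is why the example re-checks the consenting subset rather than inheriting the team's pass.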

Sub-processor flow-down

We require all subprocessors to provide written commitments substantially equivalent to those in this DPA. Where transfer to third countries is involved, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by a Transfer Impact Assessment we share on request.

Data subject requests

We assist Customer in responding to data subject access, rectification, erasure, restriction, portability, and objection requests. Data subjects can exercise these rights directly through the self-service controls in /app/settings; controller-routed requests can be sent to privacy@resett.dev.

Breach notification

We notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach affecting Customer data, with the information required under GDPR Art 33(3).

Termination & deletion

On termination of the master subscription, we delete all Customer personal data within 30 days, except where we are required by law to retain a subset (e.g. billing records for 7 years). A certificate of deletion is available on request.

Request the signed DPA at security@resett.dev.