1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Controller" means the Customer who determines the purposes and means of Processing Personal Data.
- "Processor" means JustAutomateIt, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Services" means the JustAutomateIt platform and related services provided under the Terms of Service.
2. Scope and Purpose of Processing
This DPA applies to all Processing of Personal Data by JustAutomateIt on behalf of the Customer in connection with the Services. The details of Processing are as follows:
| Detail | Description |
|---|---|
| Subject matter | Provision of business automation, data integration, and analytics services as described in the Terms of Service. |
| Duration | For the duration of the Customer's use of the Services, plus any retention period required by law or agreed upon. |
| Nature and purpose | Processing Customer Data to provide automation workflows, data integrations, analytics dashboards, and AI-assisted insights as configured by the Customer. |
| Categories of Data Subjects | Customer's employees, end users, clients, contacts, and any other individuals whose data is submitted to the Services by the Customer. |
| Types of Personal Data | Names, email addresses, phone numbers, job titles, business data, usage data, IP addresses, and any other Personal Data submitted by the Customer through the Services. |
3. Obligations of the Processor
JustAutomateIt shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by applicable law.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 5.
- Respect the conditions for engaging Sub-processors, as described in Section 6.
- Assist the Controller, taking into account the nature of Processing, by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to Data Subject requests.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections.
4. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for processing Personal Data and providing it to JustAutomateIt.
- Provide documented instructions to JustAutomateIt regarding the Processing of Personal Data.
- Be responsible for the accuracy, quality, and legality of the Personal Data provided.
- Comply with its obligations under applicable data protection laws, including providing appropriate notices to Data Subjects.
5. Security Measures
JustAutomateIt implements and maintains appropriate technical and organisational measures to protect Personal Data, including but not limited to:
- Encryption: TLS 1.2 or higher for data in transit; AES-256 encryption for data at rest.
- Access Control: Role-based access control (RBAC), multi-factor authentication, and the principle of least privilege.
- Infrastructure: Hosted on infrastructure providers holding SOC 2 Type II attestation reports (Supabase/AWS), with redundancy and failover.
- Monitoring: Continuous security monitoring, intrusion detection, and automated alerting.
- Data Isolation: Logical tenant separation ensuring that Customer data is isolated from the data of other customers.
- Backup & Recovery: Regular automated backups with tested disaster recovery procedures.
- Vulnerability Management: Regular security assessments, dependency scanning, and timely patching.
- Personnel: Background checks, security training, and confidentiality agreements for all staff.
For full details, see our Security & Compliance documentation.
6. Sub-processors
The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall:
- Inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.
- Ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
- Remain fully liable for the acts and omissions of its Sub-processors.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and backend services | US / EU (AWS) |
| Vercel | Application hosting and edge delivery | Global (AWS) |
| Stripe | Payment processing | US / EU |
| Google Cloud | OAuth authentication services | Global |
| GitHub | OAuth authentication services | US |
| Anthropic | AI assistant (Claude models) | US |
| OpenAI | AI assistant (GPT models) | US |
| Google (Gemini) | AI assistant (Gemini models) | US |
| xAI | AI assistant (Grok models) | US |
| OpenRouter | AI model routing | US |
| Resend | Transactional email delivery | US |
| n8n | Workflow automation engine | EU (self-hosted) |
For the full list with compliance certifications, see our Subprocessors page. To receive notifications of changes, contact us at support@just-automate-it.org.
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that:
- Transfers are made to countries recognised by the European Commission as providing an adequate level of protection; or
- Appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) adopted by the European Commission; or
- A valid derogation under Article 49 GDPR applies.
Where Sub-processors are located in the United States, transfers rely on the EU-US Data Privacy Framework where the Sub-processor is certified under it, and otherwise on EU Standard Contractual Clauses.
8. Data Subject Rights
JustAutomateIt shall assist the Controller in responding to Data Subject requests to exercise their rights under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / right to be forgotten (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such request without the Controller's prior written authorisation unless required by law.
9. Data Breach Notification
In the event of a Personal Data breach, JustAutomateIt shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Provide sufficient information to allow the Controller to meet its obligations under Articles 33 and 34 GDPR, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audits and Inspections
JustAutomateIt shall make available to the Controller, on request, all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.
The Controller (or an appointed third-party auditor) may conduct audits and inspections, subject to:
- Reasonable prior written notice (minimum 30 days)
- Audits conducted during normal business hours
- The auditor entering into appropriate confidentiality obligations
- The scope being limited to the Processing activities covered by this DPA
Where available, JustAutomateIt may provide SOC 2 reports, penetration test summaries, or other independent audit reports to satisfy audit requests.
11. Data Retention and Deletion
Upon termination of the Services or at the Controller's written request, JustAutomateIt shall:
- Return all Personal Data to the Controller in a commonly used, machine-readable format, or delete all Personal Data, including any copies, within 30 days of the request, unless applicable law requires continued storage; and
- Certify in writing, on request, that deletion has been completed.
12. Term and Termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. It automatically terminates when the Services agreement ends, subject to the Processor's obligations regarding data deletion and return as described in Section 11. The obligations under this DPA survive termination to the extent necessary to protect Personal Data.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws provisions. Where the Controller is established in the EEA, GDPR shall apply regardless of the governing law.
14. Contact
For questions about this DPA or to exercise any rights, please contact:
JustAutomateIt
Data Protection Contact