Data Processing Addendum (DPA)

Version 1.0 · Effective 5 March 2026 · Last updated 5 March 2026

1. Parties and Relationship

This Data Processing Addendum (“DPA”) forms part of the Terms of Use or any applicable subscription or enterprise agreement between The Progress Collective (“Processor”, “we”, “us”) and the customer entity (“Controller”, “you”).

Where applicable data protection laws use different terminology, the parties intend that “Controller” and “Processor” have the equivalent meaning.

2. Scope

This DPA applies to the processing of personal data by The Progress Collective on behalf of the Controller in connection with providing the Services.

3. Processing Details

Subject matter: provision of the Services (hosting, authentication, storage, AI-enabled generation, support)
Duration: for the term of the agreement, plus any retention period described in the Privacy Policy
Nature of processing: collection, storage, retrieval, use, disclosure (to subprocessors), deletion
Categories of data subjects: users, administrators, customer personnel, and other individuals included in customer content
Types of personal data: account identifiers (name, email), usage metadata, and customer-submitted content that may contain personal data

4. Controller Responsibilities

The Controller is responsible for:

ensuring it has a lawful basis to collect and provide personal data to the Services
ensuring appropriate notices and permissions are provided to data subjects
ensuring the accuracy, quality, and legality of the data submitted
configuring access and user permissions appropriately

5. Processor Obligations

The Processor will:

process personal data only on documented instructions from the Controller (including as necessary to provide the Services)
ensure personnel authorised to process data are bound by confidentiality obligations
implement appropriate technical and organisational measures to protect personal data
notify the Controller of a confirmed personal data breach where required by applicable law

6. Security Measures

The Processor maintains safeguards designed to protect personal data, including:

encrypted HTTPS/TLS communications
secure authentication and access controls
restricted access to production systems
monitoring and operational security practices

7. Subprocessors

The Controller authorises the use of subprocessors as necessary to provide the Services. Subprocessors may include providers of:

hosting and infrastructure (e.g. Render)
database, authentication, and storage (e.g. Supabase)
payments and subscriptions (e.g. Stripe)
AI processing technology providers
email delivery and communications providers
analytics and monitoring providers

The Processor will require subprocessors to protect personal data through contractual obligations consistent with this DPA.

8. International Transfers

Personal data may be processed in countries other than the Controller’s country. Where required by applicable law, the parties will rely on appropriate safeguards for international transfers (such as contractual protections) to enable the provision of the Services.

9. Data Subject Requests

Taking into account the nature of processing, the Processor will provide reasonable assistance to the Controller to respond to requests from individuals to access, correct, or delete personal data, to the extent required by applicable law.

10. Deletion and Return

Upon termination of the Services, the Processor will delete or return personal data in accordance with the agreement and our data retention practices, unless retention is required by law.

11. Order of Precedence

If there is a conflict between this DPA and the Terms of Use (or enterprise agreement), this DPA will govern solely with respect to data processing obligations.

12. Contact

For DPA or data processing enquiries:
support@theprogresscollective.com