
Data Processing Agreement

GDPR Article 28 compliant. Covers all Staffinity clients processing personal data of EU/EEA residents.

Effective: May 15, 2026
Jurisdiction: EU/EEA + US SCCs
Standard: GDPR Art. 28 (EU) 2016/679
Governs: All Staffinity SaaS Processing
Self-service DPA: This DPA is available on a click-to-accept basis as part of the Staffinity Master Service Agreement. Enterprise clients requiring a countersigned PDF or custom terms may contact privacy@staffinity.io.

§1 Parties

Effective May 15, 2026

This Data Processing Agreement ("DPA") is entered into between:

Data Processor
Staffinity, Inc.
A corporation organized under the laws of the United States
Contact: privacy@staffinity.io
Security inquiries: security@staffinity.io
Data Controller
The Client
The entity or individual who has entered into a Staffinity Master Service Agreement or Order Form, identified therein as the "Customer" or "Client."

Together referred to as the "Parties." This DPA forms part of and is incorporated into the Staffinity Master Service Agreement ("MSA") or applicable Order Form. In the event of a conflict between this DPA and the MSA, this DPA shall prevail with respect to the processing of Personal Data.

§2 Scope & Duration

2.1 Subject Matter

This DPA governs the processing of Personal Data by Staffinity ("Processor") on behalf of the Client ("Controller") in connection with Staffinity's AI workplace agent platform, including Teams/Slack integration, orchestration infrastructure, knowledge retrieval (RAG), scheduling, and related services (collectively, the "Services"), as described in Annex B.

2.2 Nature of Processing

Processing activities include: collection, storage, transmission, retrieval, use, and deletion of Personal Data submitted by or on behalf of the Controller through the Services. Personal Data is processed solely to provide the Services and not for Staffinity's own purposes.

2.3 Duration

This DPA is effective from the date the Client accepts the MSA or Order Form and remains in force for the duration of the Services. Upon termination, Section 10 (Data Deletion) applies.

2.4 Role Clarification

The Client is the Data Controller; Staffinity is the Data Processor. Staffinity processes Personal Data only on documented instructions from the Controller, except where required to do so by applicable law. Where Staffinity reasonably believes an instruction infringes GDPR or other applicable data protection law, Staffinity shall promptly inform the Controller.

§3 Controller Obligations

The Controller represents and warrants that:

  1. It has a valid legal basis under GDPR Article 6 (and Article 9, where applicable) for each processing activity carried out under this DPA.
  2. It has provided all required notices to and, where necessary, obtained all required consents from, Data Subjects whose Personal Data is processed under this DPA.
  3. It shall not instruct the Processor to process Personal Data in any manner that would cause the Processor to violate applicable law.
  4. It shall cooperate with the Processor to facilitate Data Subject rights requests as described in Section 7.
  5. It shall promptly notify the Processor of any changes in applicable law that materially affect the processing activities under this DPA.
  6. It will conduct and maintain, where required, a Data Protection Impact Assessment (DPIA) for high-risk processing activities, and consult the Processor as reasonably required.

§4 Processor Obligations

4.1 Instructions

Staffinity shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable Union or Member State law. Staffinity shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

4.2 Confidentiality

Staffinity shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it for the performance of the Services.

4.3 Security

Staffinity shall implement and maintain appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk, including those set out in Annex A. Staffinity's security measures are informed by ISO 27001 controls, the AWS Well-Architected Framework, and CSA STAR requirements.

4.4 No Secondary Use

Staffinity shall not process Personal Data for any purpose other than providing the Services. Client data is never used to train AI models; this is contractually enforced through Staffinity's agreements with all AI model providers.

4.5 Assistance

Taking into account the nature of processing, Staffinity shall assist the Controller by appropriate technical and organizational measures, in fulfilling the Controller's obligations to respond to Data Subject rights requests, and in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation).

4.6 Records

Staffinity shall maintain records of all processing activities carried out on behalf of the Controller, as required by GDPR Article 30(2), and make these available to the Controller upon request.

§5 Sub-Processors

The Controller provides general authorization for Staffinity to engage sub-processors. Staffinity shall impose data protection obligations on sub-processors equivalent to those set out in this DPA, by way of written contract. Staffinity remains fully liable to the Controller for the performance of sub-processors' obligations.

Staffinity shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance via email to the Controller's registered contact, giving the Controller opportunity to object. The current list of authorized sub-processors is:

Sub-Processor: Amazon Web Services (AWS)
Entity: Amazon.com, Inc., Seattle, WA, USA
Purpose: Cloud infrastructure, ECS compute, RDS (pgvector), ElastiCache, S3, KMS, CloudWatch, GuardDuty. All processing in us-east-2 (Ohio) by default, or any AWS EU region (e.g. eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris) for EU-based clients, selected at deployment.
Data Location: US or EU depending on client region
Safeguards: ISO 27001; SOC 2 Type II; GDPR DPA; EU SCCs

Sub-Processor: Anthropic, PBC
Entity: San Francisco, CA, USA
Purpose: AI inference (Claude Sonnet). Message content is sent to the Anthropic API for response generation. No data is used to train models under the Anthropic Enterprise Agreement.
Data Location: USA (Anthropic API)
Safeguards: Enterprise DPA; GLBA Addendum; EU SCCs; No model training

Sub-Processor: Microsoft Corporation
Entity: Redmond, WA, USA
Purpose: Microsoft Teams channel delivery, Microsoft Graph API (for SharePoint, Entra ID authentication). Employee identity data (AAD Object IDs, display names) processed for authorization only.
Data Location: EU/US (Microsoft EU Data Boundary for EU clients)
Safeguards: ISO 27001; SOC 2 Type II; GDPR DPA; EU Data Boundary

Sub-Processor: Perplexity AI, Inc.
Entity: San Francisco, CA, USA
Purpose: Web search tool (optional feature). When agents perform web searches, queries are sent to the Perplexity API. Search queries may contain context from user messages. This sub-processor is only active when the web search capability is enabled.
Data Location: USA
Safeguards: Perplexity DPA; EU SCCs; No model training

Sub-Processor: Cloudflare, Inc.
Entity: San Francisco, CA, USA
Purpose: DNS, CDN, and DDoS protection for staffinity.io domains. Cloudflare processes IP addresses and HTTP metadata; it does not process message content.
Data Location: Global edge (metadata only)
Safeguards: ISO 27001; SOC 2 Type II; GDPR DPA

Note for HIPAA clients: Standard Perplexity and Anthropic DPAs do not constitute Business Associate Agreements (BAAs). HIPAA-enabled deployments require separate BAA negotiations with these providers. Contact privacy@staffinity.io before processing Protected Health Information.

§6 International Data Transfers

6.1 EU/EEA to USA

Staffinity's primary AI inference provider (Anthropic) and web search provider (Perplexity) are based in the United States. Transfers of Personal Data from the EU/EEA to these providers are governed by Standard Contractual Clauses (SCCs) in accordance with Commission Implementing Decision (EU) 2021/914 ("2021 SCCs"), specifically the Module 2 (Controller to Processor) clauses.

6.2 EU-Resident Clients: Data Residency Option

Clients with EU data residency requirements may request deployment in any AWS EU region (including eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris, eu-north-1 Stockholm, and others). The specific region is agreed at deployment time and documented in the applicable Order Form. In this configuration, all infrastructure-layer processing (compute, storage, databases, caching) occurs within the EU. AI inference (Anthropic) continues to involve US-based processing under SCCs as described above.

6.3 Transfer Impact Assessment

Staffinity has conducted a Transfer Impact Assessment (TIA) for transfers to Anthropic and Perplexity. Key findings: (a) data transferred consists of conversational messages, not special categories of data; (b) Anthropic and Perplexity operate under robust security controls and comply with applicable US federal privacy laws; (c) SCCs provide adequate safeguards in conjunction with supplementary technical measures including TLS 1.3 in transit and AES-256 at rest. The TIA is available to Controllers upon request under NDA.

6.4 No Unauthorized Third-Country Transfers

Staffinity shall not transfer Personal Data to any third country or international organization not listed in Section 5 without the prior written consent of the Controller and without ensuring that an appropriate safeguard under GDPR Chapter V is in place.

§7 Data Subject Rights

Where Staffinity receives a request directly from a Data Subject exercising their rights under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection), Staffinity shall:

  • Not respond independently to the Data Subject, but promptly forward the request to the Controller;
  • Assist the Controller in responding to the request, providing relevant technical and organizational assistance as reasonably required;
  • Not charge the Controller for standard assistance in responding to Data Subject requests (reasonable costs may apply for large-scale export or complex technical operations).

Staffinity's platform is designed to support the Controller's compliance with Data Subject rights, including:

  • Right of access: Conversation history and stored data retrievable on request;
  • Right to erasure: Staffinity will delete all Personal Data for a given user upon documented Controller instruction within 30 days;
  • Right to restriction: Processing for specific users can be suspended on instruction;
  • Data portability: Export of conversation history available in JSON format on request.

§8 Breach Notification

8.1 Processor Notification

In the event of a Personal Data Breach (as defined in GDPR Article 4(12)) affecting Personal Data processed under this DPA, Staffinity shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach. This timeline supports the Controller's obligation to notify the competent supervisory authority within 72 hours under GDPR Article 33.

8.2 Notification Content

Breach notification shall include, to the extent available at the time of notification:

  • A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of records concerned;
  • The name and contact details of the Data Protection contact at Staffinity;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

8.3 Cooperation

Staffinity shall cooperate fully with the Controller and take such steps as may be reasonably required to assist in the investigation, mitigation, and remediation of a breach. Notification to the Controller does not constitute an admission of fault or liability by Staffinity.

8.4 Security Contact

All security and breach matters should be directed to: security@staffinity.io. Staffinity maintains a 24/7 incident response process monitored via AWS GuardDuty, CloudWatch Synthetics canaries, and automated alerting.

§9 Audit Rights

9.1 Documentation

Staffinity shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and GDPR Article 28. This includes providing access to: this DPA and associated annexes; Staffinity's sub-processor agreements (subject to redaction of commercially sensitive terms); security certifications and audit reports; and processing records under GDPR Article 30(2).

9.2 Third-Party Audit Reports

Staffinity shall provide, upon written request and under NDA, copies of available third-party audit reports and certifications, including: the CSA STAR Level 1 self-assessment; the AWS Well-Architected Framework Review (publicly available at trust.staffinity.io); and, once completed, the SOC 2 Type I audit report.

9.3 On-Site Audits

In the event that the Controller reasonably determines that third-party reports do not provide sufficient assurance, the Controller may conduct (or appoint a qualified third-party auditor to conduct) an audit of Staffinity's processing operations, subject to: (a) a minimum of 30 days written notice; (b) the audit occurring during normal business hours; (c) the auditor being subject to confidentiality obligations; and (d) reimbursement by the Controller of Staffinity's reasonable costs. Audits may not occur more than once per calendar year absent a documented security incident.

§10 Data Deletion & Return

10.1 Upon Termination

Upon termination of the MSA or upon written request of the Controller, Staffinity shall, at the Controller's election, either:

  • Delete all Personal Data processed under this DPA, including any copies thereof held by sub-processors, within 30 days; or
  • Return all Personal Data to the Controller in a portable format (JSON or CSV), whereupon Staffinity shall delete all copies within 30 days of confirmed receipt by the Controller.

10.2 Retention for Legal Obligations

Notwithstanding Section 10.1, Staffinity may retain Personal Data to the extent required by applicable law (including audit log data required for regulatory compliance). Any such retained data shall be subject to the confidentiality and security obligations of this DPA and deleted as soon as the legal obligation ceases to apply. Staffinity shall notify the Controller of any such retained data and the applicable legal basis.

10.3 Certification

Upon completion of deletion, Staffinity shall provide the Controller with written certification that all Personal Data has been deleted or returned in accordance with this Section.

Annex A Technical & Organizational Measures (TOMs)

Current as of May 15, 2026; reviewed annually

Staffinity implements the following technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage:

Encryption at Rest
All data encrypted with AES-256. Per-client AWS KMS Customer Managed Keys (CMKs) with annual rotation. Separate CMKs for each client account (no shared keys).

Encryption in Transit
TLS 1.3 enforced on all connections. ELBSecurityPolicy-TLS13-1-2-2021-06. HTTP redirected to HTTPS. Redis connections TLS-only (port 6380).

Account-Level Isolation
Each enterprise client is provisioned in a dedicated AWS account. No shared compute, storage, databases, or encryption keys between clients. Physical account separation.

Network Security
VPC isolation with NAT gateway, security groups, and NACLs. AWS WAF on all public endpoints. No direct internet access to compute or databases. VPC Link for internal service communication.

Identity & Access
Microsoft Entra ID authentication with MFA enforcement. Conditional Access policies. Intune MDM compliance. Quarterly access reviews. Principle of least privilege enforced.

Threat Detection
AWS GuardDuty enabled (S3 + malware protection). AWS Config compliance rules. EventBridge alerts to SNS. CloudWatch Synthetics health monitoring. Security alerts to on-call personnel.

Audit Logging
Immutable audit trail: DynamoDB + S3 WORM (Object Lock COMPLIANCE, 7-year retention). CloudTrail data events. Queryable via Athena. Logs encrypted with CMK.

PII Detection
Automated PII detection layer on all inbound/outbound data (SSN, credit cards, health data, 20+ pattern types). HIPAA-extended patterns for healthcare clients. Audit-logged on detection.

Prompt Injection Protection
External content wrapped with boundary markers before AI processing. Rate limiting (30/min, 200/hr per user). Input validation and sanitization at middleware layer.

Backup & Recovery
3-tier backup: daily/35d, weekly/90d, monthly/1yr. DynamoDB PITR enabled. RTO <15 min, RPO near-zero. Deletion protection enabled on all production databases.

Supply Chain Security
ECR image scanning (scanOnPush=true). Tag immutability on all image repositories. Pinned image digests in production task definitions. No untrusted registries.

Personnel Measures
All personnel with data access subject to confidentiality obligations. Annual security training. Background checks on employees with system access. Access revocation within 24h of role change.

Annex B Processing Details

Categories of Data Subjects

  • The Controller's employees, contractors, and authorized users who interact with the Staffinity AI agent via Microsoft Teams, Slack, or other connected channels;
  • Third parties whose Personal Data may be incidentally referenced in communications processed by the platform (e.g., contacts, customers mentioned in messages).

Categories of Personal Data

  • Identity data: Name, email address, Microsoft/Entra ID object ID, display name, department;
  • Interaction data: Message content, timestamps, conversation history, file attachments processed by the agent;
  • Usage data: Session identifiers, feature usage metrics, error logs (no content stored in metrics);
  • Preference data: User-expressed preferences and settings stored in agent memory;
  • Special categories: Not intentionally collected. HIPAA-sensitive data only processed under separate BAA and with explicit client configuration.

Processing Operations

  • Authentication and authorization via Microsoft Entra ID;
  • Storage and retrieval of conversation history (Redis, DynamoDB; 7-day rolling window);
  • AI inference: forwarding of message context to Anthropic Claude for response generation;
  • Knowledge retrieval: semantic search against client-provided documents (RAG, pgvector);
  • Optional web search: forwarding of search queries to Perplexity API;
  • Scheduling and task execution via EventBridge and Lambda;
  • Audit logging: metadata-only records (no message content in audit logs);
  • PII detection and flagging at middleware layer.

Retention Periods

  • Conversation history: 7-day rolling retention in Redis; DynamoDB with configurable TTL;
  • Audit logs: 7 years (WORM-protected S3 archive);
  • User preferences: Duration of service agreement;
  • Knowledge base (RAG) documents: As configured by Controller; deleted on termination;
  • Backup data: Per backup tier (max 1 year for monthly backups).

Annex C Standard Contractual Clauses (SCCs)

Applicable Framework

For transfers of Personal Data from the European Union / European Economic Area to Staffinity (established in the United States) or to US-based sub-processors (Anthropic, Perplexity), the Parties agree that the Standard Contractual Clauses adopted by the European Commission via Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this DPA as follows:

  • Module 2 (Controller to Processor) applies to transfers from the Controller (EU/EEA entity) to Staffinity;
  • Module 3 (Processor to Processor) applies to onward transfers from Staffinity to US-based sub-processors (Anthropic, Perplexity).

Clause 7: Docking Clause

The docking clause of the 2021 SCCs (Clause 7) is activated, allowing additional controllers or processors to accede to the SCCs as required during the term of this DPA without requiring a new DPA to be negotiated.

Clause 9: Sub-Processors

Option 2 (General Written Authorization) applies. Staffinity provides general authorization as described in Section 5 of this DPA, with 30 days advance notice of changes.

Clause 11: Redress

The optional redress mechanism is not activated. Data Subjects shall exercise rights through the Controller as described in Section 7 of this DPA.

Clause 17: Governing Law

The SCCs shall be governed by the law of the EU Member State in which the Controller is established. For Controllers not established in an EU Member State, the SCCs shall be governed by the law of the Republic of Ireland.

Clause 18: Jurisdiction

Any disputes arising from the SCCs shall be resolved by the courts of the EU Member State in which the Controller is established, or, for Controllers not established in an EU Member State, the courts of the Republic of Ireland.

UK GDPR Addendum

For transfers subject to UK GDPR (post-Brexit), the International Data Transfer Addendum issued by the UK Information Commissioner's Office (ICO), version B1.0, is incorporated into the SCCs. The Parties agree to all compulsory clauses and select: (a) Table 1: as specified in this DPA; (b) Table 2: 2021 SCCs Module 2; (c) Table 4: Processor.

Full SCC text: The complete, unmodified text of the 2021 SCCs is available from the European Commission at commission.europa.eu. Staffinity provides a countersigned copy with Annexes I–III populated upon request to privacy@staffinity.io.

General Provisions

Liability

Each Party's liability under this DPA shall be subject to the limitations and exclusions set out in the MSA, to the extent permitted by applicable law. Nothing in this DPA limits either Party's liability for death, personal injury, fraud, or any liability that cannot be limited by applicable law.

Amendments

Staffinity may update this DPA to reflect changes in applicable law or to its processing activities. Material changes will be communicated to the Controller at least 30 days before taking effect. Continued use of the Services after the effective date constitutes acceptance. For clients with countersigned DPAs, amendments require mutual written agreement.

Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The Parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves, as closely as possible, the same purpose.

Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to conflict of law provisions, except to the extent that the SCCs in Annex C specify a different governing law for cross-border transfer purposes.

Contact

Questions regarding this DPA should be directed to: privacy@staffinity.io

Need a Countersigned DPA?

Enterprise clients requiring a countersigned PDF, custom annexes, or BAA (for HIPAA use cases) can request one directly. We turn around standard DPAs within 3 business days.
