Effective 1 May 2026

Data Processing Agreement

This Data Processing Agreement (DPA) supplements the Terms of Service and governs the processing of personal data by DDI - TheDesignPhase LLC on behalf of its customers.

1. Introduction

This Data Processing Agreement ("DPA") is entered into between DDI - TheDesignPhase LLC, a Wyoming limited liability company ("DDI", "Processor"), and the customer entity that has agreed to the Terms of Service ("Controller"). It supplements and forms part of the Terms of Service.

For the purposes of applicable data protection law, where DDI processes personal data on behalf of the Controller in connection with the delivery of the Platform, DDI acts as a Data Processor and the Customer acts as the Data Controller.

This DPA applies to all personal data processed by DDI on behalf of the Controller in connection with the Platform services. It is effective from the date the Controller first accepts the Terms of Service.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR Article 4(1)).

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, as defined under applicable data protection law.

"Controller" means the natural or legal person which determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person which processes personal data on behalf of the controller.

"Sub-processor" means any processor engaged by DDI to process personal data on behalf of the Controller.

All other capitalised terms used but not defined herein have the meanings given in the Terms of Service.

3. Details of Processing

Purpose of processing: DDI processes personal data for the sole purpose of delivering the Platform services to the Controller, including storing project data, facilitating design sessions, generating audit trails, and sending system notifications.

Categories of data subjects: Users of the Platform (employees, contractors, or other individuals authorised by the Controller to access the Platform); and individuals referenced in project content entered by users (e.g. stakeholder names referenced in design decisions or RAID entries).

Categories of personal data: Names and work email addresses of platform users; job titles and organisational roles; session participation and activity records; design decisions, RAID entries, and sign-off records attributable to named individuals; and any personal data contained in project content uploaded by the Controller.

Duration of processing: DDI processes personal data for the duration of the Controller's Subscription, plus 30 days following termination to allow for data export.

4. Data Security

DDI shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Encryption of personal data at rest using AES-256 and in transit using TLS 1.2 or higher; Row-Level Security (RLS) enforced at the database level to prevent cross-tenant data access; role-based access controls within the Platform with five distinct permission levels; multi-factor authentication (MFA/TOTP) support with workspace-level enforcement available; comprehensive audit logging of data access and modification events; access to personal data restricted to DDI personnel who require it for operational purposes, subject to confidentiality obligations; infrastructure hosted on Supabase and Vercel, both of which maintain SOC 2 Type II certifications.

These measures are reviewed periodically and updated as the threat landscape evolves. DDI's security practices are described in further detail at /security.

5. Sub-processors

The Controller provides general authorisation for DDI to engage sub-processors for the delivery of Platform services. DDI will notify the Controller of any new sub-processors with at least 30 days' advance notice, during which time the Controller may object in writing on reasonable grounds relating to data protection.

Current sub-processors: Supabase, Inc. (database infrastructure and authentication, hosted on AWS); Stripe, Inc. (payment processing, PCI DSS Level 1 certified); Resend, Inc. (transactional email delivery); and Vercel, Inc. (platform hosting and edge network).

DDI has entered into data processing agreements with each sub-processor that impose data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

Taking into account the nature of the processing, DDI shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, portability, and objection).

DDI will acknowledge requests for assistance within 72 hours and will provide the Controller with the information necessary to respond to data subject requests, to the extent that such information is within DDI's control.

Where a data subject contacts DDI directly with a rights request, DDI will forward the request to the Controller and will not respond to the data subject directly without the Controller's instruction, except as required by law.

7. Data Breach Notification

DDI shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data.

Such notification shall include, to the extent available at the time of notification: a description of the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate number of personal data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

The Controller is responsible for notifying relevant supervisory authorities and affected data subjects as required under applicable data protection law. DDI's notification to the Controller does not constitute an admission of fault or liability.

8. Deletion & Return

Upon termination of the Subscription for any reason, DDI will make the Controller's Customer Data available for export for 30 days following the termination date. The Controller is responsible for initiating the export during this window.

After the 30-day export window, DDI will securely delete all personal data processed on behalf of the Controller, unless retention is required by applicable law. DDI will provide written confirmation of deletion upon request.

Anonymised or aggregated data that cannot be attributed to the Controller or any individual will not be subject to this deletion obligation.

9. International Data Transfers

DDI - TheDesignPhase LLC is incorporated in Wyoming, USA. Personal data may be processed in the United States by DDI and its sub-processors. For Controllers subject to GDPR or UK GDPR, DDI relies on applicable transfer mechanisms including EU Standard Contractual Clauses (SCCs) where required.

Controllers who require copies of applicable transfer mechanism documentation may request them at support@thedesignphase.app.

10. Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions set out in the Terms of Service. DDI's total liability to the Controller under this DPA shall not exceed the fees paid by the Controller in the one (1) calendar month immediately preceding the event giving rise to the claim.

DDI shall not be liable for any breach of this DPA caused by the Controller's instructions, the Controller's failure to comply with applicable data protection law, or any acts or omissions of the Controller's own users.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of the State of Wyoming, United States of America, and forms part of the Terms of Service between the parties. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.

Any dispute arising under this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.

12. Contact & Countersigning

This DPA is incorporated by reference into the Terms of Service. For most customers, no separate countersigned agreement is required — acceptance of the Terms of Service constitutes acceptance of this DPA.

Enterprise customers who require a countersigned DPA (e.g. for procurement or compliance purposes) may request one by emailing support@thedesignphase.app. Please include your organisation name and Workspace ID in your request.

DDI - TheDesignPhase LLC | support@thedesignphase.app