Data Processing Agreement

1. Definitions

"Agreement" means this Data Processing Agreement and any schedules attached.

"Company" means the business or agency that has entered into a service agreement with DayClerk.

"Processor" / "DayClerk" means Miguel Rosario, operating as DayClerk, New York, NY.

"Services" means the AI-powered marketing campaign generation platform provided at dayclerk.com.

"Personal Data" means any information relating to an identified or identifiable natural person that the Company uploads or processes through the Services.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Applicable Data Protection Laws" means all applicable US federal and state data protection and privacy laws, including the New York SHIELD Act, the California Consumer Privacy Act (CCPA), and any sector-specific laws applicable to the Company's industry.

2. Roles and Processing Obligations

The Company is the data controller of any Personal Data it provides to DayClerk through the Services. DayClerk acts as a data processor, processing Personal Data only on behalf of and under the instructions of the Company.

DayClerk shall process Personal Data only as necessary to provide the Services described in the applicable service agreement, and shall not process Personal Data for any other purpose without the Company's prior written consent.

DayClerk shall promptly notify the Company if it receives instructions that, in its reasonable judgment, violate Applicable Data Protection Laws.

3. Personnel and Confidentiality

DayClerk shall ensure that any personnel authorized to process Personal Data on behalf of the Company are subject to appropriate confidentiality obligations and are informed of the applicable data protection requirements.

Access to Personal Data shall be limited to personnel who require such access for the purposes of providing the Services.

4. Security Measures

DayClerk shall implement and maintain reasonable and appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

Encryption of data in transit (TLS) and at rest
Access controls and authentication requirements
Use of infrastructure providers with SOC 2 Type II certifications (Supabase, Vercel, Resend)
Anthropic API usage with default no-retention policy for API inputs
Regular security assessments of infrastructure and access controls

DayClerk shall take reasonable steps to ensure that any third-party subprocessors it engages maintain equivalent security standards.

5. Subprocessors

The Company authorizes DayClerk to engage the following subprocessors in connection with the Services:

Anthropic — AI content generation (campaign briefs and audience descriptions only; API inputs not retained for model training by default)
Supabase — Database and authentication infrastructure (US region; SOC 2 Type II)
Vercel — Application hosting (SOC 2 Type II)
Resend — Transactional email delivery (SOC 2 Type II)

DayClerk shall notify the Company of any intended changes to this list of subprocessors and provide the Company a reasonable opportunity to object. DayClerk shall enter into written agreements with subprocessors that impose data protection obligations no less protective than those in this Agreement.

6. Data Subject Rights

DayClerk shall, to the extent reasonably practicable and consistent with applicable law, assist the Company in responding to requests from individuals exercising their rights under Applicable Data Protection Laws (including rights to access, correction, deletion, and data portability). DayClerk shall promptly forward to the Company any such requests it receives directly from individuals whose data it processes on the Company's behalf.

7. Personal Data Breach Notification

DayClerk shall notify the Company without undue delay, and in no event later than 72 hours after becoming aware, of any confirmed or reasonably suspected breach involving Personal Data processed under this Agreement. Notification shall include, to the extent known at the time: a description of the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and measures taken or proposed to address the breach.

8. Data Deletion and Return

Upon termination of the service agreement, or upon the Company's written request, DayClerk shall delete or return all Personal Data processed under this Agreement within 10 business days, and shall certify such deletion in writing upon request.

DayClerk may retain Personal Data beyond this period only to the extent required by applicable law, and shall notify the Company of such retention and the legal basis for it.

9. Audit Rights

Upon reasonable written notice (no less than 30 days), DayClerk shall cooperate with the Company's reasonable requests to audit or inspect DayClerk's data processing activities to confirm compliance with this Agreement. DayClerk may satisfy this obligation by providing current third-party audit reports (SOC 2 or equivalent) in lieu of a direct audit, where those reports cover the relevant controls.

10. Data Location

All Personal Data processed under this Agreement is stored and processed within the United States. DayClerk shall not transfer Personal Data outside the United States without the Company's prior written consent and without appropriate safeguards in place consistent with Applicable Data Protection Laws.

11. HIPAA Notice

Healthcare clients

If the Company's use of the Services involves the Processing of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), the parties agree to execute a separate Business Associate Agreement (BAA) prior to any such Processing. DayClerk does not accept PHI through the Services absent a signed BAA. Refer to Section 4 of the DayClerk Terms of Use for restrictions on uploading regulated health data.

12. Confidentiality

Each party agrees to keep confidential the terms of this Agreement and any Personal Data disclosed under it, and to use such information only as permitted by this Agreement. This confidentiality obligation survives termination of the service agreement.

13. Governing Law and Signatures

This Agreement shall be governed by and construed in accordance with the laws of the State of New York, United States, consistent with DayClerk's Terms of Use. Any disputes shall be subject to the exclusive jurisdiction of the courts in New York County, New York.

This Agreement takes effect upon execution by both parties (Company and DayClerk) and supersedes any prior data processing terms between the parties. To request a countersigned copy, use the form below.