Legal

Data Processing Addendum

A DPA template covering PoPayOne's role as a processor of your workers' and contacts' personal data. Provisional — the executable version ships after counsel review.

v0.9 — draft of 2026-07-05 — under counsel review

This is a working draft published for transparency during early access. It has not yet been finalized by counsel and will be versioned when it is.

DPA template — provisional. This page shows the substance of the addendum we intend to execute with business customers. It is not yet a signed agreement; a countersignable version (with SCCs where applicable) will be available once counsel review completes. Customers who need a DPA now can contact support@popayapp.com.

1. Roles and scope

For personal data the Customer submits to the Service about its workers, contacts, vendors, and staff (“Customer Personal Data”), the Customer is the controller and PoPayOne is the processor. PoPayOne acts as an independent controller only for its own account administration, billing, and security telemetry. This addendum supplements the Terms of Service.

2. Processing details

  • Subject matter and duration: operation of the PoPayOne back office for the Customer, for the term of the agreement plus the retention periods in Exhibit A.
  • Nature and purpose: hosting, storage, display, workflow automation, and AI-assisted processing of back-office records as instructed by the Customer through the Service.
  • Categories of data subjects: the Customer's staff, placed workers and consultants, and business contacts at clients, vendors, insurance agencies, and immigration providers.
  • Categories of data: contact and account data; employment records (assignments, timesheets, pay/bill records); identity and work-authorization documents (passport, EAD, visa, I-9 supporting documents); immigration case data; insurance certificates; voice audio when voice features are enabled.

3. Processor obligations

PoPayOne will:

  • process Customer Personal Data only on the Customer's documented instructions — given through the Service's controls — unless law requires otherwise, in which case we notify the Customer where legally permitted;
  • ensure persons authorized to process the data are bound by confidentiality;
  • implement the technical and organizational measures in section 5;
  • not sell Customer Personal Data or use it for advertising or for training AI models.

4. Subprocessors

The Customer authorizes the subprocessors below. Entries marked as enable-gated run only when the corresponding feature is enabled. We will give notice before adding or replacing a subprocessor, with a right to object on reasonable data-protection grounds.

ProviderWhat it doesData it touchesWhen
SupabaseDatabase, authentication, file storageAll application data, account data, uploaded documentsAlways
VercelApplication hosting and deliveryRequest metadata (IP address, user agent), application trafficAlways
AnthropicAI model processing for GyaniConversation text and the workspace context you give GyaniOnly when AI processing is enabled; a deterministic offline mock runs otherwise
Voyage AIText embeddings for AI retrievalText snippets submitted for indexingOnly when enabled
DeepgramVoice speech-to-textVoice audio you record while talking to GyaniOnly when voice input is enabled
ElevenLabsVoice synthesis (Gyani speaking aloud)Gyani's reply textOnly when studio voice is enabled
Cloudflare TurnstileBot and abuse check on public onboardingBrowser challenge signals, IP addressOnly when enabled
OpenCorporatesBusiness-registry (KYB) lookupsThe company name and state you enter for verificationOnly when live KYB is enabled; a clearly labelled simulation runs otherwise
Google FontsFont delivery (fonts.googleapis.com)Your browser's font request (IP address, user agent)Always, requested directly by your browser

5. Security measures

Summary of technical and organizational measures (detail: Security overview):

  • per-tenant isolation enforced by database row-level security, with capability-scoped policies on every table;
  • least-privilege capability model resolved server-side per user, organization, and persona;
  • single-use, resource-bound confirmations, capability checks, and dual approval on money-class actions; hash-chained, tamper-evident audit log — enforced now; MFA step-up enforced in real-money mode;
  • content-addressed document storage with class-based PII access gates, legal holds, and write-once locks on verified compliance snapshots;
  • encryption in transit; encryption at rest via our storage subprocessor;
  • built to SOC 2 controls; certification is on the roadmap and we do not claim it today.

6. Personal data breach notification

PoPayOne will notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data — including the nature of the breach, categories and approximate volumes affected, likely consequences, and measures taken or proposed. We will cooperate with the Customer's own notification obligations.

7. Assistance with data subject requests

Taking into account the nature of processing, PoPayOne will assist the Customer in responding to data subject requests (access, export, correction, deletion, restriction). The Service records erasure requests with a GDPR or CCPA basis and enforces masking-then-purge, subject to the legal holds in Exhibit A. Requests reaching PoPayOne directly from a Customer's data subject are forwarded to the Customer.

8. Audits and information

PoPayOne will make available information reasonably necessary to demonstrate compliance with this addendum, including our published security documentation and, when available, third-party audit reports. Audits beyond that are subject to reasonable notice, scope, and confidentiality terms to be fixed in the counsel-reviewed version.

9. Deletion and return on termination

On termination, at the Customer's choice, PoPayOne will return Customer Personal Data in a reasonable machine-readable export and/or delete it — except data under an active legal hold or statutory retention duty (Exhibit A), which is deleted when the hold expires via the platform's two-phase purge. Deletion timelines and certification mechanics will be fixed in the counsel-reviewed version.

10. Exhibit A — retention schedule (provisional)

Retention classes are enforced as data in the platform's database and are provisional pending counsel sign-off. Clocks are anchored to real events (verification, engagement end) and can be extended but never shortened.

ClassCoversRetain (months)Legal hold by defaultNotes
identityIdentity / work-authorization60YesUSCIS / I-9 point-in-time evidence. Verified copies are retained to the later of 3 years from verification or 1 year after the engagement ends.
insuranceInsurance certificate (COI)84YesCoverage-period proof plus tail.
contractExecuted contract / MSA84YesEach signatory retains its executed copy.
employmentEmployment record48NoOffers, verifications, approvals.
noneNo mandated retention0NoOrdinary documents.

11. Contact

DPA execution requests and questions: support@popayapp.com.