v0.9 — draft of 2026-07-05 — under counsel review
This is a working draft published for transparency during early access. It has not yet been finalized by counsel and will be versioned when it is.
1. Roles and scope
For personal data the Customer submits to the Service about its workers, contacts, vendors, and staff (“Customer Personal Data”), the Customer is the controller and PoPayOne is the processor. PoPayOne acts as an independent controller only for its own account administration, billing, and security telemetry. This addendum supplements the Terms of Service.
2. Processing details
- Subject matter and duration: operation of the PoPayOne back office for the Customer, for the term of the agreement plus the retention periods in Exhibit A.
- Nature and purpose: hosting, storage, display, workflow automation, and AI-assisted processing of back-office records as instructed by the Customer through the Service.
- Categories of data subjects: the Customer's staff, placed workers and consultants, and business contacts at clients, vendors, insurance agencies, and immigration providers.
- Categories of data: contact and account data; employment records (assignments, timesheets, pay/bill records); identity and work-authorization documents (passport, EAD, visa, I-9 supporting documents); immigration case data; insurance certificates; voice audio when voice features are enabled.
3. Processor obligations
PoPayOne will:
- process Customer Personal Data only on the Customer's documented instructions — given through the Service's controls — unless law requires otherwise, in which case we notify the Customer where legally permitted;
- ensure persons authorized to process the data are bound by confidentiality;
- implement the technical and organizational measures in section 5;
- not sell Customer Personal Data or use it for advertising or for training AI models.
4. Subprocessors
The Customer authorizes the subprocessors below. Entries marked as enable-gated run only when the corresponding feature is enabled. We will give notice before adding or replacing a subprocessor, with a right to object on reasonable data-protection grounds.
| Provider | What it does | Data it touches | When |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All application data, account data, uploaded documents | Always |
| Vercel | Application hosting and delivery | Request metadata (IP address, user agent), application traffic | Always |
| Anthropic | AI model processing for Gyani | Conversation text and the workspace context you give Gyani | Only when AI processing is enabled; a deterministic offline mock runs otherwise |
| Voyage AI | Text embeddings for AI retrieval | Text snippets submitted for indexing | Only when enabled |
| Deepgram | Voice speech-to-text | Voice audio you record while talking to Gyani | Only when voice input is enabled |
| ElevenLabs | Voice synthesis (Gyani speaking aloud) | Gyani's reply text | Only when studio voice is enabled |
| Cloudflare Turnstile | Bot and abuse check on public onboarding | Browser challenge signals, IP address | Only when enabled |
| OpenCorporates | Business-registry (KYB) lookups | The company name and state you enter for verification | Only when live KYB is enabled; a clearly labelled simulation runs otherwise |
| Google Fonts | Font delivery (fonts.googleapis.com) | Your browser's font request (IP address, user agent) | Always, requested directly by your browser |
5. Security measures
Summary of technical and organizational measures (detail: Security overview):
- per-tenant isolation enforced by database row-level security, with capability-scoped policies on every table;
- least-privilege capability model resolved server-side per user, organization, and persona;
- single-use, resource-bound confirmations, capability checks, and dual approval on money-class actions; hash-chained, tamper-evident audit log — enforced now; MFA step-up enforced in real-money mode;
- content-addressed document storage with class-based PII access gates, legal holds, and write-once locks on verified compliance snapshots;
- encryption in transit; encryption at rest via our storage subprocessor;
- built to SOC 2 controls; certification is on the roadmap and we do not claim it today.
6. Personal data breach notification
PoPayOne will notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data — including the nature of the breach, categories and approximate volumes affected, likely consequences, and measures taken or proposed. We will cooperate with the Customer's own notification obligations.
7. Assistance with data subject requests
Taking into account the nature of processing, PoPayOne will assist the Customer in responding to data subject requests (access, export, correction, deletion, restriction). The Service records erasure requests with a GDPR or CCPA basis and enforces masking-then-purge, subject to the legal holds in Exhibit A. Requests reaching PoPayOne directly from a Customer's data subject are forwarded to the Customer.
8. Audits and information
PoPayOne will make available information reasonably necessary to demonstrate compliance with this addendum, including our published security documentation and, when available, third-party audit reports. Audits beyond that are subject to reasonable notice, scope, and confidentiality terms to be fixed in the counsel-reviewed version.
9. Deletion and return on termination
On termination, at the Customer's choice, PoPayOne will return Customer Personal Data in a reasonable machine-readable export and/or delete it — except data under an active legal hold or statutory retention duty (Exhibit A), which is deleted when the hold expires via the platform's two-phase purge. Deletion timelines and certification mechanics will be fixed in the counsel-reviewed version.
10. Exhibit A — retention schedule (provisional)
Retention classes are enforced as data in the platform's database and are provisional pending counsel sign-off. Clocks are anchored to real events (verification, engagement end) and can be extended but never shortened.
| Class | Covers | Retain (months) | Legal hold by default | Notes |
|---|---|---|---|---|
| identity | Identity / work-authorization | 60 | Yes | USCIS / I-9 point-in-time evidence. Verified copies are retained to the later of 3 years from verification or 1 year after the engagement ends. |
| insurance | Insurance certificate (COI) | 84 | Yes | Coverage-period proof plus tail. |
| contract | Executed contract / MSA | 84 | Yes | Each signatory retains its executed copy. |
| employment | Employment record | 48 | No | Offers, verifications, approvals. |
| none | No mandated retention | 0 | No | Ordinary documents. |
11. Contact
DPA execution requests and questions: support@popayapp.com.