The standard DPA between you (data controller) and Draftrow (data processor). Free for all Pro and Hibernation tier customers.
Not legal advice. Last updated: June 3, 2026
What this is
A standard Data Processing Agreement between Draftrow (as data processor) and you (as data controller). Operators who need a formal DPA for their own compliance documentation or for their customers' regulatory requirements can use this template.
If you require an executed (counter-signed) copy, email hello@draftrow.com.
DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Draftrow (operated by AQM Hub, Toronto, Ontario, Canada) ("Processor") and you ("Controller").
1. Definitions
"Personal Information" means information about identifiable individuals, including but not limited to names, contact details, addresses, event details, and conversation content.
"Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, retrieval, use, disclosure, erasure, or destruction.
"Subprocessor" means any third party engaged by Processor to assist in providing services to Controller.
2. Roles
Controller is the data controller for Personal Information processed through Draftrow.
Processor is a data processor acting on Controller's documented instructions.
3. Scope and purpose of processing
Processor processes Personal Information solely for the purposes of:
- Extracting structured booking details from conversations submitted by Controller
- Detecting capacity conflicts against Controller's inventory
- Storing structured booking records as directed by Controller
- Generating suggested replies in Controller's voice
- Providing data export and account management features
4. Categories of personal information processed
- Customer names
- Customer phone numbers
- Customer Messenger handles or social media handles
- Event locations and addresses
- Event dates and times
- Service or rental details
- Pricing and payment information
- Conversation content (processed in memory only, never persisted)
5. Subprocessors
Controller authorizes Processor to engage the following Subprocessors:
- Anthropic PBC (United States): AI extraction service under commercial API terms with no training and 30-day retention
- OpenAI (United States): Fallback AI extraction service under equivalent terms
- Neon Inc. (database hosting, AWS ca-central-1 Canada)
- Vercel Inc. (application hosting, edge network)
- Stripe Inc. (payment processing)
- Resend Inc. (transactional email)
- Clerk Inc. (authentication)
- Sentry Inc. (error monitoring, request bodies excluded)
- Upstash Inc. (rate limiting, no PII)
Processor will notify Controller of new Subprocessors at least 30 days before engagement, providing Controller opportunity to object. Material objection may result in service modification or termination.
6. Security measures
Processor implements:
- Encryption in transit (TLS 1.3) for all data flows
- Encryption at rest (AES-256-GCM) for personal information columns (customer name, phone, handle, location, notes)
- Access controls (Clerk authentication, role-based access)
- Audit logging for all access to encrypted personal information
- Subprocessor due diligence and contractual safeguards
- Regular security review and incident response procedures
7. Data subject rights
Processor will assist Controller in responding to Data Subject requests for access, correction, deletion, and portability by:
- Providing data export functionality (CSV, JSON)
- Allowing record-level deletion with 30-day soft delete period
- Allowing complete account deletion with 30-day recovery window
- Responding to Controller inquiries about Data Subject requests within 5 business days
8. Data retention and deletion
- Active booking records: retained for the duration of Controller's account
- Soft-deleted records: 30 days, then hard deleted
- Deleted accounts: 30-day recovery window, then complete data deletion
- Audit logs: retained 12 months from event date
- Anonymous usage metrics: retained indefinitely (no personal information)
9. International transfers
Controller's Personal Information is processed in Canada (Neon ca-central-1, AWS). Conversation extraction is performed by Anthropic in the United States. Anthropic operates under Standard Contractual Clauses for European data transfers and SOC 2 Type II certification.
10. Breach notification
In the event of a security incident affecting Personal Information, Processor will:
- Notify Controller within 72 hours of discovery
- Provide details about the nature of the incident, affected data, and mitigation steps
- Cooperate with Controller in any required notifications to Data Subjects or regulators
11. Audit rights
Controller may request:
- Annual summary of security practices
- Subprocessor list updates
- Confirmation of specific compliance certifications
- Response to written security questionnaires
On-site audits are not available given the company size. Independent third-party audit reports (when available) will be shared on request.
12. Term and termination
This DPA remains in effect for the duration of Controller's subscription to Draftrow. Upon termination, Processor will:
- Provide Controller 30 days to export their data
- Delete all Personal Information within 60 days of termination
- Provide written confirmation of deletion upon request
13. Governing law
This DPA is governed by the laws of the Province of Ontario, Canada and the federal laws of Canada applicable therein.
Using this DPA
To execute this DPA:
- Email hello@draftrow.com requesting the DPA
- We will send you a counter-signed copy
- Keep the executed copy with your compliance records
For most operators using Draftrow for their own business, the published DPA is sufficient documentation without requiring an executed copy. Larger operators or those with specific compliance requirements (HIPAA, financial services, government) should request an executed copy and may need additional terms.