Data Processing Agreement

Last updated: April 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between Daylight OS ("Processor") and the entity that has agreed to the Terms of Service ("Controller"). This DPA forms part of the Terms of Service and governs the processing of personal data by Daylight OS on behalf of the Controller.

2. Definitions

Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR) (Regulation 2016/679). "Personal Data" means any information relating to an identified or identifiable natural person processed by Daylight OS under this agreement.

3. Scope of Processing

Daylight OS processes Personal Data solely for the purpose of providing the platform services described in the Terms of Service. Categories of data processed include:

  • Account and profile information (name, email address, business name)
  • Workspace configuration and preferences
  • Content you submit through the platform (work orders, client records, communications)
  • Usage data necessary to operate and improve the service

4. Controller Obligations

The Controller is responsible for: (a) ensuring there is a lawful basis for transferring Personal Data to Daylight OS; (b) complying with applicable data protection laws in its own right; and (c) ensuring the accuracy of Personal Data provided to Daylight OS.

5. Processor Obligations

Daylight OS will: (a) process Personal Data only on the documented instructions of the Controller; (b) ensure that persons authorized to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in fulfilling its obligations regarding data subject rights; and (e) delete or return Personal Data upon termination of the agreement.

6. Sub-processors

Daylight OS uses the following sub-processors to deliver the service:

  • Supabase — Database hosting (EU and US regions)
  • Anthropic — AI processing (Claude API)
  • Clerk — Authentication and identity
  • Resend — Transactional email delivery
  • Google — Document storage (Drive, Docs)
  • Vercel — Application hosting and edge delivery

Daylight OS will notify the Controller of any intended changes to this list and provide the Controller opportunity to object.

7. Data Subject Rights

Daylight OS will assist the Controller in responding to requests from data subjects exercising rights under GDPR (access, rectification, erasure, restriction, portability, objection). Requests may be submitted to danny@daylight-os.com.

8. Security

Daylight OS implements technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including encryption in transit (TLS), encrypted storage, and access controls limited to authorized personnel.

9. Data Breach Notification

Daylight OS will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons.

10. International Transfers

Where Personal Data is transferred outside the European Economic Area, Daylight OS will ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses where required.

11. Termination

Upon termination of the Terms of Service, Daylight OS will, at the Controller's election, delete or return all Personal Data and delete existing copies, unless applicable law requires retention.

12. Contact

For DPA-related inquiries, contact danny@daylight-os.com.