Data Processing Agreement

This Data Processing Agreement ("DPA") applies when Feedbaxster processes personal data on behalf of a business customer ("Controller").

1. Definitions

• "Processing" — any operation on personal data
• "Controller" — the business using Feedbaxster to collect customer feedback
• "Processor" — Feedbaxster LLC
• "Data Subject" — the individual providing feedback

2. Scope of Processing

• Data types: feedback text, optional name/email, survey responses, sentiment scores
• Purpose: enable Controller to collect, analyze, and respond to customer feedback
• Duration: for the term of the Controller's subscription + 30 days for deletion

3. Processor Obligations

• Process data only on documented instructions from Controller
• Ensure persons authorized to process data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist Controller in responding to data subject rights requests
• Delete or return all personal data upon termination of services
• Make available to Controller all information necessary to demonstrate compliance

4. Subprocessors

A full list of our current subprocessors is available in our Privacy Policy.

Controller is notified of subprocessor changes via email 30 days in advance.

5. Data Transfers

• Data is stored in the United States (Supabase US-East region)
• For EU data subjects: transfers rely on Standard Contractual Clauses or adequacy decisions

6. Security Measures

• Encryption at rest (Supabase) and in transit (TLS 1.2+)
• Access controls: role-based, least privilege
• Incident notification: within 72 hours of becoming aware of a personal data breach

7. Data Subject Rights

• Controller can export all data via the self-serve export feature
• Controller can request deletion of all business data by contacting support@feedbaxster.com

8. Contact