This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Company”, “Controller”, “you”) and BETTERGROUP HOLDING INC, operator of Patricia (“Patricia”, “Processor”, “we”, “us”), under which Patricia provides its services (the “Principal Agreement”). It governs Patricia's processing of personal data on the Company's behalf.
To request a countersigned copy, email access@patricia.app. Patricia's registered office is 1111B S Governors Ave, STE 37790, Dover, Delaware 19904, United States. The current list of subprocessors is published at patricia.app/legal/subprocessors.
1. Definitions
Capitalized terms not defined here have the meaning given in the Principal Agreement or in applicable Data Protection Laws.
- Data Protection Laws mean all laws applicable to the processing of Company Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), and applicable U.S. state privacy laws.
- Controller, Processor, Subprocessor, Data Subject, Personal Data, Processing, and Personal Data Breach have the meaning given in the GDPR and their equivalents under other Data Protection Laws.
- Company Personal Datameans Personal Data that Patricia processes on the Company's behalf in the course of providing the services, as described in Annex I.
- SCCs mean the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914).
- UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
2. Roles and scope
2.1 As between the parties, the Company is the Controller and Patricia is the Processor of Company Personal Data. Where the Company is itself a processor for a third party, Patricia acts as subprocessor and the same obligations apply.
2.2 Documented instructions.Patricia processes Company Personal Data only on the Company's documented instructions, including as set out in this DPA and the Principal Agreement, and as necessary to provide and support the services. If Patricia believes an instruction violates Data Protection Laws, it will inform the Company (unless legally prohibited). If a law requires Patricia to process beyond the Company's instructions, Patricia will inform the Company of that requirement before processing, unless the law prohibits it.
2.3 No sale, no sharing, no secondary use.Patricia does not sell or “share” Company Personal Data (as those terms are defined under U.S. state privacy laws), does not retain, use, or disclose it for any purpose other than providing the services, and does not combine it with data from other sources except as needed to perform the services for the Company.
2.4 AI processing and no training on your data.Patricia uses third-party large-language-model and embedding providers (see Annex III) to generate responses and to index content so the assistant can retrieve it. Under those providers' commercial and API terms, inputs and outputs submitted through their APIs are not used to train or improve their models; providers may retain limited data transiently for security and abuse monitoring under their own terms. Patricia does not use Company Personal Data to train or improve any model that is made available to other customers.Any learning the assistant performs from a Company's own content stays within that Company's tenant. Patricia binds its subprocessors to protections at least as protective as those in this DPA (Section 6).
3. Confidentiality
Patricia ensures that personnel authorized to process Company Personal Data are bound by an appropriate obligation of confidentiality and access it only on a need-to-know basis under the role-based controls described in Annex II.
4. Security
Patricia implements and maintains the technical and organizational measures set out in Annex II, designed to protect Company Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. Patricia may update these measures provided the level of protection is not materially reduced.
5. Assistance to the Company
Taking into account the nature of the processing, Patricia will:
5.1 Data-subject requests. Provide reasonable assistance, including through appropriate technical and organizational measures, to help the Company respond to requests from Data Subjects to exercise their rights (access, correction, deletion, restriction, portability, and objection). If a Data Subject contacts Patricia directly, Patricia will refer them to the Company, or forward the request, unless otherwise instructed.
5.2 Compliance support. Provide the Company with reasonable assistance for data protection impact assessments and prior consultations with supervisory authorities, and make available the information reasonably necessary to demonstrate compliance with this DPA.
6. Subprocessors
6.1 General authorization. The Company authorizes Patricia to engage subprocessors to process Company Personal Data. Patricia maintains a current list at patricia.app/legal/subprocessors.
6.2 Flow-down.Patricia enters into a written agreement with each subprocessor imposing data-protection obligations at least as protective as those in this DPA, and remains responsible for each subprocessor's performance.
6.3 Change notice and objection. Patricia will give the Company at least 14 days' advance notice of a new or replacement subprocessor (by updating the subprocessor page and, where the Company has subscribed to notifications, by email). The Company may object on reasonable data-protection grounds within that period by writing to access@patricia.app. The parties will work in good faith to resolve the objection; if they cannot, the Company may terminate the affected service as its exclusive remedy.
7. Personal Data Breach
Patricia will notify the Company without undue delayafter becoming aware of a Personal Data Breach affecting Company Personal Data, and will provide the information reasonably available to help the Company meet its own notification obligations, together with the measures Patricia is taking to address the breach. Patricia's notification is not an acknowledgement of fault or liability.
8. Audits
Patricia will make available the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Company or an auditor it mandates. Audits take place on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), during business hours, subject to confidentiality obligations, without unreasonable disruption to Patricia's operations, and at the Company's cost. Patricia may satisfy an audit request by providing then-current documentation of its security measures.
9. Return or deletion of data
9.1 On termination or expiry of the services, or on the Company's written request, Patricia will delete or return Company Personal Data within 30 days, and delete existing copies, unless retention is required by law.
9.2 Retention exception.The append-only audit log described in Annex II is retained as an integrity and security record and is not modified or deleted on request; it does not contain the substance of Company content. Operational retention windows for cached workspace content and other data categories are described in Patricia's Privacy Policy, and cached-content retention is a configurable operational control.
9.3 Deletion and data-subject erasure requests are handled by Patricia's team on request (contact privacy@patricia.app); Patricia does not currently offer a self-service bulk-erasure tool.
10. International data transfers
10.1 Patricia is based in the United States and processes Company Personal Data in the United States and, for certain infrastructure, in the European Union (see Annex III). Where the provision of the services involves a transfer of Company Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the following transfer mechanisms are incorporated into this DPA by reference:
- the EU SCCs, Module Two (controller to processor), with the Company as data exporter and Patricia as data importer; the docking clause applies; Clause 17 governing law and Clause 18 forum follow the SCCs as completed by the Annexes of this DPA;
- for UK transfers, the UK Addendum to the EU SCCs;
- for Swiss transfers, the SCCs as adapted for the FADP (references to the GDPR read as the FADP; the Swiss FDPIC is the supervisory authority; “member state” includes Switzerland).
10.2 Patricia makes no claim of certification under the EU-U.S., UK, or Swiss-U.S. Data Privacy Framework. Transfers rely on the mechanisms in Section 10.1.
10.3 Where the SCCs require details, Annex I of this DPA supplies the parties and processing details, and Annex II supplies the technical and organizational measures.
11. Liability and governing law
The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Principal Agreement. This DPA is governed by the law and subject to the venue stated in the Principal Agreement; if none is stated, it is governed by the laws of the State of Delaware, United States (without regard to the SCC-specific choices in Section 10.1, which continue to apply to the SCCs).
12. General
12.1 Order of precedence. If there is a conflict, the SCCs prevail over the body of this DPA, this DPA prevails over the Principal Agreement on data-protection matters, and the Principal Agreement prevails on all other matters.
12.2 Term. This DPA takes effect when the Company accepts the Principal Agreement or this DPA (whichever is earlier) and continues while Patricia processes Company Personal Data.
12.3 Changes. Patricia may update this DPA to reflect changes in law, the services, or its subprocessors, provided the level of protection is not materially reduced; the version and date at the top of this document indicate the current version.
Annex I: Details of processing
- Roles. Company = Controller (or processor); Patricia = Processor (or subprocessor).
- Subject matter.Patricia's provision of an AI teammate that works inside the Company's messaging workspace (Slack and, where enabled, Microsoft Teams) and connected tools.
- Duration. For the term of the Principal Agreement and until deletion or return under Section 9.
- Nature and purpose. Receiving instructions directed to the assistant; generating responses and deliverables (such as copy, summaries, and drafts); indexing and retrieving relevant content; performing the tasks and integrations the Company asks the assistant to perform; and providing support, security, and billing for the service.
- Categories of Data Subjects.The Company's personnel, contractors, and workspace members; and individuals referenced in the messages, files, and connected-tool data the Company directs to or shares with the assistant (which may include the Company's own customers and contacts).
- Categories of Personal Data. Workspace messages and threads addressed to, or cached for, the assistant, and files shared with it; member roster and profile information from the connected workspace (names, handles, email addresses, roles); account, authentication, and billing information for the service; and, where the Company enables them, meeting transcripts and recordings captured by the meeting assistant and data from third-party tools the Company connects (for example CRM, advertising, social, and analytics platforms), limited to what is needed to perform the requested tasks.
- Special-category data. Not intentionally processed. The Company should not direct special-category personal data to the assistant unless separately agreed.
- Frequency. Continuous, for the duration of the services.
Annex II: Technical and organizational measures
Patricia implements the following measures. They may evolve as the service develops, provided the level of protection is not materially reduced.
- Tenant data isolation. Company Personal Data is segregated by tenant and access is scoped by tenant at the data-access (repository) layer; queries that are not correctly tenant-scoped fail closed rather than return data.
- Role-based access control. Least-privilege roles (owner, admin, member, viewer) govern what users can do; cross-tenant administrative access is restricted to authorized Patricia personnel on a need-to-know basis.
- Human approval gates. Higher-risk actions (such as writes to connected tools) are subject to configurable human-in-the-loop approval, with a non-overridable approval requirement for the most sensitive (critical) actions.
- Audit logging. Security-relevant events are recorded in an append-only audit log enforced at the database layer, which cannot be modified or deleted through the application.
- Encryption in transit. Traffic is served over TLS with HTTP Strict Transport Security; session cookies are secure and HTTP-only in production.
- Encryption at rest. Platform credentials and connected-tool secrets are encrypted at the application layer using AES-256-GCM envelope encryption; the primary database and stored files are encrypted at rest by the underlying infrastructure providers.
- Secrets management.Secrets are held in the hosting platform's managed configuration and are not stored in source code; the repository manifest documents variable names only.
- Secure development and change control. Changes are reviewed before release and pass an automated security pipeline in continuous integration, including static analysis, dependency scanning, and secret scanning.
- Confidentiality. Personnel with access to Company Personal Data are bound by confidentiality obligations.
Annex III: Subprocessors
The authoritative, current list is published at patricia.app/legal/subprocessors. As of the version date, Patricia engages the subprocessors listed there to process Company Personal Data, each bound by a data processing agreement and permitted to process only as needed to provide the service. Subprocessors that are part of optional features process Company Personal Data only when the Company enables that feature.