Data Processing Addendum
This is the standard-form GTMHack Data Processing Addendum. A signed, executable version is available on request — email privacy@gtmhack.ai. A tailored DPA for enterprise customers is available on the Enterprise plan.
1. Roles
The Customer is the Controller of Personal Data it inputs into or generates through the Service. GTMHack is the Processor. Where required, back-to-back terms apply to Sub-processors we engage.
2. Subject-matter and duration
The subject-matter of processing is the performance of the Service under the Terms of Service. Duration matches the subscription term plus a limited post-termination window for export and deletion.
3. Nature and purpose
We process Personal Data to research accounts, generate outreach drafts, deliver approved emails, triage replies, populate pipeline records, provide analytics, and provide support — strictly on the Controller’s documented instructions.
4. Categories of data subjects and data
Data subjects: the Controller’s employees, prospects, customers, and end recipients of outreach.
Personal Data categories: names, business contact details, employment data, publicly available professional profile information, message content and metadata, engagement telemetry.
We do not intentionally process special-category data. Do not upload it.
5. Sub-processors
The Controller authorises GTMHack to use Sub-processors for hosting, infrastructure, model inference, email delivery, payment processing, analytics, and support. We maintain an up-to-date list and will give reasonable notice of any material change.
Current Sub-processors:
- Vercel Inc. · hosting · US (with EU/UK edge)
- Supabase Inc. · database and auth · EU region
- Anthropic PBC · model inference · US
- Stripe Payments Europe Ltd · payments · UK/EU
- Resend Inc. · transactional email · US
- Vapi Inc. · voice · US
- Twilio Inc. · telephony · US
6. International transfers
Where Personal Data is transferred outside the UK/EEA, we rely on the UK IDTA, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (Module 2) as appropriate, supplemented by transfer impact assessments and technical safeguards.
7. Security measures
Encryption in transit (TLS 1.3) and at rest (AES-256-GCM). Row-level security in the primary database, isolating each customer workspace. Least-privilege access with MFA on privileged systems. Immutable audit logging. Secrets managed via KMS. Regular vulnerability scanning and dependency review. Written incident-response plan.
8. Data-subject requests
We will assist the Controller in responding to data-subject requests, providing reasonable technical means within the Service and, where necessary, additional support.
9. Breach notification
We will notify the Controller of any Personal Data breach without undue delay after becoming aware, and in any event within 72 hours where feasible, with the information reasonably available at that time.
10. Audits
The Controller may audit our compliance with this DPA once per year on reasonable notice, or more frequently where required by regulation, subject to reasonable confidentiality and scoping.
11. Return and deletion
On termination, we will make Customer Data available for export for 30 days, then delete it from active systems within a further 30 days, with rolling deletion from backups within 90 days. Certain records may be retained where law requires.
12. Order of precedence
In case of conflict, the terms of this DPA prevail over the Terms of Service with respect to processing of Personal Data.
A more detailed enterprise DPA, including bespoke sub-processor lists and additional security schedules, is available for customers on the Enterprise plan.