Data Processing Agreement (DPA)

Last updated: 29 May 2026 — compliant with GDPR Art. 28 and India DPDP Act 2023

This DPA applies to Agency plan customers who use FounderSkies (operated by Alacrio Tech LLP) to manage LinkedIn content on behalf of their own clients (Data Principals). In this context, the Agency acts as the Data Controller and FounderSkies acts as the Data Processor. By using the Agency plan you agree to this DPA, which forms part of your agreement with FounderSkies.

1. Definitions

  • “Controller” / “Data Fiduciary”: the Agency customer who determines the purposes and means of processing client personal data.
  • “Processor” / “Data Processor”: FounderSkies, which processes personal data on behalf of the Controller.
  • “Data Subject” / “Data Principal”: the founder or client whose personal data is processed (e.g. their name, LinkedIn content, professional information).
  • “Personal Data”: any information relating to an identified or identifiable natural person as defined under GDPR Art. 4(1) and DPDP Act Section 2(t).
  • “Sub-processor”: any third party engaged by FounderSkies to assist in processing personal data (see Section 7).

2. Subject matter and duration

FounderSkies processes personal data on behalf of the Agency solely to provide the FounderSkies platform — including AI content generation, LinkedIn publishing, and profile page hosting — for each client profile managed under the Agency plan. This DPA remains in force for as long as the Agency maintains an active Agency plan subscription. Upon termination, Section 9 (Data return and deletion) applies.

3. Nature and purpose of processing

Processing activities carried out by FounderSkies on behalf of the Agency include:

  • Storing and processing Knowledge Base data (professional expertise, customer information, beliefs) for each client profile.
  • Generating AI content ideas and post drafts using client Knowledge Base data via the Claude API (Anthropic).
  • Storing and managing post drafts, scheduled posts, and published post history per client profile.
  • Publishing posts to LinkedIn on behalf of client profiles using OAuth tokens provided by those clients.
  • Hosting public profile pages (founderskies.com/handle) displaying published posts for each client.

4. Types of personal data and data subjects

Categories of personal data processed:

  • Professional identity data: name, handle, job title, niche, one-liner bio
  • Professional expertise data: Knowledge Base answers (ICP, customer problems, beliefs, wins)
  • Social media data: LinkedIn member ID, OAuth access token, profile picture URL
  • Content data: AI-generated ideas, post drafts, published post text

Categories of data subjects: founder clients of the Agency whose LinkedIn profiles are managed through the platform.

Sensitive data: None. FounderSkies does not process special-category data (GDPR Art. 9) or sensitive personal data as defined under DPDP.

5. Controller obligations

The Agency (Controller) agrees to:

  • Obtain all necessary consents from their clients (Data Subjects) before providing their personal data to FounderSkies, including consent to use AI tools for content generation and to publish on their behalf.
  • Ensure clients are informed of this DPA and FounderSkies' Privacy Policy.
  • Ensure that the personal data provided is accurate, relevant, and limited to what is necessary for the service.
  • Handle all Data Subject rights requests directed to the Agency regarding data processed through FounderSkies, coordinating with FounderSkies as needed.
  • Not instruct FounderSkies to process data in a manner that would violate applicable law.

6. Processor obligations (FounderSkies)

FounderSkies agrees to:

  • Documented instructions: process personal data only on documented instructions from the Controller, except where required by law.
  • Confidentiality: ensure all personnel with access to personal data are bound by confidentiality obligations.
  • Security: implement appropriate technical and organisational measures (see Section 8).
  • Sub-processors: engage sub-processors only as listed in Section 7, and ensure equivalent data protection obligations apply to them.
  • Data Subject rights: assist the Controller in fulfilling Data Subject rights requests (access, rectification, erasure, portability) within 5 business days of a written request.
  • Data breach notification: notify the Controller without undue delay (and within 48 hours) upon becoming aware of a personal data breach affecting the Controller's client data.
  • Data Protection Impact Assessment: provide reasonable assistance to the Controller for any DPIA required under GDPR Art. 35.
  • Audit rights: make available all information necessary to demonstrate compliance, and allow for audits or inspections by the Controller or a mandated third party upon 30 days' written notice.

7. Sub-processors

The Agency authorises FounderSkies to engage the following sub-processors. FounderSkies will notify the Agency of any intended changes (addition or replacement) at least 14 days in advance, giving the Agency the opportunity to object.

| Sub-processor | Role | Location | Transfer basis |
|---|---|---|---|
| Supabase Inc. | Database & auth | USA | SCCs (EU) / Contractual safeguards (India) |
| Anthropic PBC | AI content generation | USA | SCCs (EU) / Contractual safeguards (India) |
| LinkedIn Corp. | Post publishing API | USA | SCCs (EU) / Contractual safeguards (India) |
| Vercel Inc. | Application hosting | USA / Edge | SCCs (EU) / Contractual safeguards (India) |

8. Security measures

FounderSkies implements and maintains the following technical and organisational measures (TOMs):

  • Encryption in transit: all data transmitted over HTTPS/TLS 1.2+.
  • Encryption at rest: database encryption via Supabase/AWS at-rest encryption.
  • Access control: row-level security (RLS) ensuring client data is isolated per user. Production access restricted to authorised personnel with MFA.
  • Data isolation: each client profile's Knowledge Base, posts, and LinkedIn tokens are logically isolated — Agency staff cannot access one client's data from another's account.
  • Vulnerability management: regular dependency audits, security patching, and monitoring.
  • Incident response: documented breach response plan with 48-hour Controller notification SLA.

9. Data return and deletion

Upon termination of the Agency plan or upon written request from the Controller:

  • FounderSkies will provide an export of all client profile data in JSON format within 5 business days.
  • FounderSkies will permanently delete all client personal data from its systems within 30 days of termination, except where retention is required by law.
  • FounderSkies will provide written confirmation of deletion upon request.

10. Governing law

This DPA is governed by Indian law. For Controllers in the EEA, GDPR provisions apply and take precedence over conflicting provisions of this DPA. Any disputes shall be resolved in accordance with the governing law clause in the main Terms of Use.

11. Contact

For DPA-related queries, audit requests, or breach notifications, contact:

FounderSkies Data Protection
Email: privacy@founderskies.com
Response within 2 business days.