Data Processing Agreement

Last updated: April 1, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Super Mega Lab LLC, doing business as tidbiits ("Processor," "we," "us," or "our"), and the entity or individual agreeing to these terms ("Controller," "you," or "your") (each a "Party" and together the "Parties").

This DPA supplements and is incorporated into the Terms of Service available at tidbiits.com/legal/terms (the "Agreement") and applies to the extent that we process Personal Data on your behalf as a data processor in connection with providing the tidbiits platform and related services (the "Services").

By using the Services, you agree to this DPA. If you are accepting this DPA on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these terms.


1. DEFINITIONS

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other applicable data protection or privacy laws.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data and, for the purposes of this DPA, refers to you, the customer.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to a Data Subject that is processed by us on your behalf in connection with the Services. This includes information contained within Customer Content (as defined below).

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processor" means the entity that processes Personal Data on behalf of the Controller and, for the purposes of this DPA, refers to us, Super Mega Lab LLC.

"Sub-processor" means any third-party processor engaged by us to process Personal Data on your behalf.

"Customer Content" means all content, data, and materials that you or your authorized users submit to the Services for processing, including documents, URLs, text, files, annotations, notes, and other collaborative contributions.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).


2. SCOPE AND ROLES

2.1 Roles of the Parties

You are the Controller and we are the Processor with respect to Personal Data processed through the Services. You determine the purposes and means of processing by choosing to use the Services and configuring how your workspace operates. We process Personal Data only on your documented instructions as described in this DPA and the Agreement.

2.2 Details of Processing

The details of the data processing carried out under this DPA are described in Annex 1 (Description of Processing) attached to this DPA.

2.3 Your Responsibilities

You are responsible for ensuring that your use of the Services and your instructions to us comply with Applicable Data Protection Law, including ensuring that you have a lawful basis for submitting Personal Data to the Services and that any necessary consents have been obtained from Data Subjects.


3. PROCESSOR OBLIGATIONS

3.1 Instructions

We will process Personal Data only on your documented instructions, unless required to do so by applicable law. The Agreement (including this DPA) constitutes your initial documented instructions. Additional instructions may be agreed in writing between the Parties.

If we believe that an instruction from you infringes Applicable Data Protection Law, we will promptly notify you and may suspend performance of the relevant instruction until you confirm or modify it.

3.2 Purpose Limitation

We will process Personal Data solely for the purposes of providing the Services as described in the Agreement and this DPA, and in accordance with your documented instructions. We will not process Personal Data for any other purpose, including for our own purposes, unless required by applicable law, in which case we will inform you of that legal requirement before processing (unless prohibited by law from doing so).

3.3 No Selling or Sharing of Personal Data

We will not sell, share (as defined under the CCPA), or otherwise make available Personal Data to third parties for monetary or other valuable consideration. We will not use Personal Data for targeted advertising, cross-context behavioral advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.

3.4 No Use for Model Training

We will not use Customer Content or Personal Data to train, improve, or develop artificial intelligence or machine learning models, whether our own or those of third parties. Our AI model providers are contractually prohibited from using Customer Content for model training purposes.

3.5 Confidentiality

We will ensure that any person we authorize to process Personal Data has committed to confidentiality obligations or is under an appropriate statutory obligation of confidentiality.

3.6 Cooperation

We will provide reasonable assistance to you, taking into account the nature of the processing and the information available to us, in fulfilling your obligations under Applicable Data Protection Law, including with respect to Data Subject rights requests, data protection impact assessments, and consultations with supervisory authorities.


4. SECURITY

4.1 Security Measures

We will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures include, but are not limited to:

  • Encryption in transit — all data transmitted between your devices and our servers is encrypted using TLS
  • Encryption at rest — Personal Data stored in our databases and object storage is encrypted at rest
  • Access controls — role-based access controls within the Services (owner, admin, member permissions) and internal access controls limiting employee access to Personal Data on a need-to-know basis
  • Authentication security — passwords are stored using bcrypt hashing; authentication tokens are hashed using SHA-256; session cookies use HttpOnly, Secure, and SameSite attributes
  • API security — API and MCP server access is secured via OAuth 2.1 with PKCE or API key authentication
  • Log sanitization — server logs are sanitized to redact authorization headers, tokens, passwords, and other sensitive fields
  • Infrastructure — the Services are hosted on Vercel with data stored in the United States

4.2 Security Updates

We will periodically review and update our security measures to address evolving threats and industry best practices. We will not materially decrease the overall level of security of the Services during the term of the Agreement.


5. SUB-PROCESSORS

5.1 Authorization

You provide general written authorization for us to engage Sub-processors to process Personal Data on your behalf. Our current list of Sub-processors is available at tidbiits.com/legal/subprocessors (the "Sub-processor List").

5.2 Sub-processor Obligations

We will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA. We remain fully liable to you for the performance of each Sub-processor's obligations.

5.3 Changes to Sub-processors

We will notify you at least thirty (30) days before engaging a new Sub-processor or making a material change to an existing Sub-processor by updating the Sub-processor List and notifying you by email.

5.4 Objection Right

If you have a reasonable, good-faith objection to a new Sub-processor based on data protection grounds, you must notify us in writing within fifteen (15) days of receiving our notice. We will work with you in good faith to address your concerns, which may include offering an alternative Sub-processor configuration or implementing additional safeguards.

If we are unable to address your objection within thirty (30) days, you may terminate the affected portion of the Services by providing written notice. We will refund any prepaid fees covering the remainder of the billing period after the effective date of termination.


6. DATA SUBJECT RIGHTS

6.1 Assistance with Requests

If we receive a request from a Data Subject to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, or objection), we will promptly notify you and will not respond to the request directly unless authorized by you or required by law.

6.2 Self-Service Tools

The Services provide you with tools to manage certain Data Subject rights directly, including the ability to access and view Personal Data within your workspace, export data, delete content, and manage user accounts. You are responsible for using these tools to respond to Data Subject requests where possible.

6.3 Reasonable Assistance

Where you are unable to address a Data Subject request through the self-service tools, we will provide you with reasonable assistance, taking into account the nature of the processing, to help you fulfill the request within the timeframes required by Applicable Data Protection Law.


7. PERSONAL DATA BREACH NOTIFICATION

7.1 Notification

We will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf.

7.2 Content of Notification

The notification will include, to the extent reasonably available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of the point of contact where more information can be obtained
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

7.3 Cooperation

We will provide you with reasonable cooperation and assistance in relation to any Personal Data Breach, including in your efforts to comply with your notification obligations under Applicable Data Protection Law. Our notification of a Personal Data Breach is not an acknowledgment of fault or liability.


8. DATA TRANSFERS

8.1 Processing Locations

Personal Data may be processed in the locations identified in the Sub-processor List. Our primary infrastructure is located in the United States.

8.2 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer from the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we will ensure that appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework: Where applicable, we rely on certifications under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and/or the Swiss-US Data Privacy Framework.
  • Standard Contractual Clauses: Where the Data Privacy Framework does not apply, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference and apply to transfers of Personal Data from the EEA, UK, or Switzerland. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies. For transfers subject to the Swiss FADP, the SCCs apply with the modifications required under Swiss law.

8.3 Additional Safeguards

In addition to the transfer mechanisms above, we implement supplementary measures as described in Section 4 (Security) to ensure that Personal Data transferred internationally is protected to a standard essentially equivalent to that guaranteed within the EEA.


9. AUDITS

9.1 Audit Information

Upon your written request (no more than once per twelve-month period, unless a Personal Data Breach has occurred or a supervisory authority requires an additional audit), we will make available to you information reasonably necessary to demonstrate our compliance with this DPA.

9.2 Audit Process

If the information provided under Section 9.1 is not reasonably sufficient to confirm compliance, you may conduct or commission an audit of our processing activities, subject to the following conditions:

  • You must provide at least thirty (30) days' written notice of any audit
  • The audit must be conducted during normal business hours and may not unreasonably interfere with our operations
  • You will bear the costs of any audit (unless the audit reveals a material breach of this DPA by us)
  • Any third-party auditor must execute a confidentiality agreement acceptable to us before conducting the audit
  • Audit findings and reports are confidential and may not be disclosed to third parties without our prior written consent, except to the extent required by Applicable Data Protection Law or a supervisory authority

9.3 Certifications and Reports

We may satisfy audit requests by providing relevant third-party certifications, audit reports, or summaries thereof (such as SOC 2 Type II reports, if available) instead of permitting a physical audit, provided such documentation reasonably addresses your compliance concerns.


10. DATA RETENTION AND DELETION

10.1 During the Agreement

During the term of the Agreement, we will retain Personal Data for as long as necessary to provide the Services and in accordance with the retention practices described in our Privacy Policy.

10.2 Upon Termination

Upon termination or expiration of the Agreement, or upon your written request, we will:

  • Return: Make Personal Data available for export in a commonly used, machine-readable format (such as JSON or CSV), and provide you with a reasonable period (no less than thirty (30) days after termination) to retrieve your data.
  • Delete: After the retrieval period, delete or anonymize Personal Data from our active systems within a reasonable timeframe, except to the extent that retention is required by applicable law.

10.3 Post-Deletion Retention

We may retain limited Personal Data after deletion for up to twelve (12) months to comply with legal obligations, resolve disputes, and enforce the Agreement, as described in our Privacy Policy. Retained data will be isolated from active processing and securely deleted at the end of the retention period.

10.4 Certification

Upon your written request, we will provide written confirmation that Personal Data has been deleted in accordance with this Section 10.


11. GENERAL

11.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

11.2 Amendments

We may update this DPA from time to time to reflect changes in Applicable Data Protection Law or our processing practices. We will notify you of material changes at least thirty (30) days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated DPA.

11.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

11.4 Governing Law

This DPA is governed by the same law that governs the Agreement, except that the Standard Contractual Clauses (where applicable) are governed by the law of the EU Member State in which the Controller is established, or, where the Controller is not established in the EEA, by the laws of Ireland.

11.5 Contact

For questions about this DPA, please contact us at contact@supermegalab.com.


ANNEX 1: DESCRIPTION OF PROCESSING

This Annex describes the processing of Personal Data carried out under the DPA.

A. List of Parties

Controller (Data Exporter):

  • Name: The entity or individual identified in the Agreement
  • Activities: Uses the Services to ingest, summarize, and collaborate on external content with their team

Processor (Data Importer):

  • Name: Super Mega Lab LLC, doing business as tidbiits
  • Address: 16192 Coastal Highway, Lewes, Delaware 19958, United States
  • Contact: contact@supermegalab.com
  • Activities: Provides an AI-powered content summarization, knowledge graph generation, and team collaboration platform

B. Description of Processing

Categories of Data Subjects:

  • Controller's employees, contractors, and team members who use the Services
  • Third parties whose Personal Data may be incidentally contained in content submitted by the Controller for processing

Categories of Personal Data:

  • Account information: names, email addresses, usernames, profile pictures
  • Authentication data: hashed passwords, OAuth tokens, session identifiers
  • Workspace and team membership information
  • Payment-related contact information (payment card details are processed by Stripe and are not accessed or stored by us)
  • Content submitted for processing (which may incidentally contain Personal Data of third parties, such as names, contact details, or other information present in documents, articles, or videos)
  • AI-generated outputs: summaries, knowledge graph entities, intelligence signals, synthesis documents
  • User-generated collaborative content: annotations, notes, comments, reactions, insights, action items
  • Usage data: IP addresses, browser information, device information, feature usage logs
  • Activity feed data: sharing events, mentions, reactions, and notification records

Sensitive Data:

  • We do not intentionally collect or process sensitive (special category) Personal Data. Customer Content submitted for processing may incidentally contain sensitive data; the Controller is responsible for ensuring appropriate legal bases exist for such processing.

Nature and Purpose of Processing:

  • Providing the Services, including AI-powered content summarization and analysis
  • Generating knowledge graphs, intelligence signals, and synthesis documents from submitted content
  • Enabling team collaboration features (annotations, insights, activity feeds, @mentions)
  • Managing user accounts and authentication
  • Processing subscription billing (via Stripe)
  • Sending transactional communications (account verification, billing notifications, activity alerts)
  • Maintaining security and preventing fraud
  • Where enabled, providing anonymized, cookieless analytics to improve the Services (no Personal Data is sent to analytics providers)

Duration of Processing:

  • Personal Data is processed for the duration of the Agreement. Upon termination, data is handled in accordance with Section 10 of this DPA.

C. Technical and Organizational Security Measures

See Section 4 of this DPA for a description of the technical and organizational security measures implemented to protect Personal Data.

D. Sub-processors

See our Sub-processor List at tidbiits.com/legal/subprocessors for the current list of authorized Sub-processors.