Data Processing Addendum
Template — effective May 18, 2026. This DPA forms part of the Terms of Service when ExecOS processes personal data on a customer's behalf in connection with the service.
1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "Customer" is the entity that subscribes to ExecOS. "We" or "ExecOS" act as Processor in respect of Customer Personal Data.
2. Subject matter and duration
We process Personal Data only to provide the service for the duration of the Customer's subscription and as instructed through Customer's use of the service.
3. Nature and purpose of processing
Hosting, storage, retrieval, generation of AI-assisted summaries, transactional email, and any other processing reasonably necessary to operate the features the Customer enables.
4. Categories of Data Subjects and Personal Data
- Data Subjects: Customer's employees, contractors, executives, and the contacts they record.
- Personal Data: names, business email addresses, calendar entries, meeting notes, contact details, and any content Customer chooses to upload.
5. Processor obligations
- Process Personal Data only on documented Customer instructions.
- Ensure personnel authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Schedule 1).
- Assist Customer in responding to Data Subject requests via the in-product export and delete tools.
- Notify Customer without undue delay (and in any event within 72 hours) of a confirmed Personal Data Breach.
- Delete or return Personal Data at the end of the service, subject to legal retention requirements.
6. Sub-processors
Customer authorises ExecOS to engage sub-processors listed in the current Privacy Policy. We will give 30 days' notice of changes; the Customer may object on reasonable data-protection grounds.
7. International transfers
Where Personal Data is transferred outside the EEA/UK, transfers rely on the European Commission's Standard Contractual Clauses (2021/914) or an equivalent UK mechanism.
8. Audits
On reasonable notice and no more than once per year, Customer may request information needed to demonstrate compliance with this DPA. Independent third-party reports may be provided in lieu of on-site audits.
9. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service.
Schedule 1 — Security measures
- Encryption in transit (TLS 1.2+) and at rest (managed database provider).
- Row-level security policies enforcing per-workspace tenant isolation.
- Role-based access via a dedicated user_roles table and security-definer checks.
- Server-only service-role credentials; never shipped to browsers.
- Audit logging of sensitive workspace actions (role changes, invites, deletions, exports).
- Least-privilege admin access and quarterly access reviews.
10. Signing
To execute this DPA, email legal@execos.app with your company name, billing email, and ExecOS workspace ID. We will return a counter-signed copy within 5 business days.