This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and MBU Intelligence operating as PeopleOS ("Processor"). It applies wherever PeopleOS processes personal data on behalf of the Customer.
Controller: the Customer entity that determines the purposes and means of processing personal data.
Processor: MBU Intelligence / PeopleOS, which processes personal data on behalf of the Controller.
Data Subject: any identified or identifiable natural person whose data is processed — including employees, candidates, and contractors of the Controller.
Processing: any operation on personal data including collection, storage, analysis, transmission, deletion.
Sub-processor: any third party engaged by the Processor to carry out processing on behalf of the Controller.
The Processor shall process personal data solely to provide the PeopleOS platform services described in the Terms of Service, which include: psychometric assessments (OCEAN, EQ, Cognitive Bias, Johari Window, Values, Leadership), AI-assisted HR analysis, and associated administration tools.
Processing activities include: collection of assessment responses, scoring and profiling, storage and retrieval, display to authorised HR users, AI-assisted analysis, and deletion in accordance with retention policies.
Data categories: name, email address, assessment responses, psychometric profile scores (OCEAN, EQ, Bias, Johari, Values, Leadership), AI conversation logs (where opted in), usage telemetry.
Special-category data (GDPR Art.9): psychometric profiles constitute special-category data. The Controller must ensure a valid legal basis under Art.9(2) before using PeopleOS to collect such data.
Data subjects: employees, job candidates, contractors, and other natural persons designated by the Controller.
The Controller shall: (a) ensure a valid legal basis for processing under GDPR Art.6 and, where applicable, Art.9; (b) provide data subjects with appropriate privacy information before assessment; (c) obtain any necessary consents; (d) not instruct the Processor to process data in a manner that would violate applicable law.
The Controller is responsible for determining the appropriate use of assessment outputs in employment decisions. The Controller must implement the human oversight required by EU AI Act Art.14.
The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure all personnel are bound by confidentiality obligations; (c) implement appropriate technical and organisational security measures (Art.32); (d) assist the Controller in fulfilling data subject rights requests within 72 hours of receipt; (e) notify the Controller of any personal data breach within 72 hours of becoming aware; (f) delete or return all personal data on termination of the agreement.
The Processor has implemented the following security measures: encryption in transit (TLS 1.2+), encryption at rest (Supabase AES-256), Row Level Security on all database tables, RBAC with admin access restricted to named users, CSRF protection on all mutation endpoints, per-user rate limiting on AI and billing routes, HTTP security headers (CSP, HSTS, X-Frame-Options), session management via Clerk with SameSite=Lax cookies, automated vulnerability scanning via npm audit in CI.
The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall: (a) impose the same data protection obligations on sub-processors; (b) notify the Controller of intended changes to sub-processors at least 14 days in advance; (c) remain liable for sub-processor acts and omissions.
Where personal data is transferred to a third country, the Processor shall ensure appropriate safeguards are in place under GDPR Art.46. Current transfers to the USA are covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914). A copy of applicable SCCs is available on request.
The Processor shall assist the Controller in responding to data subject rights requests (access, erasure, portability, restriction, rectification, objection) within 72 hours of notification by the Controller. The Processor provides a built-in DSR workflow at /dashboard/privacy for end users.
The Processor shall notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a personal data breach. Notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
Upon termination of the agreement, the Processor shall, at the Controller's choice, delete or return all personal data and certify deletion in writing within 30 days. Data required to be retained for legal or regulatory purposes shall be clearly documented and deleted as soon as the obligation ceases.
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or its designated auditor, with 30 days' advance notice. The Processor may refuse requests that unreasonably interfere with its operations or compromise confidentiality of other customers.
The Processor maintains an internal QMS (Quality Management System) at /admin/qms which can be made available to auditors under NDA.
| Sub-processor | Country | Purpose | Their DPA |
|---|---|---|---|
| Vercel Inc. | USA | Application hosting, serverless compute | vercel.com/legal/dpa |
| Supabase Inc. | USA | PostgreSQL database, storage, auth helpers | supabase.com/legal/dpa |
| Clerk Inc. | USA | Authentication, user identity, sessions | clerk.com/legal/privacy |
| Stripe Inc. | USA | Payment processing, subscription management | stripe.com/legal/dpa |
| Anthropic PBC | USA | LLM inference for AI Assistant feature | anthropic.com/privacy |
To execute this DPA, email privacy@peopleos.health with your company name, registered address, and the email of your authorised signatory. A countersigned copy will be returned within 5 business days.