saasbrowser.ai

Data Processing Agreement

Effective Date: March 19, 2026

Last Updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Drok AI LLC ("Processor", "we," "our," or "us") and the entity or person ("Controller", "you," or "your") accessing or using our Services.

1. Definitions

Terms used in this DPA have the meanings set forth in this DPA. Capitalized terms not otherwise defined have the meaning given in the Agreement or the EU General Data Protection Regulation (GDPR) or UK GDPR as applicable.

  • "Applicable Data Protection Law" means all applicable privacy and data protection laws including GDPR, UK GDPR, CCPA, and any other applicable privacy laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data.
  • "Sub-processor" means any third party engaged by Processor to Process Personal Data.
  • "Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Processing of Personal Data

2.1 Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller, including transfers to third countries;
  • Ensure persons authorized to process Personal Data have committed to confidentiality;
  • Implement appropriate technical and organizational measures to ensure security of Processing;
  • Not engage Sub-processors without Controller's prior written consent;
  • Assist Controller in responding to Data Subject requests;
  • Assist Controller in ensuring compliance with security, breach notification, and privacy impact assessments;
  • Delete or return all Personal Data after end of services;
  • Make available information necessary to demonstrate compliance.

2.2 Controller Obligations

Controller shall:

  • Provide lawful Processing instructions;
  • Have obtained all necessary consents and have a lawful basis for Processing;
  • Comply with all Applicable Data Protection Laws;
  • Not provide Personal Data of individuals under 13 without proper parental consent.

3. Nature and Purpose of Processing

3.1 Subject Matter

The Processing of Personal Data as necessary to provide the Services pursuant to the Agreement.

3.2 Duration

The duration of the Agreement plus the period until deletion of all Personal Data.

3.3 Types of Personal Data

  • Contact information (name, email address)
  • Account credentials
  • Usage data and analytics
  • Communication preferences
  • Content created within the Services
  • Payment information (processed via third-party payment processors)
  • IP addresses and device information

3.4 Categories of Data Subjects

  • Controller's customers and users
  • Controller's employees and contractors
  • Controller's prospects and leads

4. Security Measures

4.1 Technical and Organizational Measures

Processor implements and maintains the following security measures:

  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Access Control: Role-based access control, multi-factor authentication, principle of least privilege
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: Continuous security monitoring, vulnerability scanning, penetration testing
  • Incident Response: Documented incident response procedures, dedicated security team
  • Business Continuity: Regular backups, disaster recovery procedures, redundancy
  • Employee Training: Regular security and privacy training for all personnel

5. Sub-processors

5.1 Authorized Sub-processors

Controller consents to the following Sub-processors:

  • Supabase - Database services
  • Stripe - Payment processing
  • Resend - Email services
  • Cloudflare - Cloud infrastructure, CDN and security services
  • Anthropic - AI language model processing - Processes prompts and generates responses
  • OpenAI - AI language model processing - Processes prompts and generates responses
  • Google AI - AI and machine learning services - Processes prompts and generates responses

Note on AI Providers: When Controller or its users utilize AI features, prompts and associated data are transmitted to the selected AI provider for processing. These providers process data according to their own terms and privacy policies. Controller acknowledges that AI providers may use data for model improvement unless opted out per their policies.

5.2 New Sub-processors

Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, giving Controller the opportunity to object to such changes within 30 days. If Controller reasonably objects, the parties shall work together in good faith to address concerns.

6. International Data Transfers

6.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA/UK, Processor relies on:

  • EU-US Data Privacy Framework where applicable
  • Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) for UK transfers

6.2 Supplementary Measures

Additional safeguards include encryption, pseudonymization where appropriate, and contractual commitments from Sub-processors.

7. Data Subject Rights

7.1 Assistance with Requests

Processor shall assist Controller in fulfilling Data Subject requests for:

  • Access to Personal Data
  • Rectification or erasure
  • Restriction of Processing
  • Data portability
  • Objection to Processing
  • Not being subject to automated decision-making

7.2 Response Timeline

Processor shall respond to Controller requests within 5 business days or as required to meet legal deadlines.

8. Security Incidents

8.1 Notification

Processor shall notify Controller without undue delay and within 48 hours after becoming aware of a Security Incident affecting Controller's Personal Data.

8.2 Information Provided

Notification shall include:

  • Nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences
  • Measures taken or proposed to address the incident
  • Contact point for more information

8.3 Cooperation

Processor shall cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident.

9. Audits and Inspections

9.1 Audit Rights

Controller may audit Processor's compliance with this DPA up to once per year with 30 days' written notice, unless required more frequently by Applicable Data Protection Law or following a Security Incident.

9.2 Audit Process

  • Audits conducted during business hours
  • Minimize disruption to Processor's operations
  • Subject to confidentiality obligations
  • Controller bears audit costs unless material non-compliance is found

9.3 Certifications

Processor may provide relevant third-party certifications and audit reports in lieu of on-site audits where appropriate.

10. Data Retention and Deletion

10.1 Retention Periods

  • Active account data: Duration of Agreement
  • Backup data: 90 days after deletion request
  • Log data: 12 months
  • Analytics data: 24 months
  • Legal hold data: As required by law

10.2 Deletion

Upon termination, Processor shall promptly delete or return all Personal Data unless retention is required by law. A certificate of deletion is provided upon request.

11. Liability and Indemnification

11.1 Liability Cap

Each party's liability under this DPA is subject to the limitations in the Agreement, except for:

  • Gross negligence or willful misconduct
  • Regulatory fines directly resulting from a party's breach
  • Indemnification obligations

11.2 Indemnification

Each party shall indemnify the other against third-party claims arising from that party's breach of this DPA or Applicable Data Protection Law.

12. Standard Contractual Clauses

12.1 Incorporation

The EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by Commission Implementing Decision (EU) 2021/914 are incorporated by reference and form part of this DPA for transfers of Personal Data from the EEA.

12.2 Interpretation

In case of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail for Personal Data originating from the EEA/UK.

12.3 Annexes to SCCs

  • Annex I: As described in Sections 2-3 of this DPA
  • Annex II: As described in Section 4 of this DPA
  • Annex III: As described in Section 5 of this DPA

13. Miscellaneous

13.1 Order of Precedence

In case of conflict: (1) Applicable Data Protection Law, (2) Standard Contractual Clauses, (3) this DPA, (4) the Agreement.

13.2 Modification

Modifications to this DPA must be in writing and signed by both parties, except for updates to the Sub-processor list made with proper notice.

13.3 Severability

If any provision is held invalid, the remainder continues in full force and effect.

13.4 Entire Agreement

This DPA, including incorporated Standard Contractual Clauses, constitutes the entire agreement regarding Processing of Personal Data.

14. Contact Information

Data Protection Officer

Drok AI LLC
Email: privacy@saasbrowser.ai
Address: 30 N Gould St, Ste R, Sheridan, WY 82801, USA

EU/UK Representative

To be appointed if required based on user base.


Agreement Execution

By accepting the Terms of Service, you agree to be bound by this Data Processing Agreement including the Standard Contractual Clauses incorporated herein.