Data Processing Agreement
Last updated: May 9, 2026 · Effective when countersigned
This page is the standard template for the Data Processing Agreement (“DPA”) that OJOS, LLC (DBA Off Hours, “Processor”) offers to its business customers (“Controller”) who are subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), or similar data protection laws. To execute a signed copy adapted to your specific use of Off Hours, contact hello@off-hours.app.
1. Parties & Subject Matter
This DPA forms part of the agreement between the Controller (the customer entity using Off Hours) and the Processor (OJOS, LLC, a Utah limited liability company affiliated with TCN Group). The DPA governs the Processor’s processing of Personal Data on behalf of the Controller in connection with the provision of the Off Hours service (“Services”) — Amazon Ads scheduling and rule-automation software offered at off-hours.app and dashboard.off-hours.app.
In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data.
2. Duration
This DPA takes effect on the date of countersignature and remains in force for the duration of the Controller’s subscription to the Services, plus the retention periods described in Section 8 (Retention & Deletion).
3. Nature & Purpose of Processing
The Processor processes Personal Data on behalf of the Controller solely to provide the Services. This includes:
- Authenticating users and managing workspace access.
- Storing rule definitions and executing them against the Controller’s connected Amazon Advertising profiles via the Amazon Advertising API.
- Processing payments via Stripe and managing subscription state.
- Sending transactional email (sign-up confirmation, password reset, trial reminders, deletion confirmations) via Resend.
- Operating the AI rule-builder feature when the Controller’s users invoke it (sending prompts to Anthropic).
- Operating the cron pipeline that executes rules on schedule (Trigger.dev).
- Server-side logging for service reliability and security auditing.
The Processor will not process Personal Data for any purpose other than as instructed by the Controller and as necessary to provide the Services, except as required by applicable law.
4. Categories of Personal Data & Data Subjects
Categories of Data Subjects: the Controller’s personnel and authorized end-users who hold accounts in the Off Hours service and any individuals invited as workspace members.
Categories of Personal Data:
- Identity data: name and email address.
- Authentication data: hashed passwords, OAuth refresh tokens (Amazon, Google), session tokens.
- Billing data: Stripe customer ID, subscription status, billing address (collected and stored by Stripe; the Processor never sees card numbers).
- Workspace metadata: workspace name, workspace type, team-member emails.
- Amazon Ads metadata: profile names, profile IDs, marketplace IDs, campaign names, and campaign IDs accessed via the Amazon Advertising API under the advertising::campaign_management scope.
- Usage data: server-side request logs (IP address, user agent, request path, timestamps) and cron execution logs.
- Communications: the Controller’s users’ AI rule-builder prompts and responses.
The Processor does not process special category data (Article 9 GDPR) or criminal-offense data (Article 10 GDPR), and does not knowingly process the personal data of children under 16.
5. Subprocessors
The Controller authorizes the Processor to engage the following subprocessors, each of whom processes Personal Data on the Processor’s behalf under written agreements providing GDPR Article 28 protections:
- Stripe, Inc. (United States) — payment processing.
- Supabase, Inc. (United States) — database (PostgreSQL), authentication, file storage.
- Vercel, Inc. (United States) — application hosting, serverless functions, edge middleware.
- Resend, Inc. (United States) — transactional email delivery.
- Anthropic, PBC (United States) — Claude API for the AI rule-builder feature.
- Trigger.dev, Inc. (United States) — cron task orchestration for rule execution.
The Processor will give the Controller at least 30 days’ prior notice of any new subprocessor by updating this list and notifying active customers by email. The Controller may object to the addition of a new subprocessor on reasonable grounds; if the parties cannot resolve the objection, the Controller may terminate the affected Services without penalty.
6. International Data Transfers
All processing currently occurs in the United States. For Personal Data transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, the Processor relies on:
- The EU-US Data Privacy Framework (and the UK and Swiss extensions thereto) where the recipient is DPF-certified.
- The European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor, Module Three: Processor-to-Subprocessor) where DPF certification is not available, incorporated by reference into this DPA.
- The UK Addendum to the Standard Contractual Clauses for transfers from the United Kingdom.
7. Security Measures
The Processor implements technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures currently in place include:
- TLS 1.2 or higher for all data in transit; HTTPS-only for the Services.
- At-rest encryption for the database (Supabase) and deployment artifacts (Vercel).
- Row-level security policies enforcing per-user and per-workspace data scoping in the database.
- Bcrypt password hashing; mandatory email confirmation on sign-up.
- OAuth scope minimization (Amazon Advertising API access limited to advertising::campaign_management — no reporting, search-term, or keyword data accessed).
- 30-day soft-delete reversal window before hard-delete of customer data.
- Rate limiting on AI features and external APIs.
- Audit logging of schedule executions, OAuth state changes, and admin actions.
- Production secrets stored in encrypted environment variables; no secrets in version control.
- Least-privilege access controls for production database; admin actions gated through audited admin-tool routes.
The Processor reviews these measures periodically and updates them to maintain appropriate security in light of the state of the art and the nature of the processing.
8. Retention & Deletion
Personal Data is retained for the duration of the Controller’s subscription. On termination or on the Controller’s deletion request, the Processor will:
- Apply a 30-day soft-delete reversal window during which the account can be restored by the Controller.
- Hard-delete account data within 30 days of the soft-delete window expiring.
- Retain billing records (Stripe transaction records and invoices) for 7 years to comply with US tax law (IRC § 6001) and applicable state requirements.
- Delete or anonymize all other Personal Data per the Privacy Policy retention schedule.
On request, the Processor will certify in writing that the deletion has been completed.
9. Data Subject Rights
The Processor will assist the Controller, by appropriate technical and organizational measures and to the extent reasonably possible, in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws (Articles 15-22 GDPR), including:
- Right of access (Article 15).
- Right to rectification (Article 16).
- Right to erasure (Article 17).
- Right to restriction (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21).
The Processor will respond to data subject requests within 30 days, subject to the billing records retention exception noted above.
10. Personal Data Breach Notification
The Processor will notify the Controller without undue delay (and in any case within 72 hours where feasible) after becoming aware of a Personal Data breach affecting the Controller’s data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
11. Audit Rights
The Processor will make available to the Controller, on reasonable request, all information necessary to demonstrate compliance with this DPA. Where the Controller’s applicable law requires it, the Processor will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality obligations and at the Controller’s expense, and limited to one audit per calendar year absent reasonable grounds for additional audits.
The Processor may satisfy this obligation by providing the Controller with the audit reports of its subprocessors (e.g., SOC 2 Type II reports for Supabase and Trigger.dev) in lieu of a direct audit, where such reports are reasonably current and address the Controller’s concerns.
12. Liability & Termination
Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA terminates automatically on termination of the Terms of Service.
13. Governing Law
This DPA is governed by the laws of the State of Utah, United States, except that where mandatory provisions of the data subject’s home jurisdiction (such as the GDPR for EEA data subjects) apply, those provisions take precedence.
Execution
To execute a countersigned copy of this DPA, contact hello@off-hours.app with your company name, the Controller-side signatory, and any specific terms you wish to discuss.
For questions about this template or our data processing practices, see the Privacy Policy.