Data Processing Agreement
Version 2026-04-22 · Effective 2026-04-22
This Data Processing Agreement ("DPA") forms part of the SupportCore Terms of Service between Lord Systems, LLC ("Processor") and the customer accepting it through the SupportCore app ("Controller") and applies whenever Processor processes Personal Data on behalf of Controller as described in the Service.
Capitalised terms not defined here have the meanings given in the GDPR.
1. Subject matter & duration
Processor will process Personal Data on Controller's behalf for the duration of Controller's subscription to the Service. Processing ends when the subscription ends, subject to the post-termination retention described in Section 9.
2. Nature & purpose
Processor processes Personal Data only to provide and maintain the Service: hosting tickets and conversations, sending and receiving email on Controller's behalf, routing live chats, generating AI suggestions and summaries when enabled, and exposing the underlying data to Controller's authorised agents through the Service interfaces.
3. Categories of data subjects & data
- Data subjects: Controller's end users (the people contacting Controller for support), Controller's agents (who log into the Service), and Controller's contacts (people stored in the contact records for marketing or support purposes).
- Categories: identifiers (name, email, optional phone), free-text message content, attachments, IP address and user-agent for chat visitors, optional location and device telemetry where Controller has enabled visitor session telemetry.
4. Controller obligations
Controller:
- warrants that it has a lawful basis for the processing it instructs Processor to perform;
- will provide its end users with a privacy notice that covers the processing carried out through the Service;
- is responsible for the lawfulness of the content its agents and end users submit.
5. Processor obligations
Processor will:
- process Personal Data only on documented instructions from Controller (including these terms and Controller's use of the Service);
- ensure that personnel with access to Personal Data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organisational measures (Section 7);
- not engage another sub-processor without Controller's general authorisation as described in Section 6;
- assist Controller in fulfilling its obligations regarding data subject requests, security incident notifications, data protection impact assessments, and prior consultations with supervisory authorities;
- delete or return Personal Data at the end of the engagement (Section 9);
- make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR.
6. Sub-processors
Controller authorises Processor to engage the sub-processors listed at [/legal/sub-processors](/legal/sub-processors). Processor will:
- notify Controller (via in-app banner + email to the workspace OWNER) at least 30 days before adding a new sub-processor with access to workspace content;
- impose data protection obligations on each sub-processor that are no less protective than those in this DPA;
- remain responsible for sub-processor performance.
If Controller objects to a new sub-processor in good faith on reasonable grounds, Controller may terminate the affected portion of the Service for convenience during the notice period.
7. Security
Processor will maintain technical and organisational measures including: TLS in transit, at-rest encryption for attachments, least-privilege database access, per-tenant logical isolation, audit logs on permission-sensitive actions, optional 2FA enforcement, optional IP allow-listing, optional SAML SSO, periodic vulnerability scanning, and a security incident response process.
8. Personal Data Breach notification
Processor will notify Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's data, providing the information Controller needs to comply with its own Article 33 / 34 obligations.
9. Return & deletion
On termination of the Service, Processor will retain workspace content for a 90-day grace window during which Controller may export or re-activate. After the grace window, Processor will delete all Personal Data except where retention is required by law (e.g. tax, billing). Backups are purged on the rolling PITR window of our hosting provider.
For erasure of an individual data subject (Article 17), the disclosed worst-case end-to-end SLA is 45 days, dominated by the natural retention of our outbound mail provider's message archive. Live database erasure completes in under one minute. A defense-in-depth re-scrub task runs daily to ensure that any backup restore that re-introduces an erased subject's PII is re-anonymised within 24 hours. The full per-record retention catalogue is maintained in our ops-facing Data Retention Policy and is available to Controller on request.
10. Audits
Controller may, on reasonable notice, request information necessary to verify Processor's compliance with this DPA. Where formal audits are required by law, the parties will agree on scope, timing, and cost in advance.
11. International transfers
Where Personal Data is transferred outside the EEA / UK, the parties rely on the Standard Contractual Clauses (Module 2 controller → processor) which are incorporated by reference. Sub-processors located outside the EEA / UK are bound by equivalent terms.
12. Liability
Liability under this DPA is subject to the limitations in the SupportCore Terms of Service.
13. Changes
Processor may update this DPA. Material changes are announced in-app and emailed to the workspace OWNER at least 30 days before they take effect, and require fresh acceptance by the OWNER through the SupportCore app. The current version + effective date are visible at the top of this page.