Data Processing Agreement

1. Scope and Applicability

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Social Protocol Labs LLC ("Processor," "we," "us") and the customer ("Controller," "you") who uses MigrateForce services. This DPA applies to the extent that we process Personal Data on your behalf in connection with the Services.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.

"Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Data Processing Details

Categories of Data Subjects: End users of the Controller's account, including employees and authorized agents.

Types of Personal Data: Account information (name, email address), usage metadata, IP addresses, and any personal data contained within OpenAPI specifications or configuration files uploaded to the Services.

Purpose of Processing: To provide the MigrateForce Services as described in the Terms of Service, including parsing OpenAPI specifications, generating MCP server code, and providing the web dashboard.

Duration: For the duration of the service agreement, plus any retention period described in our Privacy Policy.

4. Processor Obligations

We shall:

• Process Personal Data only on your documented instructions, unless required by applicable law
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest
• Not engage another processor (Sub-processor) without your prior general written authorization, and inform you of any intended changes to Sub-processors, giving you the opportunity to object
• Assist you in responding to data subject requests to exercise their rights under applicable data protection law
• Assist you in ensuring compliance with obligations related to security, breach notification, impact assessments, and consultations with supervisory authorities
• At your choice, delete or return all Personal Data upon termination of the Services, unless retention is required by applicable law
• Make available to you all information necessary to demonstrate compliance with this DPA

5. Controller Obligations

You shall:

• Ensure that you have a lawful basis for processing Personal Data and for instructing us to process it on your behalf
• Provide us with documented instructions regarding the processing of Personal Data
• Ensure that data subjects have been informed of the processing in accordance with applicable data protection law
• Notify us promptly if you become aware of any data subject requests or regulatory inquiries relating to our processing

6. Sub-processors

You provide general authorization for us to engage Sub-processors to perform specific processing activities. Our current Sub-processors are:

• Supabase Inc. — Database hosting, authentication services (United States)
• Google Cloud Platform (Google LLC) — Cloud infrastructure (United States)
• Resend Inc. — Transactional email delivery (United States)

We will notify you at least 30 days in advance of any intended addition or replacement of Sub-processors by updating this page or notifying you via email. If you object to a new Sub-processor, you may terminate the affected Services by providing written notice within 30 days of our notification.

7. Security Measures

We implement and maintain appropriate technical and organizational security measures, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms, including role-based access and multi-factor authentication for administrative access
• Regular security assessments and vulnerability scanning
• Logical separation of customer data
• Incident response and disaster recovery procedures
• Employee security awareness training

8. Data Breach Notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting your Personal Data. The notification will include:

• A description of the nature of the Data Breach
• The categories and approximate number of data subjects and records affected
• The likely consequences of the Data Breach
• The measures taken or proposed to address the Data Breach, including measures to mitigate its effects

9. International Data Transfers

Personal Data is processed primarily in the United States. To the extent that Personal Data is transferred from the European Economic Area ("EEA"), United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

10. Audits

Upon reasonable request and subject to confidentiality obligations, we will make available to you information necessary to demonstrate compliance with this DPA. You may conduct an audit, or appoint a qualified third-party auditor (subject to reasonable confidentiality obligations) to conduct an audit, no more than once per calendar year, with at least 30 days' prior written notice, during normal business hours, and in a manner that does not unreasonably disrupt our operations.

11. Data Retention and Deletion

Upon termination of the Services, and at your written request, we will delete or return all Personal Data within 30 days, unless applicable law requires further retention. We will provide written confirmation of deletion upon request.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, consistent with the governing law provisions of the Terms of Service. To the extent required by applicable data protection law (such as GDPR), the data protection laws of the relevant jurisdiction shall apply to the data protection aspects of this DPA.

13. Contact

For questions about this DPA or data processing practices, contact us:

• Privacy inquiries: privacy@sociallabs.com
• Legal inquiries: legal@sociallabs.com

Social Protocol Labs LLC
A Delaware Limited Liability Company
Attn: Data Protection