Data Processing Agreement
Last updated: January 7, 2026
Need a DPA or BAA?
We provide Data Processing Agreements (DPAs) for GDPR compliance and Business Associate Agreements (BAAs) for HIPAA compliance. Contact our compliance team to request the appropriate agreement for your needs.
This page provides information about our Data Processing Agreement (DPA) and Business Associate Agreement (BAA) for customers who need to comply with data protection regulations.
Overview
When you use Dashboard AI to process personal data, you decide why and how that data is processed (you are the data controller) and we process it on your behalf (we are the data processor). A Data Processing Agreement sets out the terms under which we process that data; GDPR Article 28 requires such a written contract between a controller and its processor, and the DPA is how we satisfy it.
Data Processing Agreement (DPA)
Our DPA is designed to meet the requirements of the General Data Protection Regulation (GDPR) and other data protection laws. It covers:
Scope of Processing
- Categories of data subjects (your customers, employees, etc.)
- Types of personal data processed (names, emails, business data, etc.)
- Purpose of processing (dashboard creation, analytics, reporting)
- Duration of processing (while you have an active account)
Processor Obligations
As your data processor, Dashboard AI commits to:
- Process data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist with data subject rights requests
- Support your compliance obligations (audits, DPIAs, etc.)
- Delete or return data upon termination of services
- Notify you without undue delay after becoming aware of a personal data breach, so that you can meet your own notification deadlines
Sub-processors
We use carefully vetted sub-processors to provide our services. Our DPA includes:
- List of approved sub-processors
- Procedure for adding new sub-processors
- Your right to object to new sub-processors
- Our obligation to impose data protection terms on sub-processors
International Data Transfers
For transfers of personal data outside the EEA, our DPA incorporates:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures where required following the CJEU's Schrems II decision
- Transfer impact assessments
Business Associate Agreement (BAA)
For customers who process Protected Health Information (PHI) under HIPAA, we offer a Business Associate Agreement that covers:
HIPAA Compliance Obligations
- Use and disclosure limitations for PHI
- Appropriate safeguards to protect PHI
- Reporting of security incidents and breaches
- Ensuring subcontractors that handle PHI agree to the same restrictions and conditions that apply to us under the BAA
- Making PHI and the related internal practices, books, and records available for compliance verification, including to the Secretary of HHS where required
- Return or destruction of PHI upon termination
Security Rule Compliance
Our BAA commits us to the safeguards the HIPAA Security Rule requires of business associates:
- Administrative Safeguards: Security policies, risk analysis, workforce training, access management
- Physical Safeguards: Facility access controls, workstation security
- Technical Safeguards: Access controls, audit controls, integrity controls, person or entity authentication, transmission security (including encryption)
Our Sub-processors
We use the following sub-processors to provide our services. All sub-processors are bound by data protection agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Cloud infrastructure and hosting | United States |
| Clerk | User authentication | United States |
| Stripe | Payment processing | United States |
| Anthropic | AI processing for insights | United States |
| Neon | Database hosting | United States |
We will notify you before adding new sub-processors, giving you the opportunity to object. Subscribe to sub-processor updates by emailing compliance@dashboard-ai.co.
Technical and Organizational Measures
Our DPA and BAA reference the technical and organizational measures we implement to protect your data. These include:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Control: Role-based access, MFA for employees
- Monitoring: 24/7 security monitoring and logging
- Backup: Daily encrypted backups with geographic redundancy
- Incident Response: Documented procedures for security incidents
- Employee Training: Regular security and privacy training
For full details, see our Security page.
How to Request an Agreement
DPA (GDPR)
Email compliance@dashboard-ai.co with:
- Your company name and address
- Contact person for data protection matters
- Your Dashboard AI account email
- Any specific requirements or customizations
BAA (HIPAA)
Email compliance@dashboard-ai.co with:
- Your covered entity or business associate status
- Company name and address
- Privacy officer contact information
- Description of PHI you plan to process
Processing Time
Standard DPA requests are typically processed within 5 business days. Custom agreements or BAAs may take 10-15 business days depending on complexity.
Frequently Asked Questions
Is the DPA included in my subscription?
Yes, our standard DPA is available at no additional cost to all customers. Custom agreements may incur additional fees for legal review.
Can I use my own DPA template?
We prefer to use our standard DPA as it has been reviewed by our legal team. However, we can review customer DPAs on a case-by-case basis, which may incur legal review fees.
Do I need a DPA?
If you use Dashboard AI to process personal data that is subject to the GDPR (for example, data about individuals located in the EU/EEA), Article 28 requires a written contract with your processor, which our DPA provides. If you are a covered entity or business associate processing PHI under HIPAA, you need a BAA before any PHI reaches our service. Contact us if you're unsure about your requirements.
How are updates to sub-processors communicated?
We maintain a list of sub-processors on this page and notify customers via email at least 30 days before adding new sub-processors. You can object to new sub-processors within this period.
Contact Us
For questions about data processing agreements or compliance matters, contact:
Dashboard AI
15 Benton Drive
East Longmeadow, MA 01028
Compliance Team: compliance@dashboard-ai.co
Privacy Officer: privacy@dashboard-ai.co