Data Processing Addendum
Effective date: 7 May 2026 Last updated: 8 May 2026
Note on the current contracting party. This Data Processing Addendum is currently entered into by 1fifty BV (Belgium, VAT BE1038210695) during the formation of a dedicated 1fifty legal entity. References to “we”, “us”, “our”, and “Processor” in this Addendum refer to 1fifty BV. Once the dedicated 1fifty legal entity is incorporated, this Addendum will be assigned to that new entity and you will be notified through the Service.
1. About this Addendum
This Data Processing Addendum (the “DPA” or “Addendum”) forms part of, and is incorporated by reference into, the Terms of Service (the “Agreement”) between you (“Customer”, “you”, “Controller”) and 1fifty BV (“we”, “us”, “our”, “Processor”, or “1fifty”).
It applies whenever you, in your use of the 1fifty mobile application or any related services (collectively, the “Service”), upload, store, or otherwise instruct us to process personal data of third parties (for example, your contacts, prospects, the representatives of companies you track, or the attendees of events you log) — together “Customer Personal Data”. For that data you act as a controller, joint controller, or processor under applicable data-protection law, and we act as a processor (or sub-processor, where you yourself are a processor for someone else) on your behalf.
This Addendum does not govern personal data for which we act as an independent controller, including:
- account, authentication, billing, security, audit-log, and operational-telemetry data we collect from you to operate the Service (governed by our Privacy Policy); and
- personal data you upload about yourself as the data subject (governed by our Privacy Policy).
This Addendum is binding upon your acceptance of the Agreement, or upon your separate execution of this Addendum, whichever occurs first, and remains in force for the term of the Agreement and as long as we process Customer Personal Data on your behalf.
This Addendum is made available in English only.
2. Definitions
Capitalised terms used in this Addendum that are not defined below have the meanings given in the Agreement, or, if not defined there, in the Privacy Policy or in Regulation (EU) 2016/679 (the “GDPR”). For the purposes of this Addendum:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Agreement, including the GDPR; the United Kingdom General Data Protection Regulation as it forms part of UK law (the “UK GDPR”); the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (“FADP”); and, where applicable, the California Consumer Privacy Act as amended (“CCPA/CPRA”).
- “Customer Personal Data” has the meaning given in Section 1.
- “Data Subject”, “personal data”, “processing”, “controller”, “processor”, “sub-processor”, “personal data breach”, and “supervisory authority” have the meanings given in the GDPR.
- “EEA” means the European Economic Area.
- “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended from time to time.
- “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018.
- “Standard Contractual Clauses” means, together, the EU SCCs, the EU SCCs as adapted for Switzerland under Section 6.5, and the EU SCCs as amended by the UK Addendum.
- “Sub-processor” means any third party engaged by us to process Customer Personal Data on your behalf in connection with the Service.
- “EU-U.S. DPF” means the EU-U.S. Data Privacy Framework adopted by Commission Implementing Decision (EU) 2023/1795, including the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF where applicable.
- “Service Provider” has the meaning given in the CCPA/CPRA.
3. Roles of the parties
3.1 Controller / processor relationship
For Customer Personal Data, you are the controller (or, where you are yourself acting as a processor for another controller, you are a processor and we are a sub-processor — in which case the obligations imposed on us under this Addendum mirror, and are no greater than, the obligations imposed on you by the relevant upstream controller). We are the processor.
We process Customer Personal Data only on your documented instructions, which are deemed to consist of:
- the Agreement and the Privacy Policy;
- this Addendum;
- the configuration choices you make within the Service (e.g., the contacts and companies you import, the AI features you trigger, the labels and templates you create); and
- any further written instructions you give us through the in-app interfaces or via support correspondence at support@1fifty.ai or privacy@1fifty.ai.
If we believe an instruction infringes Applicable Data Protection Law, we will inform you without undue delay (Article 28(3)(h) GDPR).
3.2 What we do not do with Customer Personal Data
We do not:
- sell Customer Personal Data;
- share Customer Personal Data for cross-context behavioural advertising;
- use Customer Personal Data for our own commercial purposes (including profiling, advertising, or model training) outside the scope of providing, maintaining, securing, supporting, and improving the Service solely for the benefit of the Customer, and not for cross-customer behavioural profiling or generalised model training;
- combine Customer Personal Data received from you with personal data we receive from other customers, except for aggregated and anonymised information that can no longer reasonably be used to identify a data subject; or
- process Customer Personal Data outside the geographic scope authorised by Section 12.
We provide the certifications required by §1798.140(j)(1) and §1798.140(ag)(1) of the CCPA/CPRA and act as a Service Provider in respect of Customer Personal Data processed on behalf of California residents.
3.3 Customer responsibilities
You are responsible for:
- having a lawful basis (Article 6 GDPR or equivalent) for the processing you instruct us to carry out;
- ensuring you have provided the privacy notices, and obtained the consents, required by Applicable Data Protection Law in respect of the data subjects whose personal data you upload;
- not uploading any special category of personal data (Article 9 GDPR — including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation), personal data relating to criminal convictions and offences (Article 10 GDPR), national-identification or other government-issued identifiers, financial-account credentials, or personal-health records, except where you have a lawful basis to do so and have specifically agreed those categories with us in writing;
- not uploading Protected Health Information (“PHI”) subject to the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). The Service is not designed to process PHI, we do not enter into Business Associate Agreements (“BAAs”), and HIPAA workloads are not supported. Any use of the Service to process PHI is a breach of this Addendum and the Agreement;
- not uploading any personal data of children below the applicable digital-consent age threshold;
- the accuracy, quality, and legality of Customer Personal Data and the means by which you obtained it; and
- responding to data-subject-rights requests addressed to you under the Agreement and Applicable Data Protection Law.
4. Details of processing (Article 28(3))
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Annex 1 to this Addendum. Annex 1 is part of this Addendum.
5. Confidentiality
We ensure that any person we authorise to process Customer Personal Data is subject to a written, statutory, or other binding obligation of confidentiality at least as protective as the obligations in this Addendum. We grant access to Customer Personal Data only on a strict need-to-know basis and revoke access promptly when it is no longer needed.
6. Sub-processors
6.1 General authorisation to engage sub-processors
You provide your general written authorisation (Article 28(2) GDPR) for us to engage Sub-processors to process Customer Personal Data, subject to the following conditions:
- the current canonical list of Sub-processors is set out in Annex 3 to this Addendum, which is the authoritative legal source. The Privacy Policy may include a public-facing summary that mirrors Annex 3, but the Annex 3 list governs in any case of conflict;
- we will inform you of any intended addition or replacement of a Sub-processor at least fourteen (14) days in advance (by updating Annex 3, by an in-app notice, or by email to the address associated with your account), thereby giving you sufficient time to object before the Sub-processor is engaged;
- if you reasonably object to a new Sub-processor on data-protection grounds, you may notify us in writing at legal@1fifty.ai. We will work with you in good faith to find a workable resolution within thirty (30) days of your objection. If no resolution can be reached within that period, you may terminate the affected portion of the Service in accordance with the Agreement, without liability to us beyond fees due for the period before termination;
- we impose data-protection obligations on each Sub-processor that are at least as protective as those in this Addendum, including, where required, Article 28(3) provisions and the Standard Contractual Clauses;
- Sub-processors may process Customer Personal Data only for the specific purposes instructed by us under this Addendum, and may not use Customer Personal Data for their own independent commercial, analytical, or model-training purposes; and
- we remain fully liable to you for the acts and omissions of our Sub-processors as if they were our own.
6.2 AI Sub-processors — zero-retention and no-training posture
In addition to the obligations in Section 6.1, where a Sub-processor processes Customer Personal Data on our behalf for the purpose of generative-AI inference (extraction, cleanup, enrichment, or similar):
- we configure routing such that, where supported by the selected AI provider, zero-data-retention (“ZDR”) and no-training modes are enabled for AI processing of Customer Personal Data, and we reject requests that cannot be processed under those settings;
- Customer Personal Data submitted to AI Sub-processors is not used by us for generalised model training, and we contractually require AI Sub-processors not to use it for training, fine-tuning, or improvement of their own models without our (and your) explicit further authorisation;
- prompt and response content is not persistently logged on our own servers; only feature-usage metadata (action type, timestamp, anonymised user identifier) is logged for billing and security; and
- the current AI Sub-processor configuration is described in Annex 3.
6.3 Sub-processors and merchants of record acting as independent controllers
Some recipients listed in Annex 3 — in particular Apple App Store and Google Play acting as merchants of record — act as independent controllers, not as our Sub-processors, for the parts of the processing they carry out under their own terms. Identity providers used for third-party sign-in (e.g., Google, Apple, LinkedIn, Facebook, X) may act as independent controllers for the authentication-event data they process under their own terms, depending on the configuration and on the identity provider’s own role allocation. Their relationship with you is governed by their own terms and privacy notices and is outside the scope of this Addendum.
7. Security of Customer Personal Data
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk (Article 32 GDPR).
The canonical technical and organisational measures are set out in Annex 2 to this Addendum. The Privacy Policy may include a public-facing summary that mirrors Annex 2, but Annex 2 governs in any case of conflict. We may update Annex 2 from time to time provided that the level of security is not materially diminished.
8. Personal data breaches
We will notify you of any Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, in any case in time to allow you to comply with any applicable notification obligations under Article 33 GDPR or equivalent law. Our notification will, to the extent reasonably available at the time, include:
- the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
- the contact point at 1fifty for further information;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
We will reasonably cooperate with you in your investigation, mitigation, and notification of the breach, taking into account the nature of the processing and the information available to us. Our internal breach-response procedure is documented in docs/legal/DATA-BREACH-PROCEDURE.md (internal document available to the supervisory authority on request).
The fact of, and our cooperation with, any breach notification is not an admission of fault or liability. Our breach-related obligations do not apply to incidents caused by your acts or omissions.
9. Assistance with data-subject rights
Taking into account the nature of the processing, we will assist you, by appropriate technical and organisational measures and insofar as possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated individual decision-making).
In practice, the Service makes available to you:
- self-service export of Customer Personal Data via Profile → Download My Data (Article 20);
- self-service rectification by editing records directly within the App (Article 16);
- self-service erasure via Profile → Delete Data (per category) and Profile → Delete Account (full account) (Article 17); and
- self-service restriction by removing categories of data or by ceasing to use specific AI features (Articles 18 and 21).
If a data subject contacts us directly with a request that relates to Customer Personal Data, we will, to the extent permitted by law, refer them to you and notify you of the request without undue delay so you can respond.
You bear any costs and expenses arising from the assistance described in this Section, except to the extent that the request results from our breach of this Addendum or of Applicable Data Protection Law.
10. Assistance with DPIAs and prior consultation
We will provide you, taking into account the nature of the processing and the information available to us, with reasonable assistance to comply with your obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities). Our existing Data Protection Impact Assessment for the AI-powered features of the Service is documented in docs/legal/DATA-PROTECTION-IMPACT-ASSESSMENT.md.
You bear any costs and expenses arising from the assistance described in this Section, except to the extent that the assistance is required as a direct consequence of our breach of this Addendum or of Applicable Data Protection Law.
11. Audits
We will make available to you all information necessary to demonstrate compliance with our obligations under this Addendum and Article 28 GDPR, and we will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you (Article 28(3)(h) GDPR), subject to the following:
- we will respond to reasonable written audit requests sent to legal@1fifty.ai by providing the most recent independent third-party audit reports, certifications, and security questionnaires available to us, through available third-party reports and certifications in the first instance;
- if those reports do not provide sufficient information for you to demonstrate compliance, you may request a further audit (no more than once per twelve-month period unless required by Applicable Data Protection Law or following a Personal Data Breach), to be carried out at a mutually agreed time, during regular business hours, with reasonable prior notice (no less than thirty (30) days), under reasonable confidentiality obligations, in a manner that does not unreasonably disrupt our business or compromise the confidentiality, security, or availability of other customers’ data, and at your cost;
- you may use a qualified independent third party to conduct the audit, provided that auditor is not a competitor of ours and is bound by appropriate confidentiality obligations;
- the audits described in Clause 8.9 of the EU SCCs (where the Standard Contractual Clauses apply) will be conducted in accordance with this Section.
12. International transfers
12.1 Permitted transfers and EEA residency
Customer Personal Data is primarily hosted within the EEA, unless otherwise stated in Annex 3 (which lists each Sub-processor and its processing region) or where transfers outside the EEA are required for support, security, or infrastructure operations carried out by Sub-processors located outside the EEA as listed in Annex 3.
You acknowledge that the Service relies on Sub-processors located in the EEA, the United Kingdom, and the United States, as set out in Annex 3. Where personal data is transferred outside the EEA, the United Kingdom, or Switzerland, we rely on the following transfer mechanisms, in order of preference:
- an applicable European Commission, UK, or Swiss adequacy decision (including the EU-U.S. DPF and its UK Extension and the Swiss-U.S. DPF where the Sub-processor is certified);
- otherwise, the Standard Contractual Clauses as supplemented by appropriate technical and organisational measures (Schrems II safeguards), described below.
12.2 EU SCCs
Where Customer Personal Data is transferred from the EEA to a country not covered by an adequacy decision, the EU SCCs are deemed entered into and are incorporated into this Addendum by reference, with the following selections:
- Module 2 (Controller to Processor) applies when you act as a controller and we act as your processor.
- Module 3 (Processor to Sub-processor) applies when you act as a processor and we act as your sub-processor.
- The optional docking clause in Clause 7 does not apply.
- In Clause 9, Option 2 (general written authorisation) applies, with the prior-notice period set out in Section 6.1 of this Addendum (14 days).
- In Clause 11, the optional independent dispute-resolution body language does not apply.
- In Clause 17 (Option 1), the EU SCCs are governed by the law of Belgium.
- In Clause 18(b), disputes are resolved before the courts of the judicial district of Antwerp, division Mechelen, Belgium.
- Annex I.A is populated by the parties’ contact details set out in the Agreement and in §1 of this Addendum.
- Annex I.B is populated by Annex 1 to this Addendum.
- Annex I.C is populated by the supervisory authority identified in §12 of the Privacy Policy (the Belgian Data Protection Authority).
- Annex II is populated by Annex 2 to this Addendum.
- Annex III is populated by Annex 3 to this Addendum.
12.3 UK Addendum
Where Customer Personal Data is transferred from the United Kingdom to a country not covered by a UK adequacy decision, the EU SCCs are amended and supplemented by the UK Addendum, which is deemed entered into and incorporated into this Addendum by reference, with the start date being the date this Addendum becomes binding under Section 1.
12.4 Switzerland
Transfers from Switzerland to a country not covered by a Swiss adequacy decision rely on the EU SCCs with the following adaptations:
- references to the GDPR are read as including the FADP;
- the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority for transfers governed by the FADP;
- references to “EU Member State” are not interpreted to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence under Clause 18(c) of the EU SCCs.
12.5 Supplementary measures (Schrems II)
In support of any transfer governed by the Standard Contractual Clauses, we apply, and require Sub-processors to apply, supplementary technical, contractual, and organisational measures including:
- TLS encryption in transit and at-rest encryption for stored data;
- access controls limiting access to authorised personnel on a need-to-know basis;
- documented procedures to challenge disproportionate or unlawful access requests by public authorities;
- we interpret government-access requests narrowly and disclose only the minimum information legally required to comply with the specific binding legal request, refusing requests that are over-broad, fishing expeditions, or otherwise not strictly necessary;
- a commitment to notify you, where lawfully permitted, of any binding government-access request received in respect of Customer Personal Data, and to push back on such requests by all available legal means, including by exhausting available judicial remedies before disclosure;
- a commitment to publish (subject to applicable law and gag orders) periodic transparency information regarding the volume and types of government-access requests received, to the extent legally permissible; and
- the absence, as of the date this Addendum becomes binding, of any government-access request that has resulted in disclosure of Customer Personal Data without an appropriate safeguard.
13. Term, termination, and return or deletion of Customer Personal Data
13.1 Term
This Addendum starts on the date it becomes binding under Section 1 and continues for the duration of the Agreement and for as long as we process Customer Personal Data on your behalf.
13.2 Return or deletion
Upon termination of the Agreement or your account, and at your choice, we will return or delete Customer Personal Data, except where (i) further storage is required by Applicable Data Protection Law or other applicable law (for example, the Belgian accounting and tax retention obligations described in §5 of the Privacy Policy) or (ii) deletion is technically infeasible without disproportionate effort, in which case we will continue to protect Customer Personal Data and will limit its further processing to what is necessary to comply with the legal obligation. The default behaviour of the Service is deletion when you delete your account; the practical effect is described in §5 of the Privacy Policy.
Deleted Customer Personal Data may persist temporarily in encrypted backups until those backups are overwritten in the ordinary backup-rotation cycle, after which it is permanently deleted. During the residual retention window, the data remains protected by the security measures set out in Annex 2 and is not used for any other purpose, and we will not restore it to the live system except where strictly necessary to remedy a data-loss incident affecting other customers.
The certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (where applicable) will be provided upon written request to legal@1fifty.ai.
14. Liability
The liability of each party arising out of or in connection with this Addendum is subject to the limitations and exclusions set out in the Agreement. Nothing in this Addendum excludes or limits any liability that cannot be excluded or limited under mandatory law, including liability under Article 82 GDPR or for breach of Applicable Data Protection Law.
15. Conflict and order of precedence
In the event of any conflict or inconsistency among the documents that govern the processing of Customer Personal Data, the order of precedence is:
- the applicable Standard Contractual Clauses (where they apply);
- this Addendum;
- the Agreement; and
- the Privacy Policy.
This Addendum amends the Agreement only to the extent of any conflict; in all other respects the Agreement remains in full force and effect.
16. Signatures and binding effect
This Addendum becomes legally binding upon your acceptance of the Agreement, upon your separate execution of this Addendum (for example, by countersignature on a copy you request from us), or upon any other unequivocal expression of acceptance, whichever occurs first. The signature blocks below are provided for reference only; in line with Article 28(9) GDPR, this Addendum is concluded “in writing, including in electronic form” without any requirement for handwritten or electronic signatures.
| Processor (1fifty) | |
| Entity | 1fifty BV |
| Registered office | 1fifty BV, Oude Antwerpsebaan 109 bus 102, 2800 Mechelen, Belgium |
| Enterprise / VAT № | BE1038210695 |
| Contact | legal@1fifty.ai |
| Controller (Customer) | |
| Entity | As identified in your account registration |
| Contact | The email address associated with your account |
Annex 1 — Description of the processing
Subject matter
The processing of Customer Personal Data necessary for us to provide the Service to you under the Agreement, including storing, organising, indexing, searching, displaying, synchronising across devices, transforming (image format conversion, thumbnail generation, EXIF re-encoding), and, when you trigger AI features, sending data to our LLM Sub-processor for extraction, cleanup, or enrichment.
Duration
The duration of the Agreement and any continuation or post-termination retention required by Applicable Data Protection Law.
Nature and purpose
To provide the Service: a contact-management application that enables you to capture, structure, organise, search, and follow up with the contacts, companies, tasks, and events you store in the App.
Categories of data subjects
- Customer (the account holder);
- the Customer’s contacts (typically the people the Customer wants to keep in touch with for personal or professional reasons);
- representatives of companies that the Customer adds or enriches in the App (for example, leadership names and job titles obtained from third-party enrichment sources);
- attendees of events that the Customer logs in the App; and
- recipients of any messages sent through templates that the Customer creates.
Categories of personal data
- contact data (names, email addresses, phone numbers, physical addresses, websites, social-media handles);
- professional data (job titles, employment history, company affiliations, education, skills);
- imagery (business-card photos, avatars, contact photos, company logos, optionally with geographic coordinates);
- free-text content (notes, descriptions, AI prompts, message templates);
- relational data (links between contacts and companies, between contacts and events, between contacts and tasks);
- usage data necessary to provide the Service (timestamps of last interaction, follow-up reminders); and
- in the limited cases where you choose to store it, special-category data (Article 9 GDPR) under your sole responsibility.
Special categories of data
The Service is not designed to process special categories of personal data, and you contractually agree not to upload such data unless you have a lawful basis to do so under your sole responsibility (see §7.2 of the Terms of Service). Where such data is nonetheless processed, the security measures set out in Annex 2 apply.
Frequency of the processing
Continuous, for the duration of the Agreement.
Retention
As set out in §5 of the Privacy Policy. On account deletion, Customer Personal Data is cascade-deleted; statutory-retention carve-outs apply only to the limited categories listed in that Section.
Annex 2 — Technical and organisational measures (Article 32)
This Annex sets out the canonical technical and organisational measures we maintain to ensure a level of security appropriate to the risk for the processing of Customer Personal Data, as required by Article 32 GDPR. Measures are reviewed periodically and updated to reflect the state of the art, the cost of implementation, and the risks to data subjects, and we will not materially diminish the level of security without notice to you.
The measures described below are described at the level of control objective rather than at the level of specific tooling, so that the legal commitment remains stable as our underlying infrastructure evolves. Lower-level implementation specifics (current vendors, exact configuration values, current tool names) are made available on request through our security documentation.
A. Encryption
- In transit: TLS for all network traffic between the App, our backend services, and Sub-processors, including for cache and message-bus traffic. HTTP Strict Transport Security (HSTS) is enforced for production web surfaces.
- At rest: industry-standard symmetric encryption (e.g., AES-256 or equivalent) for data stored in databases, object storage, and backups, as configured by our infrastructure providers.
- On-device credentials: authentication tokens are stored on user devices in the operating-system secure enclave / hardware-backed key store.
B. Access control and authentication
- Tenant isolation: row-level access controls on user-scoped database tables ensure each user can access only their own data.
- Privileged access: elevated database / service-role access is restricted to defined server-side operations and is not used for routine application reads or writes.
- End-user authentication: identity verification using JWT and refresh-token-based session management, with one-time passcodes, third-party OAuth sign-in, and optional time-based one-time-password (“TOTP”) multi-factor authentication.
- Operator authentication: operator-facing surfaces use HttpOnly, Secure, SameSite=Strict cookie-based authentication with refresh-token rotation and step-up multi-factor checks for sensitive operations.
- CSRF protection: double-submit-cookie pattern combined with a custom-header check on mutation requests.
- Rate limiting: per-IP and per-user rate limits across authentication, billing, AI, and external-API code paths. Authentication, billing, AI, and external paths fail closed when the rate-limiting infrastructure is unavailable.
- Secrets management: API keys and credentials are managed through a centralised secrets-management system with per-environment scoping; secrets are not committed to source control.
C. Resilience, integrity, and observability
- Input validation: all API inputs are validated against typed schemas; HTML and known-unsafe content is stripped; per-route body-size limits are enforced; queries against the database are parameterised.
- Webhook integrity: webhooks from payment and subscription providers are verified via cryptographic signatures (e.g., HMAC) or timing-safe shared-secret comparison; duplicate events are detected via an INSERT-first deduplication table.
- Centralised logging: structured server-side request logs are routed to a centralised log store within the EEA, with personally-identifying free-text content filtered at the source.
- Error monitoring: crash and performance data is routed to a third-party error-monitoring service configured for EU storage.
- Session-replay PII masking: where session replay is used for diagnostic purposes, all text inputs and images are masked by default, and surfaces that present freeform user content (notes, AI output, OCR output, multi-factor codes echoed as text, payment-card numbers) are masked at the view-tree level so their content is not captured.
- Backups and disaster recovery: infrastructure-managed encrypted backups with documented retention windows and restore-testing cadence.
D. Organisational measures
- Incident response: documented breach-response procedure with a defined Breach Response Lead, severity matrix, and 72-hour supervisory-authority notification commitment under Article 33 GDPR.
- Data Protection Impact Assessment: a DPIA is maintained for the AI-powered features of the Service and is reviewed annually or on material change.
- Sub-processor governance: every Sub-processor is onboarded under a written processing agreement with appropriate transfer safeguards; the Sub-processor list, breach-notification flows, and audit rights are reviewed annually.
- Confidentiality: all personnel with access to Customer Personal Data are bound by binding confidentiality obligations and need-to-know access discipline.
- Personnel security: access to production systems is provisioned on a least-privilege basis and revoked promptly when no longer required.
E. Account-deletion and data-erasure cascade
When a Customer deletes their account or specific data categories:
- database records associated with the Customer are cascade-deleted via referential-integrity constraints;
- storage objects under the Customer’s identifier are purged from each storage bucket;
- per-Customer cached state in the key/value cache layer is removed both by exact-key deletion and by pattern-based scan;
- the Customer’s profile, timeline events, and linked chat conversations held by the customer-support Sub-processor are deleted via REST API request, with retry-on-failure operator alerting;
- CSRF and step-up tokens are revoked;
- a session-revocation marker is written so that any in-flight session is invalidated;
- backup-resident copies are subject to the residual-retention window described in Section 13.2.
Annex 3 — Authorised Sub-processors
This Annex sets out the canonical list of authorised Sub-processors at the date of this Addendum. The Privacy Policy may include a public-facing summary that mirrors this Annex, but Annex 3 governs in any case of conflict. We will inform you of any addition or replacement at least fourteen (14) days in advance, in accordance with Section 6.1 of this Addendum.
| Sub-processor | Purpose | Processing region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, Realtime | EU North — Stockholm, Sweden (AWS eu-north-1) |
| PostHog Inc. | Product analytics, session-replay diagnostics | EU cluster — Frankfurt, Germany |
| Functional Software Inc. (Sentry) | Error and crash monitoring, in-app feedback | EU storage region |
| Resend, Inc. | Transactional email | Ireland sending region; United States account-data storage |
| Axiom, Inc. | Centralised structured logging | EU Central — Frankfurt, Germany (AWS eu-central-1) |
| Railway Corp. | Backend hosting, Redis, rate-limiting, distributed locks | EU West — Amsterdam, Netherlands |
| Better Stack, Inc. (BetterStack) | External uptime, heartbeat, public status page | EU storage where configured; distributed edge probes |
| Crisp IM SAS | Customer-support chat, proactive support, support-ops timeline | European Union — Nantes, France |
| Cloudflare, Inc. | DNS, CDN, security, static hosting (landing + admin frontends) | Global edge network / United States |
| CoreSignal UAB | Employee and company search/collect | Lithuania (EU) |
| apilayer GmbH (Mediastack) | News article retrieval | Austria (EU) |
| OpenRouter, Inc. (AI — see note) | AI extraction, cleanup, enrichment via LLM APIs | United States |
| Google LLC (Places API) | Address autocomplete | United States |
| Open Exchange Rates Ltd. | Currency conversion (no personal data transferred) | United States |
| RevenueCat, Inc. | In-app purchase orchestration | United States |
| Stripe, Inc. | Future web checkout (currently inactive) | United States |
| Expo, Inc. (EAS) | Mobile build, submission, OTA infrastructure (no user-account data) | United States |
Note on AI Sub-processors (per Section 6.2)
For OpenRouter, Inc. and any other AI Sub-processors:
- our account is configured to enforce zero-data-retention (“ZDR”) routing for all Customer Personal Data sent for AI inference, such that requests that cannot be processed under ZDR are rejected rather than routed to a logging or training-enabled provider;
- we have disabled all account-level toggles that would allow paid or free model providers to retain or train on request data, or to publish prompts or completions to public datasets;
- we have declined any product-improvement consent that would allow OpenRouter to use Customer Personal Data to improve its own product;
- prompt and response content is not persistently logged on our own servers; only feature-usage metadata is logged for billing and security; and
- routing to underlying model providers (e.g., OpenAI, Anthropic, Google Vertex) is performed by OpenRouter under its own terms; we configure routing to favour providers offering ZDR and contractual no-training commitments.
Note on independent controllers (per Section 6.3)
Apple Inc. (App Store) and Google LLC (Google Play) act as independent controllers as merchants of record for in-app purchases on iOS and Android respectively, and are not Sub-processors under this Addendum. Their processing is governed by their own terms of service and privacy notices.
Identity providers used for third-party sign-in (Google, Apple, LinkedIn, Facebook, X) may act as independent controllers for the authentication-event data they process under their own terms.
Annex 4 — Standard Contractual Clauses (incorporation)
By accepting this Addendum, the parties are deemed to have signed the EU SCCs (as adapted under Section 12.2), the UK Addendum (as adapted under Section 12.3), and the FADP-adapted EU SCCs (as adapted under Section 12.4), each as applicable. The Annexes to those Standard Contractual Clauses are populated by Annexes 1, 2, and 3 of this Addendum. The Standard Contractual Clauses prevail over conflicting terms of this Addendum to the extent required by Applicable Data Protection Law.
Contact
| Processor | 1fifty BV |
| Email (legal / DPA) | legal@1fifty.ai |
| Email (privacy / DSR) | privacy@1fifty.ai |
| Mailing address | 1fifty BV, Oude Antwerpsebaan 109 bus 102, 2800 Mechelen, Belgium |
| VAT / CBE № | BE1038210695 |
This Data Processing Addendum is made available at https://1fifty.ai/dpa and is incorporated by reference into the Terms of Service. It applies in addition to, and not in place of, the Privacy Policy.