Data Processing Addendum (DPA)

Last updated March 9, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Caddy Technologies Inc (“Caddy”, “Processor”) and the customer entity using the Caddy Service (“Customer”, “Controller”).

This DPA applies when Caddy processes Personal Data on behalf of Customer in connection with the Caddy Service.

This DPA supplements the Caddy Terms of Service or any applicable Order Form between the parties.

1. Definitions

For purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person processed in connection with the Service, as defined under applicable data protection laws including the General Data Protection Regulation (GDPR).

“Processing”, “Controller”, and “Processor” have the meanings set forth in the GDPR.

“Subprocessor” means any third party engaged by Caddy to process Personal Data on behalf of Customer.

2. Roles of the Parties

For purposes of this DPA:

Customer acts as the Controller of Personal Data.

Caddy acts as a Processor, processing Personal Data on behalf of Customer in order to provide the Service.

3. Processing Instructions

Customer instructs Caddy to process Personal Data as necessary to operate the Caddy automation platform, including monitoring integrations, generating summaries, and executing user-configured automations.

Caddy will process Personal Data only:

  • to provide and maintain the Service
  • to support Customer’s use of the Service
  • to comply with applicable law
  • in accordance with Customer instructions as reflected in the agreement between the parties

If Caddy believes that a processing instruction from Customer infringes applicable data protection law, Caddy will inform Customer without undue delay.

4. Confidentiality

Caddy ensures that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

Access to Personal Data is limited to personnel who require access in order to operate, maintain, or secure the Service.

5. Security Measures

Caddy maintains administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, loss, or disclosure.

Security measures include:

  • encryption in transit (TLS)
  • encryption at rest
  • application-level access controls
  • system monitoring and logging

Caddy is currently working toward SOC 2 Type II certification.

6. Subprocessors

Customer authorizes Caddy to engage Subprocessors to assist in providing the Service.

Subprocessors may include infrastructure providers, analytics providers, authentication providers, and AI model providers.

Examples include:

  • Amazon Web Services (infrastructure hosting)
  • Supabase (database infrastructure)
  • Render (application hosting)
  • Anthropic (AI model provider)
  • OpenAI (AI model provider)
  • Groq (AI model provider)
  • PostHog (product analytics)
  • Braintrust (LLM evaluation)
  • Google (integration APIs)
  • Composio (integration authentication and OAuth management)

A current list of Subprocessors is available on our Subprocessors page.

Caddy will ensure that Subprocessors are bound by contractual obligations consistent with this DPA.

7. AI Model Processing

The Service may send prompts and related context to third-party AI model providers in order to generate outputs.

These providers may include:

  • Anthropic
  • OpenAI
  • Groq

These providers act as Subprocessors and process data solely to generate responses for the Service.

Where supported, Caddy configures model providers to limit retention of prompts and outputs.

For example:

  • Requests sent to Anthropic are processed under a zero data retention configuration.
  • Requests sent to Groq may also be processed under zero data retention configurations where supported.

Model providers may still process prompts temporarily in order to generate responses.

Caddy does not train foundation models using Customer Data.

8. Data Subject Requests

To the extent required by applicable law, Caddy will assist Customer in responding to requests from individuals exercising data protection rights.

Such assistance may include providing access to Personal Data stored within the Service.

9. Personal Data Breach

Caddy will notify Customer of a Personal Data Breach without undue delay and no later than seventy-two (72) hours after becoming aware of the breach.

Caddy will provide available information regarding:

  • the nature of the breach
  • categories of affected data
  • remediation measures taken

10. International Transfers

Customer acknowledges that Personal Data may be transferred to the United States in order to provide the Service.

Where Personal Data originating in the European Economic Area is transferred outside the EEA, such transfers will rely on appropriate safeguards including Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

11. Data Deletion

Upon termination of the Service or Customer request, Caddy will, at the Customer’s direction, delete or return Personal Data within 30 days unless retention is required by law.

System backups may persist for up to 30 additional days before deletion.

12. Audits

Upon reasonable request, Caddy will provide information reasonably necessary to demonstrate compliance with this DPA, including summaries of security practices and certifications where available.

Customer may request such information no more than once per twelve (12) month period, unless required by a regulatory authority or in response to a confirmed security incident.

Requests must be made with reasonable advance notice and conducted in a manner that does not materially disrupt Caddy’s operations.

13. Liability

Each party’s liability under this DPA is subject to the liability limitations set forth in the governing agreement between the parties.

Annex 1 — Details of Processing

Controller: Customer

Processor: Caddy Technologies Inc

Purpose of Processing

Providing the Caddy automation service, including:

  • monitoring integrations
  • generating summaries
  • executing user-configured automations

Categories of Personal Data

Personal Data processed may include:

  • account identifiers (name, email address)
  • communications content (emails, messages)
  • documents and files
  • integration data from connected services
  • usage analytics

Categories of Data Subjects

Data subjects may include:

  • customer employees
  • customer contractors
  • individuals appearing in communications within integrations

Duration of Processing

Personal Data is processed for the duration of the customer’s use of the Service unless otherwise required by law.