The processor terms governing Nine·Tails' handling of end-client personal data on behalf of agency customers.
Draft. This document is the initial pre-launch version of the Nine·Tails Data Processing Addendum. It will be reviewed by counsel and the subprocessor list will be cross-checked against the production stack before any paid customer signs up. If your agency requires a signed copy, write to hello@ninetailsagency.com — we will execute via DocuSign.
This Data Processing Addendum ("DPA") is between the customer ("Controller") and Nine Tails ("Processor," "Nine·Tails"). It is incorporated by reference into the Terms of Service the Controller has accepted at ninetailsagency.com/legal/terms.
This DPA applies whenever the Controller's use of the Service results in Nine·Tails processing Personal Data of the Controller's end clients, employees, or other identified or identifiable natural persons (collectively, "Data Subjects").
Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) and the UK GDPR.
Nine·Tails processes Personal Data on the Controller's behalf for the duration of the active subscription, plus a 30-day window for export, plus any retention required by law.
Processing is limited to what is necessary to provide the Service:
Typically: end-client business name, business email address, period covered. Reports do not generally include the Personal Data of the Controller's end customers (i.e. the agency's clients' clients) — they are aggregate metric reports. If a Controller intentionally embeds end-customer Personal Data into a Report, the Controller is solely responsible for the lawful basis to do so.
The Controller is responsible for the lawful basis for processing — including, where required, obtaining valid consent from Data Subjects. The Controller will provide its own privacy notices to Data Subjects.
Nine·Tails will:
The Controller authorizes Nine·Tails to engage the subprocessors listed in Appendix A. We will notify the Controller of any new subprocessor at least 30 days before engagement; the Controller may object on reasonable grounds during that window.
Nine·Tails imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA, and remains liable for the subprocessors' performance.
Where Personal Data is transferred outside the EEA / UK to a country without an adequacy decision, the parties rely on the Standard Contractual Clauses (Module 2: Controller-to-Processor) approved by the European Commission, as incorporated by reference here. The equivalent UK addendum applies for UK transfers.
Without limiting Section 8, Nine·Tails will implement and maintain:
If a Data Subject exercises their rights (access, correction, deletion, portability, restriction, objection) directly with Nine·Tails, Nine·Tails will forward the request to the Controller without responding on its own initiative. Nine·Tails will assist the Controller in responding to such requests.
Nine·Tails will provide the Controller, on request and not more than once per twelve months, with a copy of its most recent SOC 2 / ISO 27001 attestation if available, or with reasonable written evidence of compliance with this DPA. Audits beyond that scope are subject to mutual agreement, advance notice, and reimbursement of reasonable costs.
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA does not extend the parties' overall liability cap.
This DPA is governed by the laws of the State of Florida, USA, except that for processing subject to GDPR or UK GDPR, the relevant European or UK supervisory authority's jurisdiction is preserved.
| Subprocessor | Service | Location |
|---|---|---|
| Vercel | Application hosting + edge delivery | United States |
| Neon | Managed Postgres database | United States |
| Upstash | Redis (rate limiting, caching) | United States |
| Clerk | Authentication | United States |
| Stripe | Payment processing | United States / Ireland |
| Anthropic | Large-language-model API for report drafting | United States |
| Resend | Transactional email delivery (planned) | United States |
The current list is mirrored at ninetailsagency.com/legal/privacy §5. Adding a subprocessor follows the notice procedure in Section 9 above.
For DPA execution, audit requests, or related matters — write to hello@ninetailsagency.com.