Data Processing Agreement
Effective: April 2026 | Version 1.0 | Covers: Custom21, Center21, Dominion Engine
1. Definitions
"Controller" means the Subscriber (client) who determines the purposes and means of processing personal data through the platform.
"Processor" means Beltech Corp Holdings, operating as Custom21 / Center21 / Dominion Engine, which processes personal data on behalf of the Controller.
"Sub-processor" means a third-party service provider engaged by the Processor to process personal data.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1) and CCPA Section 1798.140(o).
"Data Subject" means the individual whose personal data is processed (e.g., a contact captured through a Center21 webhook).
2. Scope of Processing
2.1 Categories of Data Subjects: Website visitors, leads, contacts, and customers of the Controller.
2.2 Types of Personal Data: Name, email address, phone number, IP address, user agent, UTM parameters, form submission data, behavioral events, engagement scores, message delivery status.
2.3 Purpose: Lead capture, pipeline management, automated sequence delivery (email, SMS, WhatsApp), lead scoring, engagement tracking, content generation, ad campaign management, social media distribution, and performance reporting.
2.4 Duration: Processing continues for the duration of the subscription. Upon termination, data is retained for 30 days (export window), then deleted within 60 days unless retention is legally required.
3. Processor Obligations
3.1 Process personal data only on documented instructions from the Controller, unless required by law.
3.2 Ensure that persons authorized to process data are bound by confidentiality obligations.
3.3 Implement appropriate technical and organizational security measures (see Section 5).
3.4 Engage sub-processors only with prior written authorization (general authorization granted in Section 4).
3.5 Assist the Controller in fulfilling data subject access requests (DSAR) within 30 days.
3.6 Delete or return all personal data upon termination, at Controller's choice.
3.7 Make available all information necessary to demonstrate compliance and allow for audits.
4. Sub-processors
Controller grants general authorization for the following sub-processors. Processor will notify Controller 30 days before adding new sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication | USA (AWS us-east-1) |
| Stripe Inc. | Payment processing, subscription billing | USA |
| Twilio / SendGrid | Email and SMS delivery | USA |
| Anthropic PBC | AI content generation (Claude) | USA |
| Meta Platforms | WhatsApp, Instagram, Facebook distribution | USA/EU |
| DigitalOcean | Application hosting, MCP servers | USA |
| Netlify | Static site hosting | USA |
5. Security Measures
Encryption: TLS 1.3 in transit. AES-256 at rest (Supabase managed encryption).
Access Control: Row-level security (RLS) on all tables. Role-based access (admin, client, agency). JWT authentication with short-lived tokens.
API Security: Cryptographically secure API keys. HMAC-SHA256 webhook signature verification. Rate limiting on all endpoints. CSRF protection. Input sanitization.
Infrastructure: SOC 2 compliant hosting (Supabase, DigitalOcean). Automated backups. Point-in-time recovery.
Monitoring: Request logging. Suspicious pattern detection. Brute force protection (5 attempts / 15 minutes). Audit log on all data modifications.
Embeddings: pgvector embeddings are generated from content text for similarity search. Embeddings are mathematical representations and cannot be reversed to reconstruct the original text.
6. Breach Notification
6.1 Processor will notify Controller within 72 hours of becoming aware of a confirmed personal data breach.
6.2 Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6.3 Processor will cooperate with Controller in notifying supervisory authorities and data subjects as required by applicable law.
7. International Transfers
All primary data processing occurs in the United States (AWS us-east-1 region). For Controllers located in the EU/EEA, data transfers to the US are conducted under the EU-US Data Privacy Framework. Where required, Standard Contractual Clauses (SCCs) are available upon request.
8. Data Subject Rights
Processor supports Controller in fulfilling data subject rights under GDPR and CCPA:
- Access: Export contact data via API or dashboard
- Rectification: Edit contact records directly
- Erasure: Delete individual contacts or full account data
- Portability: CSV/JSON export of all data
- Restriction: Pause sequences for individual contacts
- Objection: Unsubscribe mechanisms in all sequence emails
9. Contact
Data Protection Contact:
Beltech Corp Holdings
Email: privacy@custom21.io
Response time: 30 days for DSARs, 72 hours for breach notification