Data Processing Agreement
Effective Date: April 15, 2026 | Version 1.0
Processor: ShowOpsAI, Inc.
Contact: legal@showops.ai
Applies To: All enterprise clients using the ShowOps.AI platform where ShowOps.AI processes personal data on behalf of the Client
Governing Law: State of California — see Section 11
1.Definitions
- "Controller" — The Client (enterprise customer) that determines the purposes and means of processing personal data.
- "Processor" — ShowOps.AI, which processes personal data on behalf of the Controller.
- "Data Subject" — An identified or identifiable natural person whose personal data is processed under this Agreement.
- "Personal Data" — Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
- "Processing" — Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" — Any third party engaged by the Processor to process personal data on the Controller's behalf.
- "Supervisory Authority" — A competent public authority responsible for monitoring the application of applicable data protection law.
2.Scope and Purpose
ShowOps.AI processes personal data on behalf of the Client (Controller) solely to operate and deliver the ShowOps.AI platform and related services. The categories of personal data processed include:
- User account data: names, email addresses, job titles, and assigned roles
- Venue operational data: venue configurations, equipment records, and milestone information
- Staffing records: crew names, certifications, availability, and day rates
- Agent interaction logs: prompts, AI-generated responses, and associated metadata
3.Processor Obligations
3.1 Documented Instructions. ShowOps.AI will process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to third countries, unless required to do so by applicable law.
3.2 Confidentiality. ShowOps.AI will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
3.3 Security Measures. ShowOps.AI implements and maintains the following technical and organizational security measures:
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Session authentication: HMAC-SHA256 signed tokens with 12-hour expiry
- Rate limiting on all API endpoints
- Comprehensive audit logging of all data mutations
- Role-based access controls with least-privilege principles
3.4 Data Minimization. ShowOps.AI will collect and process only the personal data necessary to deliver the Services and will not use personal data for any purpose incompatible with those instructions.
4.Sub-processors
ShowOps.AI engages the following sub-processors to deliver the Services. Each sub-processor is bound by data protection obligations no less protective than those in this Agreement.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | PostgreSQL database hosting | AWS us-east-2 (US) |
| Vercel | Application hosting and CDN | US |
| Anthropic | AI agent processing | US |
| Resend | Transactional email delivery | US |
| Sentry | Error monitoring and diagnostics | US |
| BetterStack | Uptime monitoring | US |
| Google Cloud | Sheets/Drive sync | US |
| Microsoft (Graph API) | Optional, per-tenant. OneDrive / SharePoint speaker content ingestion when the tenant enables Microsoft 365 as a content source. | US / EU (tenant region) |
We will notify the Controller at least 30 days before adding a new sub-processor, providing the Controller the opportunity to object on reasonable grounds related to data protection. Optional sub-processors are listed for transparency even when not currently activated; activation requires explicit Controller configuration (e.g. setting integration credentials).
5.Data Subject Rights
ShowOps.AI will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including:
- Right of access (Art. 15): Providing a copy of personal data held about the Data Subject
- Right to rectification (Art. 16): Correcting inaccurate or incomplete personal data
- Right to erasure (Art. 17): Deleting personal data on request — supported via the
/api/user/deleteendpoint - Right to restriction (Art. 18): Limiting processing of personal data in specified circumstances
- Right to data portability (Art. 20): Exporting personal data in a structured, machine-readable format — supported via the
/api/user/exportendpoint
6.Data Breach Notification
6.1 ShowOps.AI will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Controller's personal data.
6.2 The notification will include, to the extent available: a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
6.3 ShowOps.AI will cooperate with the Controller and provide reasonable assistance in fulfilling the Controller's own notification obligations to supervisory authorities and Data Subjects.
7.International Data Transfers
All processing under this Agreement occurs in US data centers (see Section 4 sub-processor table). For personal data originating from EU/EEA Data Subjects, ShowOps.AI will ensure that transfers comply with applicable law. Standard Contractual Clauses (SCCs) as approved by the European Commission are available on request by contacting legal@showops.ai.
8.Data Retention
Retention periods are governed by the ShowOps.AI Privacy Policy Section 6. Key periods include: audit logs 24 months, sync logs 24 months, notification records 6–12 months.
Upon termination of the main Services Agreement, ShowOps.AI will, at the Controller's election, return or securely delete all personal data within 30 days, and provide written confirmation of deletion upon request.
9.Audit Rights
The Controller may audit ShowOps.AI's compliance with this Agreement upon reasonable written notice (at least 30 days), during normal business hours, no more than once per calendar year, and at the Controller's expense. ShowOps.AI may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2) in lieu of on-site audits where available.
10.Term and Termination
This Agreement is coterminous with the main Services Agreement between the parties. It takes effect on the date the Controller first uses the Services and remains in force until all Services Agreements expire or are terminated.
Upon termination for any reason, ShowOps.AI will return or delete personal data per Section 8, and this Agreement will terminate automatically.
11.Liability
Each party's liability under this Agreement is subject to the limitations and exclusions set out in the main Services Agreement between the parties. This Agreement does not expand either party's liability beyond what is provided in the main Services Agreement, except to the extent required by applicable data protection law.
This Data Processing Agreement was last updated on April 15, 2026. For questions, contact legal@showops.ai.