Last updated: April 23, 2025
This Data Processing Agreement (“DPA”) is entered into between:
Jetlabs, Inc., doing business as mysite.ai (“Processor”, “Jetlabs”, “we”, or “us”), a Delaware corporation with its registered address at 8 The Green, Suite A, Dover, Kent County, Delaware 19901, United States; and
You, the entity or individual accepting this DPA as part of our service terms (“Controller” or “Customer”).
This DPA is an integral part of, and is hereby incorporated by reference into, the applicable Jetlabs Terms of Service, Privacy Policy, or other written or electronic agreement (collectively, the “Principal Agreement”) governing your use of our Services.
In the event of a conflict between the terms of this DPA and the terms of the Principal Agreement with respect to the processing of Personal Data, the provisions of this DPA shall prevail to the extent of the conflict.
This DPA reflects the parties’ agreement with respect to the processing and protection of Personal Data in accordance with applicable Data Protection Laws (as defined below), including, where required, the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, and other applicable legislation.
1. Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where control means ownership of more than 50% of the shares or other equity interests.
Applicable Data Protection Law means all worldwide data protection and privacy laws applicable to the Processing of Personal Data under the Principal Agreement, including (where applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"), and any other similar laws in jurisdictions where Jetlabs operates or from which Personal Data is collected.
Controller or Data Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller unless otherwise specified.
Processor or Data Processor means the entity which processes Personal Data on behalf of the Controller. For purposes of this DPA, Jetlabs is the Processor unless otherwise specified.
Customer Data or Personal Data means any information relating to an identified or identifiable natural person that is submitted by or on behalf of Customer (including Customer’s own clients, employees, or other end users) to Jetlabs via the Services, and which Jetlabs Processes on Customer’s behalf as a Processor in the course of providing the Services. This includes, for example, names, email addresses, chat logs, behavioural data, payment details, tokens, or other data that may be provided by Customer or its end users.
Subprocessor means any third party (including any Jetlabs Affiliate) appointed by or on behalf of Jetlabs to Process Personal Data on behalf of Customer in connection with the Services.
Services means the AI-based products, mobile apps, web apps, software, and related services provided by Jetlabs to Customer under the Principal Agreement.
Standard Contractual Clauses (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries as updated or replaced from time to time.
Data Subject means any identified or identifiable natural person whose Personal Data is being Processed, such as the Customer’s employees, contractors, or end users.
Data Breach or Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
In this DPA, unless the context requires otherwise, words importing the singular include the plural and vice versa.
In this DPA, unless the context requires otherwise, a reference to an Article, Clause or Annex is a reference to the specific article, clause or annex of this DPA.
The title of this DPA and its section headings are for convenience only and have no impact on the interpretation of any provision of the DPA.
2. Roles of the Parties
The parties acknowledge that Customer is acting as the Controller and Jetlabs is acting as the Processor with respect to the Processing of Personal Data under this DPA. Where required under Applicable Data Protection Law, Jetlabs may act as a Controller for limited sets of data (e.g., for its own account management, billing, or marketing purposes), but for all Customer-submitted data, Jetlabs acts as a Processor on behalf of Customer.
Jetlabs shall Process Personal Data only in accordance with Customer’s documented instructions (including those provided via the Services and the Principal Agreement). Jetlabs will not Process Personal Data for any other purpose unless required by law, in which case Jetlabs will (to the extent permitted by law) inform Customer of such legal requirement before Processing.
3. Details of Processing
The subject matter of the Processing is the provision of the Services to the Customer under the Principal Agreement.
The duration of data processing is limited to the term of the Principal Agreement. Upon termination or expiration of the agreement, Jetlabs will remove Personal Data from active systems within 30 days, with possible retention in backups for a limited period. Data will only be retained beyond this period if required by law, subject to strict confidentiality and security measures.
Nature and Purpose of Processing:
To provide the AI-based services and functionalities (including personalization, chat-based interactions, content creation, product analytics, improvements, marketing insights, etc.).
To allow Customer to manage subscriptions, user profiles, billing, analytics, and other account-related activities.
To fulfill any other documented, lawful instructions from Customer.
Customer Data may include the following categories:
Contact Information: names, email addresses, phone numbers.
Account Data: user IDs, login credentials (hashed).
Chat/Content Data: chat logs, business content, messages, user prompts and responses.
Behavioral/Analytics Data: usage data, IP addresses, timestamps, user actions within the platform.
Financial Data: payment info (where applicable, but typically handled via third-party payment processors like Stripe).
Tokens/Integrations Data: access tokens for integrations, if any.
Categories of Data Subjects:
Customer’s Authorized Users: individuals who are granted access to Jetlabs’ platform at mysite.ai.
Customer’s Clients/End Users: if the Customer inputs or uploads their clients’ data or interactions.
Other Individuals: any other data subjects whose Personal Data is transmitted by or on behalf of Customer through the Services.
Customer should not intentionally submit special categories of data (e.g., health, genetic, biometric, children’s data) unless the parties have agreed in writing to necessary safeguards. If such data is submitted inadvertently, Jetlabs will treat it with appropriate security measures and will process it as directed by Customer.
4. Jetlabs’ obligations
Jetlabs shall ensure that any persons authorized to Process Personal Data are subject to confidentiality obligations and receive training on data protection and information security.
Taking into account the nature, scope, context, and purposes of Processing as well as the risk to Data Subjects, Jetlabs shall implement appropriate technical and organizational measures to protect Personal Data, including:
Encryption of data at rest and in transit where appropriate.
Access controls that use user IDs instead of plain email addresses, and hashing of credentials.
Regular risk assessments and vulnerability scanning.
Employee security awareness training.
Intrusion detection and monitoring.
Logical separation of data.
Secure data backups, with retention as per Customer instructions.
Additional details regarding Jetlabs’ technical and organizational measures may be provided upon Customer’s request or made available in Jetlabs’ documentation or security policy.
Appointment of Subprocessors:
Customer acknowledges and agrees that Jetlabs uses third parties (Subprocessors) to provide the Services. A list of current Subprocessors (e.g., OpenAI, Anthropic, Stripe, GCP, AWS, etc.) will be maintained and updated by Jetlabs.
Jetlabs shall ensure each Subprocessor is bound by data protection obligations consistent with this DPA, including confidentiality and sufficient technical and organizational measures.
Jetlabs shall provide notice of new Subprocessors by posting updates or via email. If Customer reasonably objects to a new Subprocessor on legitimate data protection grounds, Jetlabs will work with Customer in good faith to address such objections, which may include offering an alternative arrangement or the option for Customer to terminate the affected Services.
International Transfers:
Personal Data may be stored and processed in the United States or European Union, as well as any country in which Jetlabs or its Subprocessors operate.
Where required by Applicable Data Protection Law for cross-border transfers (e.g., EU/EEA, UK, or Swiss Personal Data), Jetlabs relies on legally recognized transfer mechanisms such as Standard Contractual Clauses or other adequacy frameworks.
Jetlabs shall provide a copy of the relevant transfer mechanism upon request, subject to redactions for confidentiality.
Taking into account the nature of the Processing, Jetlabs shall promptly inform Customer if it receives any request from a Data Subject regarding their Personal Data (access, correction, deletion, etc.). Jetlabs will not respond to such requests except on Customer’s documented instructions. Jetlabs shall provide reasonable assistance to enable Customer to respond to Data Subject requests as required by law.
If Jetlabs becomes aware of a Personal Data Breach affecting Customer Data, Jetlabs will notify Customer without undue delay (and in any event within 72 hours of confirmation of the breach, if feasible). Such notice will describe the nature of the breach, potential impact, and the measures taken or proposed to address it. Jetlabs is not responsible for notifications or communications to regulators or individuals unless otherwise required by law or agreed. Customer may contact help@mysite.ai to report an incident.
Deletion or Return of Data:
Jetlabs will rectify or delete Personal Data upon Customer’s request within thirty (30) days unless retention is required by law or necessary for legitimate business purposes.
Upon expiration or termination of the Principal Agreement, Jetlabs shall, at Customer’s choice, delete or return all Customer Data. If deletion is requested, Jetlabs will remove Personal Data from active systems within 30 days (with possible retention in backups for a limited period).
Jetlabs may retain certain data if required by law, subject to confidentiality and technical protection measures.
5. Customer’s obligations
Customer represents and warrants that it (a) has complied, and will continue to comply, with all Applicable Data Protection Laws; and (b) has the right to transfer or provide access to Personal Data for Processing by Jetlabs in accordance with this DPA.
Customer shall ensure that Personal Data is collected lawfully, is accurate, and is limited to what is necessary for the purposes for which it is processed. Customer is responsible for ensuring that its instructions comply with all applicable laws.
Customer shall provide all necessary notices to Data Subjects and obtain any required consents under Applicable Data Protection Law for Jetlabs’ Processing of Personal Data under this DPA.
If Customer uploads or processes data relating to third parties (e.g., end users), Customer is solely responsible for ensuring it has the necessary legal basis to do so. Jetlabs disclaims any responsibility if the Customer lacks such basis.
6. Confidentiality
The Processor hereby confirms that it will ensure the confidentiality of Personal Data in the course of processing such data. Only those employees of the Processor who require access to the Personal Data in order to fulfill the obligations of Jetlabs under the Principal Agreement and this Data Processing Agreement shall be granted such access. These employees will only process Personal Data to the extent necessary for the performance of their duties and shall be bound by appropriate confidentiality obligations.
The provisions on confidentiality set forth in the Principal Agreement, including any applicable penalties or sanctions, shall also apply to this Data Processing Agreement and any Processing activities conducted pursuant to it.
7. Right to audit
The Controller shall have the right, at any time and upon providing prior reasonable notice, to conduct an audit—either directly or through an appointed independent third-party auditor—to verify the Processor’s compliance with this Data Processing Agreement and the Principal Agreement.
To facilitate such audit, Jetlabs agrees to provide the Controller or its auditor with access to Jetlabs’ premises, systems, software, documentation, and other information necessary to perform the audit, solely to the extent required to assess compliance with applicable data protection obligations. This right of access shall not extend to any data or information relating to other Jetlabs customers or proprietary information unrelated to the Services provided to the Controller.
Upon request, each Party and/or the appointed auditor shall be required to maintain the confidentiality of all information obtained in the course of the audit. However, this confidentiality obligation shall not prevent the Controller or its auditor from taking appropriate action based on the findings of the audit, provided such actions are reasonably based on the conclusions derived from the audit process.
8. Data Protection Impact Assessment
Where the nature of Processing—particularly where it involves the use of new technologies—and taking into account the scope, context, and purposes of the Processing, is likely to result in a high risk to the rights and freedoms of natural persons, Jetlabs (the Processor) shall, prior to undertaking such Processing, provide reasonable assistance to the Controller in carrying out a data protection impact assessment (DPIA) in accordance with Applicable Data Protection Law.
Jetlabs acknowledges that, in circumstances where a competent supervisory authority determines that the proposed Processing activities referenced in Clause 1 may potentially infringe applicable data protection laws or regulations, such authority may issue written recommendations to Jetlabs and exercise any powers granted to it under Applicable Data Protection Law, including but not limited to enforcement actions, suspension of processing, or the imposition of penalties.
9. Liability and Indemnification
The liability of each party under or in connection with this Data Processing Agreement (“DPA”) shall be subject to the limitations of liability set forth in the Principal Agreement between Jetlabs and the Customer. Jetlabs does not assume liability for Personal Data Breaches or other acts or omissions by its Subprocessors beyond the obligations specifically outlined in the Principal Agreement and this DPA.
Jetlabs engages reputable and industry-standard Subprocessors to support the provision of the Services, such as Stripe for payment processing and OpenAI for AI functionality. The Customer acknowledges and agrees that Jetlabs shall not be liable for any data incidents or regulatory liabilities solely attributable to the actions or omissions of these Subprocessors, provided that Jetlabs has fulfilled its obligations as described in Section 4.3 (Subprocessors). Jetlabs shall, however, remain responsible for managing such Subprocessors in accordance with this DPA, including assisting the Customer with any required remediation efforts or legal notifications in the event of a confirmed Personal Data Breach involving a Subprocessor.
Each party agrees to indemnify, defend, and hold harmless the other party from and against any and all damages, losses, liabilities, costs, or expenses (including reasonable legal fees and fines) arising out of or relating to any breach by the indemnifying party of this DPA or of Applicable Data Protection Law, to the extent such indemnification is permitted under the terms of the Principal Agreement.
10. International data transfers
Personal Data that Jetlabs Processes on behalf of the Customer may be transferred to and stored in the United States or the European Union. Jetlabs and its authorized Subprocessors maintain secure data centers primarily within these jurisdictions to support the performance of the Services under the Principal Agreement.
For any transfers of Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries not recognized by the applicable regulatory authorities as providing an adequate level of data protection, Jetlabs shall implement appropriate safeguards, such as the Standard Contractual Clauses (SCCs) or other legally valid transfer mechanisms recognized under Applicable Data Protection Law. By entering into this DPA, the Customer hereby expressly authorizes Jetlabs to enter into such safeguards on the Customer’s behalf, where required, to ensure lawful cross-border transfers of Personal Data.
11. Miscellaneous
Term and Termination. This Data Processing Agreement (“DPA”) shall remain in effect for the duration of the Principal Agreement between the Customer and Jetlabs. Upon termination or expiration of the Principal Agreement, this DPA shall automatically terminate. Notwithstanding the foregoing, any provisions of this DPA that by their nature are intended to survive termination (including, without limitation, confidentiality obligations and data deletion clauses) shall remain in full force and effect.
Governing Law and Jurisdiction. This DPA and any disputes or claims arising out of or in connection with its subject matter or formation shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without giving effect to any choice or conflict of law provisions. The parties hereby irrevocably submit to the exclusive jurisdiction of the state and federal courts located in Delaware for any legal proceedings related to this DPA, unless otherwise required under Applicable Data Protection Law.
Entire Agreement; Conflict. This DPA is incorporated into and forms an integral part of the Principal Agreement. In the event of any conflict or inconsistency between the terms of this DPA and the Principal Agreement relating specifically to the Processing of Personal Data, the terms of this DPA shall prevail. All other terms of the Principal Agreement shall remain in full force and effect and unchanged.
Severability. If any provision of this DPA is determined to be invalid, illegal, or unenforceable by a competent authority, such provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable, and the remaining provisions shall continue in full force and effect.
Amendments. Jetlabs may amend or update this DPA as necessary to reflect changes in Applicable Data Protection Law or industry best practices. If any material changes are made, Jetlabs shall notify the Customer by email or through the Customer’s account interface. Unless otherwise specified, such amendments shall become effective upon notification or publication.
Acceptance. By using the Services provided by Jetlabs through mysite.ai or by otherwise entering into this DPA (whether electronically or in writing), the Customer confirms its agreement to be bound by the terms and conditions set forth herein.
12. Annexes to the Agreement
Annex 1. List of subprocessors;
Annex 2. List of organisational and technical measures.
Annex 1: Subprocessors
Below is a non-exhaustive list of key Subprocessors used by Jetlabs for hosting, data processing, or other Services-related activities. This list may be updated from time to time.
OpenAI (AI infrastructure)
Anthropic (AI infrastructure)
SEOptimer (SEO analysis)
Stripe (payment processing)
OVH Cloud (hosting, data storage)
RevenueCat (subscription management)
Twilio (SMS, communications)
Intercom (customer support)
Klaviyo (marketing email)
Sentry (error tracking)
GitLab (code repository)
Wordware (specialized tools)
Pos (analytics)
Churnkey (subscription churn management)
Jetlabs also uses affiliates for certain data processing and development activities.
Annex 2: Technical and Organisational measures
Jetlabs maintains a comprehensive information security program aligned with industry best practices and certified under ISO/IEC 27001, the international standard for information security management systems (ISMS). This framework governs the technical and organizational measures implemented to protect the confidentiality, integrity, and availability of Personal Data.
The following controls are in place:
Access Controls: Access to systems and Personal Data is restricted based on the principle of least privilege. User authentication is performed using hashed credentials, and user identification is maintained via unique user IDs instead of storing plain email addresses. Role-based access control ensures that only authorized users can access specific data and services.
Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest where feasible, ensuring robust data confidentiality during storage and transmission.
Physical Security: Jetlabs uses cloud infrastructure provided by Amazon Web Services (AWS) and Google Cloud Platform (GCP). These facilities are protected by multiple layers of physical and logical security measures and are accessible only by authorized personnel.
Monitoring and Logging: Jetlabs maintains detailed logs of system access and activity. Security events are monitored in real-time using Security Information and Event Management (SIEM) tools. Intrusion detection and anomaly detection systems are in place to identify and respond to threats proactively.
Incident Response: Jetlabs has a formal incident response plan in place. In the event of a security incident or Personal Data Breach, Jetlabs will notify the Customer in accordance with this DPA and take all reasonable steps to mitigate any adverse effects.
Employee Training: Employees with access to Personal Data undergo regular training on data privacy, security practices, and compliance with applicable data protection laws.
Data Minimization and Retention: Jetlabs only collects and retains the minimum data necessary to deliver the Services or fulfill legal obligations. Retention periods are defined in accordance with contractual and legal requirements.
Data Deletion: Personal Data is securely deleted from Jetlabs’ active systems within thirty (30) days following service termination or upon Customer’s request, unless a longer retention period is required by applicable law or justified by legitimate business purposes.