1. Scope & Definitions
This Data Processing Agreement ("DPA") governs the processing of Personal Data by CK Catalyst ("Processor") on behalf of the Client ("Controller") in connection with the delivery of all integrated solutions and structural environments, including Hybrid Cells™, Ops Cells™, Automation Cells™, AI Cells™, Data Cells™, and Dev Cells™.
This agreement clarifies our alignment with international privacy standards including the General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
2. Operational Roles of the Parties
- Client as Controller: The Client retains complete ownership over the methods, collection origins, and structural purposes for processing all ingested customer data records.
- CK Catalyst as Processor: We process personal datasets and system payloads exclusively under documented instructions provided by the Client. We do not inspect, monetize, or utilize Client personal data for any auxiliary business purposes outside of fulfilling contractual tasks within your Business Cells™.
3. Scope of Personal Data Categories
To execute operational and automated tasks, our data routes and human operators process the following core information blocks on your behalf:
- Corporate Identifiers: Corporate names, professional email strings, office telephone numbers, and job designations.
- Operational Payloads: CRM communication data, user support records, form submissions, workflow logs, and data entries unique to your internal platforms handled via our Ops or Hybrid teams.
- Automation Meta-Logs: Runtime diagnostic logs, integration timestamps, and system webhook response codes.
We do not actively request or store highly protected medical records, genetic profiles, or criminal histories unless explicitly contracted under specialized, secure Data Cell™ protocols.
4. Execution Framework & Nature of Processing
Data operations executed on behalf of the Client are strictly restricted to:
- Direct system orchestration, manual back-office tasks, and API payload parsing across external software tools.
- Structural data normalization, transformation, and database syncing across active cells.
- Parsing text patterns for reporting dashboards and automated document intelligence reads.
- Executing routine automation health checks and diagnosing failing webhook triggers within your solutions.
5. Mandatory Processor Assurances
CK Catalyst explicitly commits to the following operational guardrails:
- We process client data payloads strictly in accordance with written client automation configurations and established cell SOPs.
- All engineering and operational team staff assigned to project infrastructure are bound by comprehensive corporate confidentiality parameters.
- We will never sell, lease, or distribute your customer data blocks to third-party ad brokers or use your datasets to train public foundational AI models.
6. Technical & Organizational Safeguards
Our engineering infrastructure deploys standard protection controls across all processing lines:
- Transport Layers: End-to-end data encryption using secure TLS 1.2 or higher tunnels for all active API webhook exchanges.
- Access Vaults: Storage of environment variables and access keys behind AES-256 encrypted configuration vaults.
- Account Protection: Multi-Factor Authentication (MFA) enforcement across all team accounts, staging areas, and production cell environments.
7. Approved Infrastructure Subprocessors
The Client grants explicit authorization for CK Catalyst to utilize our standard technical infrastructure providers to host and run your deployed solutions:
- Supabase Inc. (Secure database hosting, authentication rules, and backend asset storage)
- Vercel Inc. & Cloudflare Inc. (Web application edge caching and security filtering tools)
- n8n, Make.com, & Zapier Inc. (Core cloud automation processing blocks and API engines)
All core sub-processors are vetted for verified privacy certifications (such as active SOC 2 compliance mapping or standard contractual clauses). If we introduce a new foundational infrastructure platform to our stack, we will update our centralized Legal Hub.
8. Cross-Border Transport Safeguards
If your automated pipelines route data across multiple regional data centers, CK Catalyst ensures all server nodes and third-party API platforms operate under verified data transit frameworks, including Standard Contractual Clauses (SCCs) or regional adequacy agreements, to guarantee uniform safety levels regardless of physical server locations.
9. Managing Data Subject Inquiries
The Client remains responsible for addressing individual consumer requests regarding data access, deletion, or privacy updates. If a consumer accidentally submits an inquiry directly to our infrastructure desk, we will forward the request to your admin contact within 5 business days without communicating directly with your customer.
10. Data Breach Discovery & Notification Rules
- If we confirm an absolute security compromise or data exposure event affecting your infrastructure systems or Business Cells™, CK Catalyst will transmit a breach alert to your primary admin email within 72 hours of confirmation.
- Our team will supply all known technical details regarding the estimated data scope, exposure vectors, and our ongoing system containment strategies.
- The Client remains solely responsible for formatting and submitting required regulatory filings to privacy commissioners or end-users within statutory timelines.
11. System Deletion & Post-Contract Purging
Upon the formal conclusion of your automation solutions contract, we execute our decommissioning procedures:
- Active data integrations are paused and environment variables are scrubbed from production engines.
- Stored credentials and API keys inside our secure vaults are permanently wiped.
- Cached runtime logs automatically purge over a rolling 30- to 180-day window, subject to basic financial audit requirements.
12. Structural Liability Boundaries
All liability tracking under this DPA remains entirely subject to the total liability caps set out in your master Terms of Service. Furthermore, CK Catalyst is explicitly released from any data liability resulting from:
- Malformed data loops, mapping mistakes, or logic errors introduced manually by the Client's internal staff.
- Service outages, unannounced API changes, or server crashes occurring on external platforms (e.g., Salesforce, HubSpot, OpenAI).
- Access exploits caused by the Client sharing master credentials via insecure plaintext channels.
13. Agreement Term
This DPA operates as an active legal rider to your solutions contract and remains fully enforceable as long as CK Catalyst maintains access permissions or executes system commands affecting your company data properties.
14. Data Privacy Contact
For any questions regarding sub-processor registries, data transfer paths, or encryption tokens, reach out to our privacy coordinator:
- Email: [email protected]
- Privacy Channel: Intake Form