Data Processing Agreement

Last updated: June 26, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (“Controller”) and Derrick App, a French SAS (Société par Actions Simplifiée) (“Processor”).

Derrick App provides automation and data enrichment workflows via a Google Sheets extension.

1. Subject Matter
This DPA governs the processing of personal data by Derrick App on behalf of the Customer, in compliance with Regulation (EU) 2016/679 (the “GDPR”) and applicable data protection laws.


2. Nature and Purpose of Processing
Derrick App processes data for the following purposes:

- Executing user-defined workflows inside Google Sheets  
- Enriching and transforming data via third-party APIs (e.g. Dropcontact, Hunter, Clearbit)  
- Generating insights using language models (e.g. Claude, OpenAI)  

Data is processed solely for providing the Services described above.


3. Types of Personal Data and Data Subjects

Types of personal data: Free-form text inputs, email addresses, names, company names, job titles, phone numbers, or any data submitted by the Customer.

Categories of data subjects: Prospects, customers, contacts, and employees whose data is uploaded or processed by the Customer.

Derrick App does not actively determine whether data is personal or not. Detection of personal data is based on heuristic patterns (e.g. email or phone formats) but is not guaranteed.

4. Roles and Responsibilities
- The Customer is the data controller.  
- Derrick App, a French SAS (Société par Actions Simplifiée), acts as data processor for user-initiated workflows and third-party API calls.  
- For AI-based features (e.g., Claude, OpenAI), Derrick App may act as joint controller due to data interpretation and transformation beyond simple processing.

5. Subprocessors
Derrick App relies on a dynamic and evolving network of subprocessors, including but not limited to cloud hosting providers, data analytics platforms, third-party API services, and AI vendors.

A non-exhaustive list of key subprocessors is maintained and can be provided upon request by contacting:  
contact@derrick-app.com.

The Customer acknowledges that this list may evolve as the platform and its integrations grow.

6. Security Measures
- Google OAuth is used for user authentication  
- Data in transit is encrypted via HTTPS/TLS  
- Only authorized personnel can access internal logs and storage  
- Logs are stored securely on Heroku and/or Stackhero  
- No manual review of personal data is conducted

7. Data Retention and Deletion
- Results are stored until the user retrieves them (no auto-expiration yet)  
- Logs are kept for debugging and error tracking  
  - Heroku limits logs to approx. 1,500 lines for ~7 days  
- No automated deletion mechanism is in place yet, but users may contact support to request manual deletion of their data

8. Data Subject Rights
Derrick App will assist the Customer in responding to data subject requests, including:

- Right of access, rectification, or erasure  
- Right to data portability  
- Right to object or restrict processing  

Requests can be sent to: contact@derrick-app.com

9. Liability and Third-Party Data
Derrick App cannot filter or remove personal data originating from third-party APIs used by the Customer (e.g. phone numbers returned by Dropcontact). Derrick App provides a disclaimer to notify third parties that it does **not control** the content returned by enrichment providers.

10. Term and Termination
This DPA remains in effect for the duration of the Customer’s use of Derrick App. Upon termination, Derrick App will delete or return all Customer Data, unless legally required to retain it.

11. Miscellaneous
- This DPA is governed by French law and the GDPR  
- Updates to this DPA will be announced on the Derrick App website