Data Processing Agreement
Last Updated: February 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and AfterActions, LLC, operating as Harvesto.io ("Processor"), for the use of Harvesto.io services.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Controller": The Customer, who determines the purposes and means of Processing Personal Data.
- "Data Processor": AfterActions, LLC (Harvesto.io), which Processes Personal Data on behalf of the Customer.
- "Subprocessor": A third party engaged by the Processor to Process Personal Data.
2. Scope of Processing
2.1 Subject Matter
The Processor provides AI-powered content generation services that transform meeting transcripts into professional LinkedIn content based on user-defined personas.
2.2 Nature and Purpose
Processing activities include:
- Receiving and storing meeting transcripts via Zoom API integration
- Sanitizing transcripts to remove sensitive information using AI
- Generating content suggestions using AI based on configured personas
- Storing and delivering generated content to the Customer
- Managing Customer account and subscription data
2.3 Categories of Personal Data
Personal Data Processed may include:
- Contact information (names, email addresses)
- Account credentials and authentication tokens
- Meeting content and transcripts
- Participant names mentioned in transcripts
- Persona configurations and preferences
- Generated content drafts
- Usage and billing data
2.4 Categories of Data Subjects
- Customer employees and authorized users
- Meeting participants whose names appear in transcripts
- Individuals mentioned in meeting content
2.5 Duration
Processing continues for the duration of the service agreement and until all Personal Data is deleted in accordance with Section 8.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Customer
- Ensure persons authorized to Process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Assist the Customer with data protection impact assessments where required
- Delete or return Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Customer or their auditor
4. Customer Obligations
The Customer shall:
- Ensure lawful basis for Processing Personal Data through the Service
- Provide appropriate notice to data subjects about the Processing
- Ensure accuracy of Personal Data provided to the Processor
- Comply with applicable data protection laws
- Obtain necessary consents from meeting participants for transcript Processing
5. Security Measures
The Processor implements the following security measures:
5.1 Technical Measures
- Encryption of data at rest and in transit (TLS 1.2+)
- OAuth tokens encrypted using Fernet symmetric encryption
- Secure cloud infrastructure (Digital Ocean) with firewalls and access controls
- Regular security updates and vulnerability patching
- Secure authentication mechanisms including multi-factor authentication options
5.2 Organizational Measures
- Access controls limiting personnel access to Personal Data
- Employee confidentiality agreements
- Security awareness training
- Incident response procedures
- Regular security reviews
6. Subprocessors
6.1 Authorization
The Customer provides general authorization for the Processor to engage Subprocessors. The Processor will inform the Customer of any intended changes to Subprocessors, giving the Customer an opportunity to object.
6.2 Current Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Digital Ocean, LLC | Cloud hosting, database, and infrastructure | United States |
| OpenAI, LLC | AI content generation and transcript sanitization | United States |
| Stripe, Inc. | Payment processing | United States |
| Mailgun Technologies, Inc. | Email delivery | United States |
| Google LLC | OAuth authentication | United States |
| Zoom Video Communications, Inc. | Meeting transcript API integration | United States |
6.3 Subprocessor Requirements
The Processor ensures that Subprocessors are bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
The Processor will assist the Customer in responding to requests from data subjects exercising their rights under applicable data protection laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of Processing
- Right to data portability
- Right to object
8. Data Retention and Deletion
8.1 During Service
Personal Data is retained for the duration necessary to provide the Service and as specified in the Privacy Policy.
8.2 Upon Termination
Upon termination of services or Customer request, the Processor will delete or return all Personal Data within 30 days, except where retention is required by applicable law.
9. Data Breach Notification
In the event of a Personal Data breach, the Processor will:
- Notify the Customer without undue delay (within 72 hours where feasible)
- Provide information about the nature of the breach
- Describe likely consequences and measures taken or proposed
- Cooperate with the Customer's investigation and notification obligations
10. International Transfers
Personal Data may be transferred to and processed in the United States. For transfers from the European Economic Area, United Kingdom, or Switzerland, the Processor relies on Standard Contractual Clauses approved by the European Commission.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
12. Governing Law
This DPA is governed by the laws of the State of Delaware, except where data protection laws require otherwise.
13. Contact Information
For questions about this DPA or to exercise data protection rights, please contact:
AfterActions, LLC (operating as Harvesto.io)
Data Protection Contact
1820 Avenue M #780
Brooklyn, NY 11230
Email: [email protected]