Legal

Data Processing Agreement (DPA)

Last updated: April 12, 2026
This Data Processing Agreement explains how ChiefOS processes customer data on behalf of users of the Service.
Privacy Policy

Roles

When using ChiefOS, the customer acts as the data controller and ChiefOS acts as the data processor for customer-submitted data (financial records, job data, employee information, documents). ChiefOS processes this data only as instructed by your use of the Service.
For Aggregated Analytics derived from anonymized usage patterns (as described in the Privacy Policy), ChiefOS acts as a data controller — this data has been anonymized below the threshold of personal information, and ChiefOS determines the purpose and means of its use and disclosure. The protections of this DPA apply to Customer Data in ChiefOS's role as processor; Aggregated Analytics are governed by the Privacy Policy.

Scope of processing

ChiefOS processes customer data only as necessary to provide and maintain the Service.
Processing activities may include:
  • storing submitted records
  • organizing financial and operational information
  • generating analytics and summaries
  • system reliability and monitoring
  • generating anonymized, aggregated platform analytics for market intelligence purposes (Aggregated Analytics), subject to the anonymization and k-anonymity standards described in the Privacy Policy — in this context ChiefOS acts as data controller, not processor

Security measures

  • encrypted data transmission
  • role-based access controls
  • tenant data isolation
  • infrastructure security monitoring

Subprocessors

ChiefOS uses trusted infrastructure providers including:
  • Supabase (database and authentication)
  • Vercel (hosting infrastructure)
  • Stripe (billing)
  • Twilio (messaging infrastructure)

Data retention and deletion

Customer data is retained only for the duration of the customer’s account unless required for legal or operational purposes.
Customers may request deletion of their account and associated workspace data.
Anonymized and aggregated data (which contains no personal information and cannot be traced back to any individual business) may be retained indefinitely for analytics, benchmarking, and market intelligence purposes, consistent with ChiefOS’s role as controller for that data class.

International transfers

Data may be processed in multiple jurisdictions depending on the infrastructure providers used to operate the Service.