Data Processing Addendum.

Last updated: Version 1.0 · 16 May 2026 · DPDPA + GDPR-aligned

You're the data controller — you own the data. We're the data processor — we operate on it on your behalf, only to deliver the brief. This document spells out who does what when something goes wrong, and which sub-processors we use.

1. Parties

Controller (you): the Customer who signed up for 9AM CEO and connected a Slack workspace.

Processor (us): Dreamyhook Pvt. Ltd., operating 9AM CEO under the DPDPA, 2023 (India) and, where applicable, the EU GDPR (Regulation 2016/679).

2. Subject and duration of processing

Subject matter: generating and delivering daily editorial briefs of Slack channel activity.

Duration: for the lifetime of your subscription, plus the 48-hour deletion window after cancellation.

Nature: ingestion of Slack messages, AI summarisation via Vertex AI, persistence of the generated briefs, delivery via WhatsApp and email.

Purpose: the sole purpose is delivering the brief to you. We don't repurpose your data.

3. Types of data and data subjects

Customer and employee data: name, email, WhatsApp number, company name, industry, team size, time-zone, role-related identifiers from Slack (user IDs, display names).

Slack message content: message text from the channels you select, including user mentions, URLs, and rupee amounts. Held in memory only during brief generation; the resulting brief is persisted, the raw messages are not.

Billing data: processed by Razorpay (sub-processor); we receive only the subscription state, never card numbers.

Data subjects: you, your team members visible in the connected Slack channels, and anyone @-mentioned in those channels.

4. Our obligations

We will:

  • Process your data only on your documented instructions — your subscription is the instruction.
  • Apply technical and organisational measures appropriate to the risk: encryption at rest and in transit, least-privilege IAM, audit logging, customer-managed KMS keys for Slack tokens.
  • Notify you of a personal-data breach affecting your data within 72 hours of becoming aware of it.
  • Assist you with data-subject rights requests — access, correction, deletion.
  • Delete or return your personal data within 48 hours of subscription cancellation.
  • Make available the information needed to demonstrate compliance with this addendum.

5. Your obligations

You will:

  • Have a lawful basis for processing the data you bring to 9AM CEO.
  • Inform anyone whose data is captured — your team, anyone they @-mention — that the brief tool is in use.
  • Only connect Slack workspaces you have authority to share with us.
  • Tell us promptly if a Slack workspace owner withdraws consent.

6. Sub-processors

We use a small, audited set of sub-processors. Each was chosen for its security posture. We give you 30 days' notice by email before adding a new sub-processor; you can object by emailing privacy@9amceo.com within that window.

| Sub-processor | Purpose | Region |
|---|---|---|
| Google Cloud (Firestore, Cloud Functions, Vertex AI, KMS, Pub/Sub, Cloud Scheduler) | Hosting, database, AI inference, encryption | Mumbai (asia-south1) |
| Firebase Authentication (Google) | Sign-in identity | Multi-region (US-hosted) |
| Meta Platforms (WhatsApp Business Cloud API) | Brief and alert delivery | Global |
| Resend | Transactional email | US-hosted |
| Razorpay | Subscription billing | India |
| Slack Technologies | Source of channel data (your existing relationship) | Global |

7. International transfers

Your Slack data, briefs, and account profile stay in Mumbai (asia-south1). Some sub-processors operate globally — notably WhatsApp (Meta) and Resend — so data delivered through them may transit US infrastructure. Where applicable we rely on the EU Standard Contractual Clauses and adequacy decisions for cross-border transfers under GDPR. Under the DPDPA, we operate within India's notified data-transfer framework.

8. Security measures (Annex II)

  • Encryption in transit: TLS 1.2+ for every external connection. Enforced by Google Cloud, Firebase, and each upstream provider.
  • Encryption at rest: Firestore uses Google-managed encryption by default. Slack bot tokens get a second layer via Cloud KMS with a customer-managed key on a 90-day rotation.
  • Access control: least-privilege IAM. The runtime service account holds only the roles it needs (datastore.user, aiplatform.user, KMS encrypter/decrypter scoped to the specific key). No long-lived JSON keys; CI uses Workload Identity Federation.
  • Audit logging: every administrative action and Firestore operation is logged to Google Cloud Audit Logs with 400-day retention.
  • Data minimisation: raw Slack messages are not persisted after brief generation. Only the resulting brief and lightweight signals are stored.
  • Webhook verification: Slack Events API and Razorpay webhooks have HMAC-SHA256 signature verification on every call.

9. Audit and assistance

You can request a summary of our security posture by emailing privacy@9amceo.com. We don't currently offer customer-led on-site audits; we cooperate with regulator-led audits as required by law.

10. Term and termination

This addendum is in force for as long as you have an active 9AM CEO subscription, and survives termination only insofar as needed for the 48-hour data-deletion obligation.

11. Conflicts

If this addendum conflicts with our Terms of Service, this addendum controls on matters of data protection.