Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the agreement between myday ("Processor") and the customer ("Controller") for the provision of CRM services.

1. Definitions

  • Controller — The customer organization that determines the purposes and means of processing personal data
  • Processor — myday, which processes personal data on behalf of the Controller
  • Sub-processor — A third-party service engaged by myday to assist in processing data
  • Personal Data — Any information stored within myday that relates to an identified or identifiable natural person
  • Processing — Any operation performed on personal data, including storage, retrieval, and deletion

2. Scope of Processing

myday processes personal data on behalf of the Controller for the purpose of providing CRM services. This includes storing and managing:

  • Contact information (names, emails, phone numbers, addresses)
  • Lead and deal records
  • Notes, activities, and communication history
  • File attachments uploaded by the Controller
  • User account data for the Controller's team members

3. Controller Obligations

The Controller is responsible for:

  • Ensuring a lawful basis for processing personal data
  • Providing any required notices to data subjects
  • Ensuring the accuracy of data entered into myday
  • Responding to data subject requests (with myday's assistance as needed)

4. Processor Obligations

myday will:

  • Process personal data only on documented instructions from the Controller
  • Ensure that personnel authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

myday uses the following sub-processors to deliver its services:

  • Supabase (AWS) — Database hosting and authentication (US region)
  • Vercel — Application hosting and edge delivery (global)
  • Payment processor — Payment processing (US/EU)
  • Resend — Transactional email delivery (US)
  • Sentry — Error monitoring and performance tracking (US)
  • Anthropic — AI insights generation (US)

We will notify the Controller at least 30 days before adding a new sub-processor. The Controller may object to a new sub-processor by contacting us within that period.

6. Data Transfers

When personal data is transferred outside the European Economic Area, myday relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processor certifications and compliance frameworks (e.g., SOC 2)

7. Security Measures

myday implements the following security measures to protect personal data:

  • Encryption in transit — TLS 1.3 for all data transfers
  • Encryption at rest — AES-256 encryption for stored data
  • Access controls — Role-based access control with least-privilege principles
  • Audit logging — Comprehensive audit trails for data access and modifications
  • Authentication — Secure password hashing (bcrypt) and OAuth 2.0 support
  • Row-Level Security — Database-level tenant isolation via PostgreSQL RLS
  • Regular backups — Automated daily backups with point-in-time recovery

8. Data Breach Notification

In the event of a personal data breach, myday will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide details of the breach, including the nature of the data affected and the approximate number of data subjects
  • Describe the measures taken or proposed to address the breach
  • Cooperate with the Controller in notifying relevant supervisory authorities and affected data subjects, as required

9. Data Deletion

Upon termination of the agreement or at the Controller's request:

  • The Controller has 30 days to export all data via CSV
  • After 30 days, all personal data is permanently deleted from active systems
  • Backups containing the data are purged within 90 days
  • myday will provide written confirmation of deletion upon request

10. Audits

The Controller may audit myday's compliance with this DPA by requesting our most recent SOC 2 report or equivalent security documentation. On-site audits may be arranged with reasonable advance notice and at the Controller's expense.

11. Contact

For DPA-related inquiries, email us at support@mydaycrm.com.