Data Processing Agreement
Last updated: 6 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Tactus Adaptive Group Ltd, trading as Swiftshot ("Processor", "we", "us"), and the customer ("Controller", "you") for the use of the Swiftshot service.
This DPA applies where we process personal data on your behalf in connection with the Swiftshot service, and supplements our Terms of Service and Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means the UK GDPR, EU GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.
- "Sub-processor" means any third party appointed by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Processing" has the meaning given under applicable Data Protection Laws.
2. Scope and Roles
You are the Controller and we are the Processor of the Personal Data processed through the Swiftshot service. The categories of Personal Data and Data Subjects are set out in Annex 1 below.
3. Our Obligations
We shall:
- Process Personal Data only on your documented instructions, unless required by law to do otherwise
- Ensure that persons authorised to process the Personal Data are subject to obligations of confidentiality
- Implement appropriate technical and organisational security measures as described in our Security page
- Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist you in meeting your obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and information available to us
- At your choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless storage is required by law
- Make available all information necessary to demonstrate compliance with our obligations and allow for audits
4. Sub-processors
You provide general authorisation for us to engage the Sub-processors listed below. We will notify you of any intended changes to Sub-processors, giving you the opportunity to object. If you object on reasonable grounds, you may terminate the affected service.
Current Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Clerk | Authentication | US | Email address, name, session data |
| Supabase | Database hosting | EU/US | All service data (profiles, meetings, actions, team members) |
| Anthropic | AI action extraction | US | Meeting notes (processed in real-time, not retained) |
| Resend | Email delivery | EU | Recipient email addresses, action content |
| Stripe | Payment processing | US | Email address, payment method, billing data |
| Vercel | Application hosting | US | IP addresses, request logs |
| Sentry | Error monitoring | US | Error traces, IP addresses, browser metadata |
| Slack | Action delivery (optional) | US | Workspace data, action content (when connected) |
5. International Transfers
Where Personal Data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place. These include:
- Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner
- Adequacy decisions where applicable
- Additional supplementary measures where required by the circumstances of the transfer
6. Security Measures
We implement the following technical and organisational measures to protect Personal Data:
- Encryption in transit (TLS) for all data transfers
- Encryption at rest at the infrastructure level
- Row-Level Security (RLS) on all database tables
- Authentication via an enterprise-grade provider (Clerk) with email verification
- Rate limiting on all API endpoints
- Server-side credential management — no secrets exposed to clients
- Webhook signature verification for payment events
- Input validation and output escaping to prevent injection attacks
- Error monitoring with automated alerting (Sentry)
- Regular dependency updates and security patching
Full details of our security practices are available on our Security page.
7. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information for you to meet your obligations to report the breach to the relevant supervisory authority and/or affected Data Subjects
- Take reasonable steps to mitigate the effects of the breach and minimise any damage
- Cooperate with you and take reasonable commercial steps as directed to assist in the investigation, mitigation, and remediation of the breach
8. Data Subject Requests
We will promptly notify you if we receive a request from a Data Subject to exercise their rights under Data Protection Laws. We will not respond to the request directly unless authorised by you. We will provide reasonable assistance to help you fulfil your obligation to respond to such requests.
9. Data Retention and Deletion
- Meeting data: Retained while your account is active, subject to your plan's history limits
- Account data: Retained until you delete your account
- Team member data: Soft-deleted on removal, permanently purged on account deletion
- Payment records: Retained for 7 years as required by UK tax law
- Error logs: Retained for 90 days
Upon termination of the service, we will delete all Personal Data within 30 days, except where retention is required by law.
10. Audits
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. You may conduct an audit, or appoint a third-party auditor (subject to reasonable confidentiality obligations), to verify our compliance. Such audits shall be conducted with reasonable notice (minimum 30 days), during normal business hours, and no more than once per year unless required by a supervisory authority or triggered by a data breach.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12. Term and Termination
This DPA takes effect when you begin using the Swiftshot service and remains in force for as long as we process Personal Data on your behalf. The obligations in this DPA survive termination to the extent necessary to fulfil our data protection obligations.
Annex 1 — Details of Processing
Categories of Data Subjects
- The Controller's employees and authorised users of the Swiftshot service
- Team members added by the Controller (action recipients)
Categories of Personal Data
- Contact information (name, email address)
- Meeting notes and transcripts (as submitted by the Controller)
- Extracted action items (task descriptions, assignees, due dates, priorities)
- Workspace and organisational data
- Payment and billing data (managed by Stripe)
- Authentication data (managed by Clerk)
- Usage data and error logs
Nature and Purpose of Processing
Processing is carried out for the purpose of providing the Swiftshot service: extracting action items from meeting notes using AI, assigning them to team members, and delivering notifications via email and/or Slack.
Duration of Processing
For the duration of the Controller's use of the Swiftshot service, plus any retention period required by law or specified in the data retention schedule above.
13. Contact
For questions about this DPA, contact us at obsidlabs@gmail.com.