This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between ThreadPatrol ("Processor") and the Customer ("Controller") for the use of the ThreadPatrol Slack App services.
1. Context & Architecture (The "Slack-Native" Model)
Unlike traditional SaaS platforms that ingest and store all customer data, ThreadPatrol operates as a "Minimal-Footprint Processor" within your Slack environment.
- Minimal Content Retention: To provide AI-powered threading suggestions, ThreadPatrol caches the last 50 messages per channel with a 90-day rolling TTL. This cache is automatically purged and immediately deleted upon uninstallation.
- Metadata Retention: ThreadPatrol retains only metadata (e.g., timestamps, user IDs, channel IDs) and classification logs necessary to provide the Service and audit logs.
- Hosting: ThreadPatrol's core infrastructure is hosted in the European Union (AWS Frankfurt/Dublin).
2. Definitions
- "CCPA" means the California Consumer Privacy Act.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
- "Sub-processor" means any third party appointed by Processor to process Personal Data.
3. Scope and Details of Processing
- Subject Matter: Provision of the ThreadPatrol Slack bot services (channel organization, message moving, threading prompts).
- Duration: The term of the Agreement plus the period until all Personal Data is deleted or returned.
- Nature and Purpose: Automated analysis of Slack messages to detect context, create threads, and organize workspace communication.
- Categories of Data:
  - Slack Profile Data: Usernames, Email addresses, Slack User IDs, Avatars.
  - Communication Data: Content of last 50 messages per channel (cached with 90-day TTL for AI analysis context; deleted on uninstall).
  - Metadata: Channel names, timestamps, thread relationships.
- Data Subjects: Users within the Controller's Slack Workspace.
4. Processor Obligations
Processor shall:
- Instructions: Process Personal Data only on documented instructions from Controller (including this DPA and the Agreement), unless required by law.
- Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- Security: Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:
  - Encryption of data in transit (TLS 1.2+) and at rest (AWS KMS).
  - Strict logical separation of customer data.
  - Regular security assessments (SOC 2 aligned controls).
- Sub-processors: Not engage another processor without general written authorization. Controller authorizes the current sub-processors listed in Annex 1. Processor will inform Controller of intended changes, giving Controller the opportunity to object.
- Rights of Data Subjects: Assist Controller, insofar as possible, in fulfilling Controller's obligation to respond to requests for exercising the data subject's rights.
- Data Breach: Notify Controller without undue delay after becoming aware of a Personal Data Breach.
5. International Data Transfers
- Primary Processing Location: European Union (EU).
- Transfers: If Personal Data is transferred to a country without an adequacy decision (e.g., to a US-based sub-processor not covered by DPF), such transfers shall be governed by the Standard Contractual Clauses (SCCs).
6. Deletion or Return of Data
Upon termination of the Service, Processor shall delete all Personal Data (including metadata and logs) in accordance with its standard retention policies, unless applicable law requires storage. Note that message content is already discarded immediately after processing.
ANNEX 1: AUTHORIZED SUB-PROCESSORS
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure, Hosting, Database | Ireland / Germany (EU) |
| Google Cloud (Vertex AI) | LLM / Semantic Analysis of Messages | Belgium (EU) |
| Stripe | Payment Processing & Billing | USA / Global |
ANNEX 2: SECURITY MEASURES
- Encryption: All data in transit is encrypted via TLS 1.2+. Data at rest (metadata/logs) is encrypted via AES-256.
- Access Control: Least-privilege access model for support staff. MFA required for all internal access.
- Ephemeral Design: Architecture designed to minimize data footprint; message bodies are not written to persistent disk storage.
Contact
ThreadPatrol
Email: support@thread-patrol.com