Legal
Data Processing Addendum (DPA)
This Data Processing Addendum (DPA) governs how TwinMinds Studio processes Customer Personal Data when providing the freelanceOS service and related support.
- Effective date: 27 October 2025
- Service: freelanceOS (CRM for freelancers)
- Processor: Thomas Graham James Birch, micro-entrepreneur, trading as TwinMinds Studio — SIREN 924 532 476, SIRET 924 532 476 00018
- Registered address: 14 Avenue Eugène Thomas, 94270 Le Kremlin-Bicêtre, Île-de-France, France
This Data Processing Addendum ("DPA") forms part of the Terms & Conditions or other written agreement between Customer and TwinMinds Studio governing the use of freelanceOS (the "Agreement"). Capitalized terms not defined here have the meanings in the Agreement.
1. Roles; Scope; Duration
1.1 Roles. For Customer Personal Data processed in the Service, Customer is the controller and TwinMinds is the processor (or sub-processor where Customer acts as a processor for its own clients).
1.2 Scope. This DPA applies solely to TwinMinds’ processing of Customer Personal Data on behalf of Customer to provide the Service and related technical support.
1.3 Duration. This DPA applies for the term of the Agreement and thereafter as required for deletion/return of data under Section 10.
2. Customer Instructions
2.1 TwinMinds shall process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer’s in-product configurations and written support requests.
2.2 TwinMinds shall promptly inform Customer if, in its opinion, an instruction infringes applicable data protection law.
3. Confidentiality & Personnel
3.1 TwinMinds ensures persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
3.2 TwinMinds will ensure personnel receive appropriate privacy and security training proportionate to their role.
4. Security
4.1 TwinMinds will implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II (Security Measures), taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing as well as risks to data subjects.
4.2 Customer is responsible for securing its own systems and for configuring the Service (e.g., access controls, API keys, role permissions) in a secure manner.
5. Sub-Processors
5.1 Customer authorizes TwinMinds to engage the sub-processors listed in Annex III and to engage new sub-processors as needed to provide the Service.
5.2 TwinMinds shall enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those in this DPA.
5.3 Changes. TwinMinds will provide notice of material changes to sub-processors (e.g., via /legal/subprocessors or in-app/email). Customer may object on reasonable grounds relating to data protection by providing written notice within 10 business days. The parties will work in good faith to resolve the objection; if not resolved, Customer may terminate the affected Service (or this Agreement if materially affected) with a pro-rata refund of any prepaid, unused fees.
6. Assistance; DPIAs; DSRs
6.1 Data subject requests. Taking into account the nature of processing, TwinMinds shall assist Customer by appropriate technical and organizational measures, insofar as possible, for fulfilling Customer’s obligations to respond to data subject requests under GDPR/UK GDPR.
6.2 DPIAs & consultation. Considering the nature of processing and the information available, TwinMinds shall provide reasonable assistance to Customer with DPIAs and prior consultations with supervisory authorities where required.
6.3 Records. TwinMinds will maintain records of processing activities as required by law.
7. Personal Data Breach
TwinMinds will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably required to enable Customer to meet its breach notification obligations, as information becomes available. TwinMinds will take appropriate steps to remediate and mitigate the effects of the breach. Target notice window: 72 hours when feasible.
8. International Transfers
8.1 EEA/UK data. Where TwinMinds or its sub-processors transfer Customer Personal Data outside the EEA or UK to a country without an adequacy decision, such transfers will be subject to appropriate safeguards, including the EU Standard Contractual Clauses (2021/914) ("SCCs") and, where applicable, the UK Addendum issued by the UK ICO.
8.2 SCCs module. The parties agree the Controller-to-Processor (Module Two) SCCs apply and are incorporated by reference with the details completed as set out in Annex I–III to this DPA. The UK Addendum is also incorporated by reference with the same annex details.
9. Audits & Information
9.1 Information. Upon written request, TwinMinds will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, policies, and responses to security questionnaires).
9.2 Audits. Where required by law, Customer (or its independent auditor bound by confidentiality) may audit TwinMinds’ compliance no more than once per 12 months with 30 days’ prior written notice, during normal business hours, and in a manner that does not unreasonably disrupt operations or compromise confidentiality/security. Remote document reviews are preferred. On-site audits, if required by law, shall be limited in scope and at Customer’s expense.
10. Return & Deletion of Data
10.1 Export. During the term, Customer may export Customer Personal Data via in-product tools (e.g., CSV/JSON reports).
10.2 Deletion. Upon Customer’s verified request or termination of the Agreement, TwinMinds shall delete Customer Personal Data from active systems within 30 days, unless retention is required by law. Backups are overwritten in the ordinary course (target ~30 days).
10.3 Certification. Upon Customer’s written request, TwinMinds will confirm completion of deletion for Customer Personal Data processed as processor.
11. Liability; Precedence
11.1 Liability. The limitations and exclusions of liability in the Agreement apply to this DPA.
11.2 Precedence. If any conflict arises between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding processing of Customer Personal Data. In case of conflict between this DPA and the SCCs, the SCCs prevail.
12. Miscellaneous
12.1 Governing law. This DPA follows the governing law and venue of the Agreement, without prejudice to the SCCs’ specific governing law where they apply.
12.2 Amendments. TwinMinds may update this DPA to reflect changes in law or sub-processors. Material changes will be notified with at least 30 days’ notice where feasible.
12.3 Counterparts; electronic acceptance. This DPA may be executed electronically or deemed accepted via click-through when accepting the Agreement.
Annex I — Description of Processing
A. Parties
- Data exporter (controller): Customer (the entity agreeing to the Agreement).
- Data importer (processor): TwinMinds Studio (details above).
B. Subject matter & duration
- Subject matter: Processing of Customer Personal Data to provide the freelanceOS Service and related support.
- Duration: Term of the Agreement plus deletion/backup periods described in Section 10.
C. Nature & purpose of processing
Hosting, storage, retrieval, organization, transmission, and display of CRM data; user management; access control; email sending via Brevo (if configured); logging, monitoring, and security; billing via Stripe; analytics for service operation and improvements.
D. Categories of data subjects
Customer’s clients, leads, and contacts; Customer’s Authorized Users; and other individuals whose data Customer uploads or collects in the Service.
E. Categories of personal data
- Identification and contact data (names, emails, phone numbers, addresses), business profile data, communications and notes, files and attachments, scheduling and invoice metadata, limited technical identifiers (IP, device, logs) related to Service use.
- Special categories of data: Not intended to be processed. Customer shall not upload special categories (GDPR Art. 9) or data on criminal convictions (Art. 10) unless expressly agreed in writing.
F. Frequency of transfer
Continuous and ad hoc as determined by Customer’s use of the Service.
G. Sensitive data & restrictions
Customer will not use the Service to process: health/PHI, full payment card PANs, government ID images, children’s data, or other regulated categories unless agreed in writing and supported by appropriate safeguards.
H. Competent supervisory authority
Determined under GDPR; for TwinMinds in France, typically the CNIL.
Annex II — Security Measures (Summary)
TwinMinds maintains the following controls, appropriate to the risk:
- Organizational: Security policies; role-based access; least-privilege and need-to-know; onboarding/offboarding; confidentiality agreements; security & privacy training.
- Physical & Environmental: Hosting via reputable cloud providers (Vercel, Supabase) with data-center certifications and physical safeguards.
- Logical / Technical: Encryption in transit (TLS) and at rest (provider-level), secrets management, MFA for admin access, network edge protections offered by providers, vulnerability management and patching cadence.
- Application Security: Secure SDLC practices; code review; dependency scanning; environment segregation; logging & monitoring; rate limiting and abuse detection.
- Data Management: Backups with routine rotation (~30 days); data minimization; deletion workflows; export tooling.
- Incident Response: Incident handling procedures; breach notification processes targeting 72 hours where feasible; post-incident review.
- Business Continuity: Cloud resilience features; recovery procedures tested periodically.
Annex III — Authorized Sub-Processors (Current)
The following providers may process Customer Personal Data to deliver the Service. Scope is limited to what is necessary for the stated purpose.
- Vercel — Application hosting and edge delivery.
- Supabase — Database, storage, and authentication.
- Stripe — Payments, invoicing, and tax calculation/collection.
- Brevo — Transactional and opted-in marketing email delivery.
- Google Analytics — Service usage analytics (EEA/UK loaded with consent). Note: used primarily for TwinMinds’ controller purposes; telemetry may relate to Customer’s users.
TwinMinds may update this list from time to time; material changes will be notified per Section 5.3.
Annex IV — International Transfer Mechanisms
EU Standard Contractual Clauses (2021/914/EU)
- Module: Controller-to-Processor (Module Two).
- Clause 9 (sub-processors): General authorization with notice and objection per DPA Section 5.3.
- Clause 11 (redress): Not applicable.
- Annex I–III: As set out in this DPA.
- Governing law for SCCs: Laws of France; supervisory authority: CNIL.
UK Addendum to the EU SCCs (ICO)
- Table 1–3: As per Annex I–III.
- Table 4 (Terms): Importer may make reasonable changes to the Addendum that do not reduce data subjects’ protections.
Signatures / Acceptance
This DPA is effective as of the Effective Date and is incorporated into the Agreement. Where signatures are required, the parties may execute electronically. Acceptance may also occur via click-through when enabling or continuing to use the Service after notice of this DPA.