Data Processing Addendum (DPA)
Last Updated: October 2025
Version 1.0 — October 2025
Entity: Journey Bound Media, LLC dba DecodeIQ
Jurisdiction: State of New Mexico, United States
Contact: Privacy Email
1. Purpose and Scope
This Data Processing Addendum ("DPA") forms part of the DecodeIQ Terms of Service and applies when DecodeIQ processes Personal Data on behalf of a Customer under the General Data Protection Regulation (EU) 2016/679 ("GDPR") or comparable data protection laws.
The DPA governs all processing of Personal Data performed by Journey Bound Media, LLC dba DecodeIQ ("Processor") for the Customer ("Controller").
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing, Processor, Controller, Data Subject, and Personal Data Breach have the meanings defined in Article 4 of the GDPR.
- Sub-Processor: any third party engaged by DecodeIQ to process Personal Data on behalf of the Controller.
- Services: the DecodeIQ Platform, APIs, and related systems described in the Terms of Service and Technical Architecture & Deployment Specification v2.3.
3. Nature and Purpose of Processing
DecodeIQ processes Personal Data solely to:
- Create, manage, and authenticate user accounts.
- Execute semantic analyses, briefs, and draft generation through the MNSU Engine.
- Store workspace data, usage metrics, and credit balances.
- Provide billing and subscription services.
- Maintain service reliability, security, and compliance.
No processing for independent purposes occurs. DecodeIQ does not sell, share, or profile personal data for marketing without explicit consent.
4. Duration of Processing
Processing continues for the duration of the Customer's active subscription and for up to 30 days thereafter, solely for secure deletion, data transfer, or billing record retention.
5. Categories of Data Subjects and Data Types
| Category | Examples |
|---|---|
| Data Subjects | Customer employees, contractors, or agents using the Platform |
| Personal Data | Name, email, workspace identifiers, billing details, IP address, logs |
| Derived Data | Usage telemetry, anonymized embeddings (non-personal) |
DecodeIQ does not intentionally process special category data (GDPR Art. 9).
6. Controller Responsibilities
The Controller is responsible for:
- Determining the lawfulness of processing activities.
- Providing all necessary notices to Data Subjects.
- Ensuring data accuracy, minimization, and retention discipline.
- Managing end-user authentication and role access within the Platform.
7. Processor Obligations
DecodeIQ shall:
- Process only on documented instructions from the Controller.
- Maintain confidentiality of all Personal Data.
- Implement appropriate technical and organizational measures (see Section 9).
- Assist the Controller in responding to Data Subject requests (Art. 12–23 GDPR).
- Notify the Controller without undue delay, and within 72 hours, after becoming aware of any Personal Data Breach.
- Provide deletion or return of all Personal Data after termination.
- Maintain records of processing activities (Art. 30(2) GDPR).
- Enable audits or provide equivalent documentation upon reasonable request.
8. Sub-Processors
DecodeIQ uses the following Sub-Processors to deliver its services. Each is bound by written agreements ensuring equivalent data protection standards.
| Category | Sub-Processor | Jurisdiction | Transfer Mechanism |
|---|---|---|---|
| Hosting & DB | Supabase (Postgres, Auth, Storage) | U.S. | SCCs / DPF |
| Frontend Hosting | Vercel | U.S. | DPF |
| DNS / CDN | Cloudflare | U.S. / EU | DPF |
| Search Data | Bright Data | U.S. / Israel | SCCs |
| Crawling / Ingestion | SpiderCloud | EU / U.S. | SCCs |
| Vector Storage | Pinecone | U.S. | DPF |
| Payments | Stripe | U.S. / EU | DPF |
| AI Processing | OpenAI, Anthropic, Google (Gemini) | U.S. | SCCs / DPF |
| Analytics | PostHog, Google Analytics | U.S. / EU | SCCs / DPF |
| Marketing / Email | MailerLite | EU | SCCs |
DecodeIQ shall provide at least 30 days' notice of any intended addition or replacement of Sub-Processors. Controllers may object to changes based on reasonable data protection concerns.
9. Security Measures
DecodeIQ maintains layered security consistent with ISO 27001-equivalent controls and the measures documented in its Technical Architecture & Deployment Specification v2.3:
- AES-256 encryption at rest, TLS 1.3 in transit
- Row-Level Security isolation for each workspace
- Role-based access control (RBAC) for internal systems
- Multi-factor authentication for all administrative accounts
- 24-hour RPO / 15-minute RTO backup policy
- Continuous monitoring (PostHog + Cloudflare + Supabase telemetry)
- Logging of all API access events (anonymized)
- Breach notification procedure within 72 hours of discovery
DecodeIQ's security framework is reviewed quarterly and updated as systems evolve.
10. Data Transfers Outside the EEA, UK, or Switzerland
DecodeIQ and its Sub-Processors may transfer Personal Data to the United States or other jurisdictions that lack an adequacy decision. In such cases, transfers rely on:
- The EU Standard Contractual Clauses (2021/914/EU); or
- Participation in the EU–U.S. Data Privacy Framework (DPF); or
- Equivalent UK and Swiss addenda as required.
Signed copies of SCCs are available upon request to Privacy Email.
11. Data Subject Requests
DecodeIQ shall:
- Promptly forward any Data Subject request received directly.
- Provide reasonable assistance to fulfill such requests.
- Delete, restrict, or export data as instructed by the Controller, subject to technical feasibility.
All requests are logged in DecodeIQ's secure compliance registry.
12. Breach Notification
DecodeIQ shall notify the Controller without undue delay and within 72 hours after becoming aware of a confirmed Personal Data Breach. Notifications will include:
- Nature and scope of the breach
- Data types affected
- Likely consequences
- Mitigation actions taken
DecodeIQ will cooperate fully in breach investigation and remediation.
13. Audit Rights
Controllers may request:
- DecodeIQ's most recent Security & Compliance Statement; or
- A remote or on-site audit (limited to once per year) at reasonable notice and cost.
DecodeIQ may substitute third-party certifications or penetration test reports that demonstrate equivalent assurance.
14. Return or Deletion of Data
Upon termination of services, DecodeIQ will:
- Delete all Personal Data within 30 days, unless legal obligations require retention.
- Provide written confirmation of deletion upon request.
Backups are automatically purged on a 30-day rolling basis.
15. Liability
DecodeIQ's total aggregate liability under this DPA shall not exceed the total fees paid under the master agreement during the 12 months preceding the event giving rise to liability. This limitation does not apply to intentional or grossly negligent breaches.
16. Governing Law & Jurisdiction
This DPA shall be governed by the laws of the State of New Mexico, United States, without regard to conflicts of law principles. Where required by GDPR, disputes may alternatively be brought before the competent courts of the Customer's Member State.
17. Term and Termination
This DPA remains in effect for the duration of the Controller's active subscription or until deleted data has been confirmed removed per Section 14.
18. Contact Information
Data Protection Officer
Journey Bound Media, LLC dba DecodeIQ
Albuquerque, New Mexico, USA
Privacy Email
Effective Date: October 18, 2025
Version: 1.0