
Data Processing Agreement

Version 1.0 · Last updated: April 21, 2026

How to sign this DPA

This page is our standard DPA. For Team or Enterprise customers who require a countersigned copy, email legal@focushq.app with your company legal name, address, and VAT / tax identifier. We respond within two business days with a PDF pre-signed on our side for you to counter-sign. By continuing to use a paid FocusHQ plan, you are treated as accepting the terms below on behalf of your organisation.

Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Customer — the organisation identified in the FocusHQ account billing information (the “Controller”), and
  • Andrii Tymoshchuk FOP, a Ukrainian sole proprietorship doing business as “FocusHQ” (the “Processor”).

This DPA forms part of, and is governed by, the FocusHQ Terms of Service. Capitalised terms not defined here have the meanings given in those Terms or in GDPR Art. 4.

1. Subject Matter and Duration

The Processor processes Personal Data on behalf of the Controller strictly for the purpose of providing the FocusHQ service. This DPA applies for as long as the Controller’s account is active and during any subsequent data-retention period required by law.

2. Nature and Purpose of Processing

Aggregating and displaying email, calendar, task, and other productivity data from sources the Controller connects via OAuth; AI-assisted triage, drafting, planning, and semantic search; usage analytics for service improvement; security and abuse prevention.

3. Categories of Data Subject

  • Controller’s employees, contractors, and other authorised end-users of the Service.
  • The senders and recipients of messages the Controller’s users choose to process through FocusHQ (incidental to integration sync).
  • Contacts, meeting attendees, and task assignees referenced in synced data.

4. Categories of Personal Data

  • Identity data: name, email address, avatar, user identifier.
  • Connection data: OAuth tokens (encrypted), provider account identifiers.
  • Content data: message metadata and bodies, calendar events, task titles and descriptions, file references, and the textual embeddings derived from them.
  • Usage data: feature usage, AI prompt + completion telemetry (redacted), session metadata, focus-session statistics.
  • Device and diagnostic data: crash reports, performance traces, hashed IP/UA fingerprints.

5. Special Category Data

The Service is not designed to process special-category data (GDPR Art. 9). The Controller agrees not to route health, biometric, or other special-category data through FocusHQ without a separate written agreement.

6. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (the Terms, Privacy Policy, in-app configuration, and explicit written instructions).
  • Ensure that persons authorised to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures as set out in Annex II.
  • Respect the conditions for engaging sub-processors in §8.
  • Assist the Controller with data-subject requests (§9) and with DPIAs and prior consultations under GDPR Art. 35-36.
  • Notify the Controller of Personal Data Breaches as set out in §10.
  • Delete or return Personal Data at the end of the service per §11, at the Controller’s choice.
  • Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for audits as set out in §12.

7. Controller Obligations

The Controller warrants that it has a lawful basis under GDPR Art. 6 (and Art. 9 if ever applicable) for each category of Personal Data submitted to the Service, has provided required notices to its data subjects, and has obtained all required consents.

8. Sub-processors

The Controller provides general written authorisation for the Processor to engage the sub-processors listed at focushq.app/subprocessors (also reproduced in the Privacy Policy §4). The Processor will:

  • Impose the same data-protection obligations on each sub-processor via contract.
  • Announce additions or replacements at least 14 days before they take effect, giving the Controller the opportunity to object.
  • If the Controller reasonably objects, the Processor will work to resolve the objection and, failing resolution, the Controller may terminate the affected Service portion and receive a pro-rated refund.

9. Assistance with Data-Subject Requests

The Service offers in-app self-service for access (GDPR Art. 15 + 20 — GET /api/v1/users/me/export) and erasure (Art. 17 — DELETE /api/v1/users/me). The Processor will additionally provide reasonable assistance, at the Controller’s cost if the request is manifestly unfounded or excessive, to respond to requests the Controller receives directly from data subjects.

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay and in any case within 72 hours after becoming aware of a Personal Data Breach affecting the Controller’s data, providing the information required by GDPR Art. 33(3) to the extent known, and supplementing the notification as more information becomes available. Notifications are sent to the email address associated with the Controller’s account and to any security-contact address the Controller has supplied in writing.

11. Return or Deletion

On termination or expiry, the Controller can export all data via the in-app export endpoint (or API), and — at the Controller’s choice — the Processor will delete all Personal Data from production systems immediately and from encrypted backups within 30 days (see Privacy Policy §6), unless retention is required by applicable law (e.g. billing records held by Paddle for seven years).

12. Audits

The Controller may, no more than once per twelve-month period and at its own cost, audit the Processor’s compliance with this DPA. Audits may take the form of: (a) review of available third-party certifications and audit reports (e.g. sub-processor SOC 2 Type II, ISO 27001 summaries); (b) a questionnaire the Processor responds to in writing; (c) for cause, a supervised on-site or remote audit subject to 30 days’ notice, mutual NDAs, and mutually-agreed scope. The Controller will bear the costs of any such audit except where the audit reveals a material breach of this DPA.

13. International Transfers

To the extent transferring Personal Data outside the EEA/UK is necessary to provide the Service (see Privacy Policy §5), the parties rely on the 2021 European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor), which are incorporated into this DPA by reference. Where the UK GDPR applies, the UK International Data Transfer Addendum (IDTA) is likewise incorporated. The countries of sub-processor residency and applicable safeguards are set out in Annex III. Additional supplementary measures: TLS 1.3 in transit, AES-256-GCM at rest, least-privilege production access, published sub-processor list updated with 14-day notice.

14. Liability

Each party’s aggregate liability under or in connection with this DPA is subject to the liability cap set out in the Terms of Service, except that nothing limits liability for damages a party causes by processing data in breach of GDPR or the SCCs, or liability that cannot lawfully be limited.

15. Governing Law

This DPA is governed by the laws of Ukraine, consistent with the Terms of Service. The SCCs are governed by the law of the country specified in the SCCs themselves (Ireland, as the EU member state with which the Processor has the closest connection in terms of sub-processor residency).

Annex I — Processing Details

  • Data exporter: Controller (the Customer).
  • Data importer: Andrii Tymoshchuk FOP (Processor).
  • Categories of data subjects / data: as set out in §3 and §4 above.
  • Nature + purpose of processing: as set out in §2 above.
  • Duration: term of the FocusHQ subscription plus retention periods described in Privacy §6.

Annex II — Technical and Organisational Measures

  • Encryption. AES-256-GCM at rest for OAuth tokens, refresh tokens, and license keys. TLS 1.3 in transit for all client ↔ server traffic.
  • Access control. Production secrets live only in Railway + Vercel environment scopes. No raw secrets in source control. Two-factor authentication required for all administrative accounts (Supabase, Railway, Vercel, Cloudflare, Paddle, Anthropic).
  • Network. Database traffic over private network from Railway to Supabase. Cloudflare in front of public endpoints for DDoS protection and WAF.
  • Authentication. Short-lived JWT access tokens (15 min), opaque refresh tokens with family-reuse detection, per-web-session CSRF tokens.
  • Backups. Daily Supabase snapshots with 7-day point-in-time recovery. Backups encrypted at rest.
  • Logging. Application logs retained 30 days with PII scrubbing at ingest. Error traces in Sentry with source-map-resolved stack traces only; event payloads scrubbed for tokens, emails, and phone numbers.
  • Least privilege. Per-environment service accounts. No shared credentials across staging and production.
  • Incident response. 24-hour triage target for security reports to security@focushq.app; 72-hour breach-notification commitment per §10.
  • Secure development. Code review required for all changes touching auth, encryption, or payment paths. Dependency vulnerability scanning via npm audit and GitHub security alerts.

Annex III — Sub-processors

The current list of sub-processors, their purpose, and their country of residency is published at focushq.app/subprocessors and is mirrored in the Privacy Policy §4. All sub-processor engagements include written data-protection terms equivalent to those in this DPA.
