Data Processing Agreements & Subprocessor Management
The Legal Foundation for Enterprise Data Handling
Every enterprise client will require a signed Data Processing Agreement (DPA) before any personal data flows through the ReGenesis platform. The DPA is a legal contract that defines how ReGenesis processes personal data on behalf of the client, what protections are in place, and what happens when things go wrong or the contract ends.
For ReGenesis, the DPA is especially critical because the platform processes highly sensitive data: coaching conversations that may include personal struggles, career anxieties, relationship dynamics, health concerns, and AI-generated psychological insights. Enterprise clients -- particularly McKinsey -- will scrutinize the DPA more carefully than for a typical SaaS tool.
ReGenesis builds its DPA to GDPR Article 28 standards from day one, even for US-only operations. This ensures the agreement satisfies both US enterprise requirements and European data protection authorities when international expansion begins. The DPA includes a transparent subprocessor list (AWS, Anthropic, and others), standard contractual clauses for international data transfers, right-to-audit provisions, and clear data return/deletion procedures on contract termination.
What Is a DPA and Why Do We Need One?
A Data Processing Agreement is a legal contract between the data controller (the enterprise client, e.g., McKinsey) and the data processor (ReGenesis). Under GDPR Article 28, this agreement is legally mandatory whenever a processor handles personal data on behalf of a controller.
Even for US-only clients, a DPA has become standard enterprise practice. Most Fortune 500 procurement teams will not move forward without one.
What the DPA Must Cover
DPA Template Structure
The ReGenesis DPA follows the standard structure expected by enterprise legal teams:
| Section | Content |
|---|---|
| 1. Definitions | Key terms (personal data, processing, data subject, etc.) |
| 2. Scope and Purpose | What data is processed, for whom, and why |
| 3. Processor Obligations | ReGenesis commitments as data processor |
| 4. Controller Obligations | Client's responsibilities |
| 5. Data Subject Rights | How access, deletion, and portability requests are supported |
| 6. Personnel | Confidentiality obligations, training requirements |
| 7. Security Measures | Technical and organizational measures (Annex) |
| 8. Subprocessors | List, notification, objection rights |
| 9. International Transfers | SCCs, adequacy decisions, supplementary measures |
| 10. Data Breach | Notification timeline (72 hours), cooperation |
| 11. Audit | Right to audit, scope, frequency, cost allocation |
| 12. Return & Deletion | What happens when the contract ends |
| 13. Liability | Caps, indemnification, insurance |
| Annex A | Description of processing activities |
| Annex B | Technical and organizational security measures |
| Annex C | List of subprocessors |
| Annex D | Standard Contractual Clauses (if applicable) |
Types of Personal Data Processed
| Data Category | Examples | Sensitivity Level |
|---|---|---|
| Identity Data | Name, email, role, organization | Standard |
| Authentication Data | Hashed passwords, SSO tokens, MFA seeds | High |
| Coaching Session Data | Transcripts, notes, action items | Very High |
| Psychological Insights | AI-generated personality assessments, behavioral patterns | Very High |
| Goal & Progress Data | Personal goals, milestone tracking, self-assessments | High |
| Communication Data | Messages between coach and coachee | High |
| Usage Data | Login times, feature usage, session duration | Standard |
| Technical Data | IP addresses, device info, browser data | Standard |
Coaching transcripts and AI-generated psychological insights represent the most sensitive data categories. These require enhanced protections: field-level encryption, strict access controls (coach_only visibility tag), and explicit consent for AI processing. Enterprise clients may require that this data never leaves the primary AWS region.
Subprocessor List
ReGenesis must maintain a transparent, up-to-date list of all subprocessors who handle personal data:
| Subprocessor | Purpose | Data Processed | Location | DPA Status |
|---|---|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, database hosting, storage | All platform data | us-east-1 (N. Virginia) | AWS DPA signed |
| Anthropic | AI inference (Claude API) for Sasha coaching engine | Coaching prompts, session context | US | DPA required |
| Stripe | Payment processing | Billing name, email, payment tokens | US | Stripe DPA signed |
| SendGrid / AWS SES | Transactional email | Name, email, notification content | US | DPA required |
| Datadog / CloudWatch | Monitoring and logging | Technical logs (anonymized) | US | DPA required |
| Vanta / Drata | Compliance automation | Employee data, system configurations | US | DPA required |
Under GDPR Article 28(2), ReGenesis must notify clients before adding or replacing subprocessors. The standard notification period is 30 days before the change takes effect. Clients have the right to object; if the objection cannot be resolved, the client may terminate the affected services.
Enterprise-Specific DPA Customizations
Large enterprise clients (McKinsey, Fortune 500) may request customizations. Common requests:
| Request | ReGenesis Position | Notes |
|---|---|---|
| Shorter breach notification (24 hrs instead of 72) | Negotiable | ReGenesis can commit to 48 hours initial notification |
| On-site audit rights | Accept with scheduling constraints | 30-day notice, during business hours, max 1/year |
| Data residency requirements | Accept for primary region | All production data in us-east-1 |
| Custom data retention periods | Accept | Client can specify shorter retention |
| Deletion certification | Accept | Signed certification within 30 days of deletion |
| Named security contact | Accept | Security Officer is the named contact |
| Insurance minimums | Negotiable | Standard is $5M cyber liability |
| Subprocessor pre-approval | Decline | ReGenesis offers notification + objection rights instead |
| Source code escrow | Negotiable | May accept for large contracts |
Data Return and Deletion on Termination
When a client contract ends, a clear process governs data return and deletion:
- Transition Period (30 days): Client can export all their data via API or bulk export
- Data Return: Provide all client data in machine-readable format (JSON/CSV)
- Deletion: Delete all client data from production systems within 30 days
- Backup Purge: Delete from backups within 90 days (standard backup rotation)
- Certification: Provide written certification of deletion
- Exceptions: Retain only what is legally required (tax records, audit logs required by law)