This Data Processing Agreement ("DPA") forms part of the Terms of Service between DDS Media Marketing LLC ("SheetXAI," "we," "us," or "Processor") and you ("Client" or "Controller") for the use of the SheetXAI service.
1. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person processed through the SheetXAI service.
Processing: Any operation performed on Personal Data, including collection, storage, use, or deletion.
Controller: The Client, who determines the purposes and means of processing Personal Data.
Processor: SheetXAI (DDS Media Marketing LLC), who processes Personal Data on behalf of the Controller.
Sub-processor: Any third-party service provider engaged by SheetXAI to process Personal Data.
Data Subject: The individual whose Personal Data is being processed.
EU SCCs: The Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A below.
2. SCOPE OF PROCESSING
What data we process:
- Email address and account information submitted at registration
- Subscription and billing information (processed by Stripe)
- API keys and integration settings you configure (encrypted at rest)
- Anonymized prompt text from your AI interactions (not linked to your identity)
- Conversation logs for the duration of an active session only
What we do not store:
- Spreadsheet cell data or file contents
- Any data from your Google Sheets or Excel files beyond what you explicitly include in a prompt
- Conversation logs beyond the active session — these are permanently deleted when you clear your conversation or end your session
Why we process it:
- To provide the SheetXAI service and enable AI-powered spreadsheet operations
- To manage your account, subscription, and credits
- To store your settings and API keys securely between sessions
- To review anonymized prompts for debugging, quality improvement, and service development
Duration of processing:
- Account data: Retained while your account is active
- API keys and settings: Retained while your account is active
- Anonymized prompts: Retained for up to 30 days, then permanently deleted
- Conversation logs: Retained only for the duration of the active session; permanently deleted when you clear your conversation
- Spreadsheet data: Not retained — processed in-memory during the request only
3. OUR OBLIGATIONS AS PROCESSOR
We will:
- Process data only per your instructions: We process Personal Data only as necessary to provide the SheetXAI service or as directed by you.
- Maintain confidentiality: Access to Personal Data is strictly limited to authorized personnel bound by confidentiality obligations.
- Implement security measures:
  - Encryption in transit (TLS/SSL)
  - Encryption at rest for sensitive data including API keys
  - Secure authentication and access controls
  - Regular security monitoring
- Assist with data subject requests: We will help you respond to requests for data access, correction, deletion, or portability within 48 hours of your written request.
- Delete data on request: Upon account cancellation or written request, we will permanently delete all Personal Data associated with your account.
- Notify you of breaches: If we discover a security breach affecting your Personal Data, we will notify you within 72 hours with details of the incident and our remediation steps.
4. SUB-PROCESSORS
Default sub-processors: The following sub-processors are used by default to provide the SheetXAI service:
| Sub-processor | Service | Address | Location | Purpose | Certifications |
|---|---|---|---|---|---|
| Vercel Inc. | Hosting | 440 N Barranca Ave #4133, Covina, CA 91723, United States | US | Application hosting and delivery | SOC2 Type II |
| Stripe, Inc. | Payment Processing | 354 Oyster Point Blvd, South San Francisco, CA 94080, United States | US | Subscription billing and payment processing | PCI DSS Level 1, SOC2 Type II |
| Google LLC | Authentication | 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | US | OAuth authentication and Google Workspace integration | ISO 27001, SOC2 Type II |
| Google LLC | Analytics | 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | US | Anonymous usage analytics (no personal data) | ISO 27001, SOC2 Type II |
| OpenRouter Inc. | AI Request Routing | San Francisco, CA, United States | US | Routing AI requests to your selected AI provider | GDPR Compliant (via SCCs) |
Sub-processor changes: We will notify you via email at least 5 days before adding or replacing any default sub-processor. You may object within this period by writing to david@sheetxai.com. If we cannot accommodate your objection, you may terminate your account.
AI providers — user-selected integrations: SheetXAI routes your prompts to whichever AI provider you select (e.g. OpenAI, Google Gemini, Anthropic Claude, or others available via OpenRouter). These AI providers are not SheetXAI sub-processors. By selecting an AI provider, you are directing SheetXAI to transmit your prompt to that provider under that provider's own terms of service and privacy policy. SheetXAI does not add personal data to these requests. Any personal data present in a prompt is there because you included it, and its handling by the AI provider is governed by that provider's policies.
Bring your own API key: Users may optionally connect their own API keys for supported AI providers. When you use your own API key, your prompts are sent to your chosen provider via OpenRouter under your own account and that provider's data processing terms. SheetXAI does not retain or have access to the content of these requests. You are responsible for reviewing the data handling practices of whichever provider you choose. Note that OpenRouter, as the routing layer, may retain prompt data in accordance with their own privacy policy at openrouter.ai/privacy.
An up-to-date list of default sub-processors is maintained at https://sheetxai.com/data-processing-agreement
5. DATA LOCATION & INTERNATIONAL TRANSFERS
Primary storage: United States (via Vercel)
For EU/UK/Swiss clients: By using SheetXAI, you acknowledge that Personal Data will be transferred to and processed in the United States.
Standard Contractual Clauses: For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties agree to be bound by the EU SCCs (Module 2: Controller to Processor) as set forth in Schedule A of this DPA. By accepting this DPA, both parties are deemed to have executed the EU SCCs.
Our infrastructure providers maintain appropriate data protection safeguards including Standard Contractual Clauses and compliance certifications required for international data transfers.
6. YOUR RIGHTS & RESPONSIBILITIES
You are responsible for:
- Ensuring you have a legal basis to process any personal data present in your spreadsheets
- Providing appropriate privacy notices to any individuals whose data may appear in your sheets
- Ensuring that any personal data you include in a prompt to an AI provider is handled in compliance with applicable law
- Using SheetXAI in compliance with applicable data protection laws
You have the right to:
- Export your account data at any time by contacting us
- Request immediate deletion of your account and associated data
- Request our security documentation
- Object to new default sub-processors within the 5-day notification period
- Terminate the agreement if you object to a sub-processor change
7. DATA DELETION & RETENTION
| Data Type | Retention | Deletion |
|---|---|---|
| Account information (email, subscription) | While account is active | Upon account deletion request |
| API keys and settings | While account is active | Upon account deletion request |
| Anonymized prompts | Up to 30 days | Automatically after 30 days |
| Conversation logs | Active session only | When you clear your conversation or session ends |
| Spreadsheet data | Not stored | N/A — processed in-memory only |
To request immediate deletion of your account and all associated data, email david@sheetxai.com. We will complete deletion within 24 hours.
8. SECURITY MEASURES
Technical measures:
- TLS/SSL encryption for all data in transit
- Encryption at rest for API keys and sensitive settings
- Secure authentication via Google OAuth
- Access controls and regular security monitoring
- Infrastructure provided by SOC2 Type II certified providers
Organizational measures:
- Access to Personal Data limited to authorized personnel only
- Confidentiality obligations for all personnel with data access
- Incident response procedures including 72-hour breach notification
- Regular security reviews
9. AUDITS & COMPLIANCE
Upon reasonable request, we will provide:
- This Data Processing Agreement
- Links to our sub-processors' security documentation and certifications
- General information about our security practices
Available documentation:
- Vercel DPA: https://vercel.com/legal/dpa
- Stripe Privacy Policy: https://stripe.com/privacy
- Google Privacy Policy: https://policies.google.com/privacy
Contact david@sheetxai.com for compliance inquiries.
10. LIABILITY & INDEMNIFICATION
Each party's liability under this DPA is subject to the limitations of liability set forth in the SheetXAI Terms of Service.
We will indemnify you against claims arising directly from our breach of this DPA, except where such breach results from your instructions or misuse of the service.
11. TERM & TERMINATION
This DPA remains in effect for as long as we process Personal Data on your behalf.
Upon termination, we will permanently delete all Personal Data associated with your account upon your request. Our confidentiality obligations survive termination.
12. CONTACT INFORMATION
DDS Media Marketing LLC (SheetXAI), 8 The Greene, Suite B, Dover, DE 19901, United States
Email: david@sheetxai.com
SCHEDULE A
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
This Schedule A incorporates the Standard Contractual Clauses (Module 2: Controller to Processor) issued by the European Commission pursuant to Decision 2021/914. The EU SCCs are deemed completed as follows:
Clause 7 (Docking clause): Included
Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies. See Section 4 of this DPA for sub-processor notification requirements. A 5-day advance notice period applies to changes in default sub-processors.
Clause 11 (Redress): The optional independent dispute resolution body language does not apply.
Clause 17 (Governing law): The laws of Ireland apply.
Clause 18 (Choice of forum and jurisdiction): The courts of Ireland have jurisdiction.
ANNEX I
A. LIST OF PARTIES
Data exporter (Controller):
- Name: Client (as identified in the SheetXAI Terms of Service)
- Address: As provided in Client's account registration
- Contact: Account owner email address
- Role: Controller
Data importer (Processor):
- Name: DDS Media Marketing LLC
- Address: 8 The Greene, Suite B, Dover, DE 19901, United States
- Contact: david@sheetxai.com
- Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Users of the SheetXAI service who submit prompts and manage account settings
Categories of personal data transferred:
- Account data: email address, subscription status
- Settings: encrypted API keys and integration preferences
- Anonymized prompt text (not linked to identity)
Sensitive data transferred:
- None by default. SheetXAI does not store spreadsheet content. Any sensitive data present in a user's spreadsheet that is included in a prompt is transmitted directly to the user's chosen AI provider and is not retained by SheetXAI.
Frequency of transfer:
- Continuous, during active use of the service
Nature of the processing:
- Collection, storage, and deletion of account data and anonymized prompts to provide AI-powered spreadsheet automation services
Purpose of the transfer:
- To provide the SheetXAI service as described in the Terms of Service
- To enable account and subscription management
- To securely store user-configured settings and API keys
- To review anonymized prompts for debugging and service improvement
Retention period:
- Account data: Duration of active account
- Anonymized prompts: Up to 30 days
- Conversation logs: Active session only
- Spreadsheet data: Not retained
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs. Where possible and legally permissible, the Irish Data Protection Commission will be the designated supervisory authority. For Clients based in other EU member states, the competent supervisory authority will be that of the Client's jurisdiction.
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
Encryption:
- Data encrypted in transit using TLS/SSL
- API keys and sensitive settings encrypted at rest
- Secure key management through infrastructure providers
Access Controls:
- Authentication required for all platform access
- Role-based access control
- Strict limitation of personnel access to Personal Data
Infrastructure Security:
- SOC2 Type II certified hosting infrastructure (Vercel)
- Regular security monitoring and logging
- Incident response procedures
Organizational Measures:
- Confidentiality obligations for all personnel with data access
- 72-hour breach notification commitment
- Regular security reviews
- Data minimization — spreadsheet content is never stored
ANNEX III — LIST OF SUB-PROCESSORS
See Section 4 of this DPA for the complete and current list of default sub-processors.
Note: AI providers selected by the user (e.g. OpenAI, Google Gemini, Anthropic Claude) are not SheetXAI sub-processors. These are user-directed integrations governed by each provider's own terms and privacy policies.
ACCEPTANCE
By using SheetXAI, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement, including the EU Standard Contractual Clauses incorporated in Schedule A.