Data Processing Agreement

Last updated: April 11, 2026

Plain English summary: Under GDPR, you (the agent) are the data controller for your clients' data. Morphsage processes that data on your behalf as a data processor. This agreement sets out both parties' responsibilities, as required by GDPR Article 28.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: You, the Morphsage subscriber ("Controller")
Data Processor: Christopher Ndi, operating as Morphsage, Belgium ("Processor")

This DPA forms part of the Morphsage Terms of Service and is binding upon acceptance of those terms.

2. Definitions

Personal Data — any information relating to an identified or identifiable natural person (e.g. your clients' names, email addresses, phone numbers)
Processing — any operation performed on personal data (reading, categorising, drafting replies, storing, deleting)
GDPR — the EU General Data Protection Regulation (2016/679)
Sub-processor — a third party engaged by the Processor to process personal data

3. Subject Matter and Nature of Processing

The Processor will process personal data on behalf of the Controller solely to provide the Morphsage service, which includes:

Reading and categorising incoming emails in the Controller's Gmail inbox
Generating AI-drafted reply suggestions using the email content
Booking calendar appointments from email requests
Sending daily digest summaries to the Controller

4. Types of Personal Data Processed

Data Type	Source	Purpose
Client name, email address	Incoming emails	Categorisation and draft reply generation
Email subject and body content	Incoming emails	AI categorisation and draft generation — not stored in full
Client phone number, property address	Email body (if present)	Calendar booking and reply personalisation

The Controller is responsible for ensuring they have a valid legal basis to process their clients' personal data and to share it with the Processor for the purposes above.

5. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller (i.e. to provide the Morphsage service)
Ensure all staff with access to personal data are bound by confidentiality obligations
Implement appropriate technical and organisational security measures (encryption, access controls, audit logging)
Not engage any sub-processor without the Controller's prior authorisation (general authorisation granted via acceptance of these Terms — see Section 7)
Assist the Controller in responding to data subject rights requests (access, erasure, portability) where technically feasible
Delete or return all personal data upon termination of the service, at the Controller's choice
Provide the Controller with all information necessary to demonstrate compliance with GDPR Article 28
Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach

6. Controller Obligations

The Controller shall:

Ensure they have a valid legal basis under GDPR to process and share their clients' personal data with Morphsage
Provide accurate and complete instructions for processing
Inform Morphsage promptly of any changes that affect the lawfulness of processing
Ensure their use of Morphsage complies with applicable data protection laws

7. Sub-processors

By accepting these Terms, the Controller grants general authorisation for the Processor to engage the following sub-processors:

Sub-processor	Purpose	Location
Supabase	Database and authentication	EU (AWS eu-west-1)
Railway	Application hosting	US (SCCs in place)
Anthropic	AI email processing via Claude API (zero data retention)	US (SCCs in place)
Google	Gmail API and Google Calendar API	EU / US
Resend	Digest email delivery	US (SCCs in place)

The Processor will notify the Controller of any intended changes to sub-processors by updating this DPA and emailing subscribers at least 14 days in advance. The Controller may object to a new sub-processor within 14 days; if no resolution is reached, either party may terminate the agreement.

8. International Transfers

Some sub-processors (Railway, Anthropic, Resend) are located outside the European Economic Area (EEA). All such transfers are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection.

9. Security Measures

The Processor implements the following technical and organisational measures:

OAuth tokens encrypted at rest using AES-256-GCM
All data transmitted over TLS (HTTPS)
Row-level security in the database — each Controller's data is strictly isolated
Access to production systems restricted to authorised personnel only
Audit logging of sensitive operations
Email body content passed to AI API and not stored in full

10. Data Retention and Deletion

Email metadata and draft history: retained for 12 months, then automatically deleted
Account and profile data: deleted within 30 days of account cancellation
Upon Controller request, all personal data can be deleted immediately via the account deletion feature or by emailing privacy@morphsage.ai

11. Data Subject Rights

If the Controller receives a data subject request (e.g. a client requesting access to or deletion of their data), the Controller is responsible for responding. The Processor will assist where technically feasible — for example, by providing a data export or confirming deletion — upon written request to privacy@morphsage.ai.

12. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller within 72 hours of becoming aware, including:

The nature of the breach and data affected
Likely consequences
Measures taken or proposed to address the breach

The Controller is responsible for notifying the relevant supervisory authority (GBA/APD in Belgium) and affected data subjects where required by GDPR.

13. Audits

The Controller may request an audit of the Processor's data processing activities no more than once per year, with 30 days' written notice. The Processor may satisfy audit requests by providing relevant documentation rather than granting direct system access.

14. Governing Law

This DPA is governed by the laws of Belgium and subject to the jurisdiction of Belgian courts.

15. Acceptance

This DPA is incorporated into and forms part of the Morphsage Terms of Service. By creating a Morphsage account and accepting the Terms of Service, the Controller accepts this DPA.

For questions or to request a signed copy of this DPA, contact privacy@morphsage.ai.