This Data Processing Agreement ("DPA") forms part of the Terms of Service between Jetwork, Inc. ("Processor," "Jetwork," "we," "us") and the customer who has executed the Terms of Service ("Controller," "Customer," "you"). This DPA applies to the extent that Jetwork processes Personal Data on behalf of the Customer in connection with providing the Jetwork platform and related services.
For questions about this DPA, contact legal@jetwork.ai.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service or applicable data protection legislation.
- "Controller" means the Customer who determines the purposes and means of processing Personal Data by using the Jetwork platform.
- "Processor" means Jetwork, Inc., which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Jetwork on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Jetwork to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any amendments or successors thereto.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose of Processing
Jetwork processes Personal Data solely for the purpose of providing the Jetwork platform and related services as described in the Terms of Service. The scope of processing includes:
- Ingesting contact data from Customer-authorized data sources (email, messaging, social media, and calendar platforms).
- Performing entity resolution and deduplication to create unified contact profiles.
- Computing relationship scores and interaction analytics.
- Processing natural language queries via AI models to provide relationship intelligence.
- Storing and managing contact records, notes, tags, and interaction history.
- Sending transactional emails related to the Customer's use of the Service.
Jetwork will not process Personal Data for any purpose other than as set out in this DPA or as otherwise instructed by the Controller.
3. Types of Personal Data Processed
The following categories of Personal Data may be processed in connection with the Service:
- Contact information: Names, email addresses, phone numbers, mailing addresses, and social media profile URLs.
- Professional information: Job titles, company names, departments, and professional biography details.
- Interaction history: Email metadata (sender, recipient, subject lines, timestamps), meeting records (attendees, dates, durations), messaging data (participants, timestamps), and calendar events.
- Relationship data: Connection dates, interaction frequency, relationship scores, tags, notes, and brain entries added by the Customer.
- Account data: Customer's name, email, authentication credentials (hashed), subscription details, and usage logs.
4. Data Subject Categories
The following categories of Data Subjects may have their Personal Data processed:
- Customers (Users): Individuals who create a Jetwork account and use the platform.
- Customer's Contacts: Individuals whose contact information, interaction history, or relationship data is imported into or generated by the Jetwork platform through the Customer's connected data sources.
5. Duration of Processing
Jetwork will process Personal Data for the duration of the Customer's use of the Service. Upon termination or expiration of the Customer's account:
- Personal Data will be retained for a maximum of 30 days to allow the Customer to export their data.
- After the 30-day period, all Personal Data will be permanently deleted from active systems and backups, unless retention is required by applicable law.
- The Customer may request immediate deletion at any time by contacting legal@jetwork.ai or through the account settings.
6. Processor Obligations
Jetwork, as Processor, shall:
6.1 Security Measures
- Encrypt all Personal Data at rest using AES-256 encryption.
- Encrypt all Personal Data in transit using TLS 1.3.
- Implement and maintain PostgreSQL Row Level Security (RLS) to ensure strict data isolation between Customers.
- Store authentication credentials using bcrypt hashing; never store plaintext passwords.
- Store third-party OAuth tokens in a dedicated, encrypted vault (Nango) separate from the primary database.
- Maintain access controls limiting employee access to Personal Data to only those with a legitimate need.
- Conduct periodic security assessments and vulnerability testing.
6.2 Confidentiality
Jetwork shall ensure that persons authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
6.3 Breach Notification
- Jetwork will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach.
- The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Jetwork will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
6.4 Assistance
Jetwork will assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests for access, rectification, erasure, data portability, restriction, or objection.
7. Sub-processors
The Controller grants Jetwork general written authorization to engage the following Sub-processors. Jetwork will notify the Controller of any intended changes to this list at least 30 days before engaging a new Sub-processor, giving the Controller the opportunity to object.
| Sub-processor |
Purpose |
Location |
| Supabase |
Database hosting, authentication, and storage |
United States |
| Vercel |
Application hosting and edge delivery |
United States |
| Nango |
OAuth token management and integration sync |
United States |
| OpenAI |
AI model inference for natural language queries and entity resolution |
United States |
| Anthropic |
AI model inference for natural language queries and relationship intelligence |
United States |
| Resend |
Transactional email delivery |
United States |
Each Sub-processor is contractually bound to data protection obligations no less protective than those in this DPA. Jetwork remains fully liable for the acts and omissions of its Sub-processors.
8. Data Subject Rights
Jetwork will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including:
- Right of access: Data Subjects may request a copy of their Personal Data. The Controller can fulfill this through the platform's export functionality.
- Right to rectification: Data Subjects may request correction of inaccurate data. The Controller can update contact records directly in the platform.
- Right to erasure: Data Subjects may request deletion of their Personal Data. The Controller can delete individual contacts or their entire account.
- Right to data portability: Personal Data can be exported in standard machine-readable formats (CSV, JSON) at any time.
- Right to restriction: Data Subjects may request restriction of processing. The Controller can disconnect data sources or freeze specific contact records.
- Right to object: Data Subjects may object to processing. Jetwork will comply by ceasing processing of the relevant Personal Data.
If Jetwork receives a request directly from a Data Subject, it will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless legally required to do so.
9. Data Transfers
Jetwork's primary infrastructure is located in the United States. Personal Data may be transferred to and processed in the United States.
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries outside the EEA that have not been recognized as providing an adequate level of data protection, Jetwork ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- Additional technical and organizational measures to supplement the SCCs where required.
- Compliance with the EU-U.S. Data Privacy Framework, where applicable.
The Controller acknowledges that by using the Service with US-based Sub-processors, Personal Data will be processed in the United States.
10. Termination and Data Return/Deletion
Upon termination or expiration of the Service agreement:
- Data return: The Controller may export all Personal Data through the platform's export features (CSV, JSON) or request a data export from Jetwork within 30 days of termination.
- Data deletion: After the 30-day post-termination period (or upon the Controller's earlier request), Jetwork will permanently delete all Personal Data from active systems and, within 90 days, from backup systems.
- Certification: Upon the Controller's written request, Jetwork will provide written certification that all Personal Data has been deleted in accordance with this DPA.
- Exceptions: Jetwork may retain Personal Data to the extent required by applicable law. Any retained data will continue to be protected under the terms of this DPA.
11. Audit Rights
The Controller has the right to audit Jetwork's compliance with this DPA. Jetwork will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and will allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller.
Audit requests must be submitted with at least 30 days' written notice and will be conducted during normal business hours in a manner that does not unreasonably disrupt Jetwork's operations.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws that govern the Terms of Service, except where Data Protection Laws require application of the law of another jurisdiction.
13. Contact
For questions, concerns, or requests related to this Data Processing Agreement, contact:
Jetwork, Inc.
Email: legal@jetwork.ai
Security: security@jetwork.ai