Data Processing Agreement
How to get a GDPR-compliant DPA for your organization.
Last updated · May 13, 2026
What is a DPA?
A Data Processing Agreement (DPA) is the contract that governs how CauceOS LLC processes personal data on behalf of your organization, in accordance with Article 28 of the GDPR and equivalent regulations (LGPD, CCPA, etc.).
If your organization has users in the European Union, the United Kingdom, Brazil, or any jurisdiction that requires it, a DPA is a mandatory document.
Do I need a DPA?
| Situation | DPA required? |
|---|---|
| Business with users/clients in the EU or UK | Yes — mandatory under GDPR Art. 28 |
| Business with users in Brazil | Yes — recommended under LGPD |
| Business with employees in California | Yes — recommended under CCPA/CPRA |
| Clinic or independent professional practice (any jurisdiction) | Recommended for greater protection |
| Individual use (Pro plan, no formal organization) | Not mandatory; the Privacy Policy applies |
CauceOS standard DPA
Our standard DPA covers:
- Subject and nature of processing: session transcription, alert generation, and reports.
- Purpose and duration: active service + retention period defined in the Privacy Policy.
- Data types: professional account data, session transcripts, reports.
- Categories of data subjects: professional users (psychologists, therapists, HR professionals) and anonymous session participant data.
- Rights and obligations of the controller: as per GDPR Art. 28.3.
- Sub-processors: complete list at /sub-processors, with change notifications.
- Technical and organizational security measures: TLS 1.3, AES-256, MFA, least-privilege principle, audit logging.
- Standard Contractual Clauses (SCCs): included for transfers outside the EEA.
- Breach notification: within 72 hours of detection.
- Audit rights: controller's right to audit or request certifications.
How to obtain the DPA
Option 1 — Business plan (included)
If you have the Business Plan, CauceOS's standard DPA is available directly from your dashboard:
/app/settings/organization → Legal documents → Download signed DPA
The DPA is generated with your organization's data and is pre-signed by CauceOS LLC.
Option 2 — Any plan (email request)
If you need a DPA for the Pro Plan or want a customized DPA with additional clauses:
- Send an email to legal@cauceos.com with the subject: "DPA Request — [your organization name]"
- Include: legal name of your organization, country of incorporation, primary user jurisdiction, and any specific requirements.
- We respond within 5 business days with the DPA ready to sign.
Specific addenda available
For organizations with additional requirements, we offer specific addenda:
| Addendum | For whom |
|---|---|
| GDPR Addendum | Organizations with users in the EU/EEA/UK |
| LGPD Addendum | Organizations with users in Brazil |
| CCPA Addendum | Organizations with users in California |
| Healthcare Privacy Addendum | Clinics and healthcare organizations (non-HIPAA) |
Request any addendum at legal@cauceos.com.
Validity and updates
The DPA is linked to your active subscription. When we update the DPA (for example, to reflect changes in the sub-processor list or regulation), we notify you with at least 30 days' notice, and the new DPA takes effect at the start of your next billing cycle, unless you agree earlier.
Legal contact
legal@cauceos.com — DPA requests, addenda, and legal inquiries.
dpo@cauceos.com — Data Protection Officer — GDPR and LGPD inquiries.