Tier One Content Logo
Tier One Content
Sign InGet Started

Data Processing Agreement (DPA)

Last updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

Customer (the "Controller")
and
Jakatech LLC, a Texas limited liability company d/b/a Tier One Content ("Jakatech" or "Processor").

This DPA applies where Customer processes Personal Data subject to the General Data Protection Regulation ("GDPR") and Jakatech processes such Personal Data on Customer's behalf.

1. Definitions

  • "Personal Data" has the meaning given in GDPR Article 4(1).

  • "Processing" has the meaning given in GDPR Article 4(2).

  • "Subprocessor" means any third party engaged by Processor to process Personal Data.

  • "Standard Contractual Clauses" or "SCCs" means the European Commission Implementing Decision (EU) 2021/914.

All other capitalized terms have the meaning given in the Terms of Service.

2. Scope and Role of the Parties

2.1 Customer acts as Data Controller for Personal Data contained within uploaded content and related metadata.

2.2 Jakatech acts as Data Processor, processing Personal Data solely on documented instructions from Customer, including as set forth in the Terms of Service.

2.3 For account registration, billing, and platform administration data, Jakatech acts as an independent Data Controller (outside the scope of this DPA).

3. Processor Obligations

Jakatech shall:

  • Process Personal Data only on documented instructions from Customer.

  • Ensure personnel are subject to confidentiality obligations.

  • Implement appropriate technical and organizational measures ("TOMs") as described in Annex II.

  • Assist Customer in responding to Data Subject Requests.

  • Assist Customer with data protection impact assessments where required.

  • Notify Customer without undue delay after becoming aware of a Personal Data Breach.

  • Delete or return Personal Data upon termination, subject to applicable law.

  • Make available information necessary to demonstrate compliance.

4. Subprocessors

4.1 Customer authorizes Jakatech to engage Subprocessors listed in Annex III.

4.2 Jakatech shall:

  • Impose data protection obligations on Subprocessors equivalent to this DPA.

  • Remain liable for Subprocessor performance.

  • Notify Customer of material Subprocessor changes (via website update or email).

5. International Transfers

5.1 Where Personal Data is transferred outside the European Economic Area (EEA), such transfer shall be governed by:

  • The EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference; and/or

  • The EU–US Data Privacy Framework (where applicable).

5.2 For the purposes of the SCCs:

  • Customer is the "Data Exporter."

  • Jakatech is the "Data Importer."

  • Annex I, II, and III of this DPA serve as the Annexes to the SCCs.

5.3 The optional docking clause (Clause 7) applies.

5.4 The governing law for the SCCs shall be the law of Ireland (or another EU Member State where required).

6. Security and Breach Notification

6.1 Jakatech shall implement the Technical and Organizational Measures described in Annex II.

6.2 In the event of a confirmed Personal Data Breach, Jakatech shall:

  • Notify Customer without undue delay;

  • Provide available details regarding nature, scope, and mitigation steps;

  • Cooperate reasonably with Customer.

7. Data Subject Rights

Jakatech shall, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures to fulfill obligations relating to:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Data portability

  • Objection

8. Deletion and Return of Data

Upon termination of the Service:

  • Customer may request deletion or return of Personal Data within 30 days.

  • After that period, Jakatech may delete Customer Data in accordance with retention policies.

  • Backup systems may retain encrypted data for limited additional periods.

9. Liability

Liability shall be governed by the Terms of Service, except where otherwise required by GDPR or the SCCs.

ANNEX I – DETAILS OF PROCESSING

A. Subject Matter

Provision of hosted content-sharing and collaboration platform.

B. Duration

For the duration of the Terms of Service plus applicable retention periods.

C. Nature and Purpose

  • Hosting

  • Storage

  • Indexing

  • Tagging

  • Search optimization

  • Secure transmission

  • Access control

D. Categories of Data Subjects

  • Customer employees

  • Authorized users

  • Business partners

  • End customers (if uploaded by Customer)

E. Categories of Personal Data

  • Name

  • Email address

  • Organization details

  • Uploaded content containing personal data

  • Usage metadata

  • IP address

Sensitive personal data is not intentionally processed and should not be uploaded without lawful authorization.

ANNEX II – TECHNICAL & ORGANIZATIONAL MEASURES (TOMs)

Jakatech may implement measures including:

1. Encryption

  • TLS encryption in transit

  • Encryption at rest (cloud storage and databases)

2. Access Controls

  • Role-based access control (RBAC)

  • Least privilege principles

  • Multi-factor authentication for administrative access

3. Network Security

  • Firewalls

  • Network segmentation

  • Cloud provider security controls

4. Logging & Monitoring

  • Audit logging

  • Access logs

  • Error monitoring

5. Vulnerability Management

  • Regular dependency updates

  • Patch management

  • Cloud infrastructure updates

6. Data Minimization

  • Limited metadata collection

  • Retention controls

  • Scoped log retention

7. Business Continuity

  • Cloud-based redundancy

  • Automated backups

  • Disaster recovery procedures

ANNEX III – AUTHORIZED SUBPROCESSORS

Effective Date: March 19, 2026

Jakatech LLC d/b/a Tier One Content uses the following subprocessors in connection with the provision of the Service.

1. Google LLC

  • Service: Google Cloud Platform (Cloud Run, Secret Manager)

  • Purpose: Infrastructure hosting, compute execution, secrets management

  • Categories of Data: Account data, metadata, service logs, application processing data

  • Location: United States and optional EU regions

  • Transfer Mechanism: Standard Contractual Clauses (SCCs) and EU–US Data Privacy Framework

  • Role: Subprocessor

2. MongoDB, Inc.

  • Service: MongoDB Atlas

  • Purpose: Managed database services

  • Categories of Data: Account data, content metadata, application data

  • Location: United States

  • Transfer Mechanism: Standard Contractual Clauses (SCCs)

  • Role: Subprocessor

3. Cloudflare, Inc.

  • Services: R2 Object Storage, Cloudflare Pages, Content Delivery Network (CDN), DDoS Protection

  • Purpose: Content storage, static asset hosting, traffic routing, edge caching, security

  • Categories of Data: Uploaded content, IP addresses, request metadata

  • Location: United States and global edge network

  • Transfer Mechanism: Standard Contractual Clauses (SCCs) and EU–US Data Privacy Framework

  • Role: Subprocessor

4. Mailgun Technologies, Inc.

  • Service: Transactional Email Delivery

  • Purpose: Outbound email communications

  • Categories of Data: Email address, message content, metadata, IP address

  • Location: United States

  • Transfer Mechanism: Standard Contractual Clauses (SCCs)

  • Role: Subprocessor

5. Microsoft Corporation

  • Service: Microsoft 365 / Exchange Online

  • Purpose: Inbound email hosting (support communications)

  • Categories of Data: Support emails, attachments, metadata

  • Location: United States

  • Transfer Mechanism: SCCs and EU–US Data Privacy Framework

  • Role: Subprocessor

6. Stripe, Inc.

  • Service: Payment Processing

  • Purpose: Subscription billing and transaction processing

  • Categories of Data: Billing name, billing address, email, payment method details, transaction metadata

  • Location: United States

  • Transfer Mechanism: EU–US Data Privacy Framework

  • Role: Independent Controller

7. Google LLC

  • Service: Google Authentication (OAuth)

  • Purpose: User authentication

  • Categories of Data: Email address, name, profile identifier

  • Location: United States

  • Transfer Mechanism: EU–US Data Privacy Framework

  • Role: Independent Controller

8. Microsoft Corporation

  • Service: Microsoft Authentication (OAuth)

  • Purpose: User authentication

  • Categories of Data: Email address, name, profile identifier

  • Location: United States

  • Transfer Mechanism: EU–US Data Privacy Framework

  • Role: Independent Controller

9. Google LLC

  • Service: Google Analytics

  • Purpose: Website and application usage analytics (activated only with user consent)

  • Categories of Data: IP address (anonymized where applicable), usage data, device metadata

  • Location: United States

  • Transfer Mechanism: EU–US Data Privacy Framework and SCCs

  • Role: Subprocessor (analytics provider)

10. Twilio Inc.

  • Service: SMS Delivery (if enabled)

  • Purpose: Transactional SMS notifications

  • Categories of Data: Phone number, message content, delivery metadata

  • Location: United States

  • Transfer Mechanism: SCCs and EU–US Data Privacy Framework

  • Role: Subprocessor

Execution

This DPA is incorporated into and governed by the Terms of Service.

Acceptance of the Terms constitutes acceptance of this DPA.

Enterprise customers may request a countersigned version upon request.

This Data Processing Agreement was last updated on March 19, 2026.