1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cultivation ("Processor", "we", "us") and the organization or individual using Vision™ ("Controller", "you", "your"). This DPA sets out the terms under which we process personal data on your behalf.

This DPA applies to all personal data processed by Cultivation in the course of providing Vision™ services, including organizational analysis, digital transformation assessments, and related analytics.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party engaged by Cultivation to process personal data on behalf of the Controller.
"Data Subject" means the individual to whom personal data relates.
"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data, including GDPR (EU), UK GDPR, CCPA (California), and other relevant legislation.

3. Scope and Purpose of Processing

Cultivation processes personal data solely for the purpose of providing Vision™ services as described in the Terms of Service. The categories of personal data processed may include:

Employee names, email addresses, and job titles (for organizational mapping)
Team structure and department information
Usage data and interaction patterns within the platform
Integration data from connected third-party tools (as authorized by the Controller)
Communication metadata (for collaboration analysis, not content)

4. Controller Obligations

The Controller shall:

Ensure that it has a lawful basis for processing personal data and for instructing Cultivation to process personal data on its behalf.
Provide clear and documented instructions regarding the processing of personal data.
Ensure that data subjects have been informed of the processing and their rights under applicable data protection laws.
Notify Cultivation promptly of any changes to processing instructions or any data subject requests.

5. Processor Obligations

Cultivation shall:

Process personal data only on documented instructions from the Controller, unless required by law.
Ensure that persons authorized to process personal data are subject to confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Assist the Controller in fulfilling its obligations to respond to data subject requests.
Delete or return all personal data upon termination of the service agreement, at the Controller's choice.
Make available all information necessary to demonstrate compliance and allow for audits.

6. Security Measures

Cultivation implements and maintains the following security measures:

Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access Controls: Role-based access controls with multi-factor authentication for all internal systems.
Monitoring: Continuous security monitoring, intrusion detection, and automated alerting.
Infrastructure: Hosted on SOC 2 Type II certified cloud infrastructure with geographic redundancy.
Testing: Regular penetration testing and vulnerability assessments.
Incident Response: Documented incident response procedures with defined escalation paths.

7. Sub-processors

Cultivation may engage sub-processors to assist in providing Vision™ services. We maintain an up-to-date list of sub-processors and will notify the Controller of any intended changes, providing an opportunity to object.

Current sub-processors include:

Vercel Inc. — Application hosting and edge computing (United States)
Supabase Inc. — Database hosting and authentication (United States, EU regions available)
OpenAI / Anthropic — AI analysis processing (data not used for training)
Resend — Transactional email delivery
Stripe Inc. — Payment processing

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, Cultivation ensures that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions where applicable.
Additional supplementary measures as required by applicable law.

9. Data Subject Rights

Cultivation will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection, to the extent required by applicable data protection laws.

10. Data Breach Notification

In the event of a personal data breach, Cultivation will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. The notification will include:

A description of the nature of the breach, including categories and approximate number of data subjects affected.
The likely consequences of the breach.
Measures taken or proposed to address the breach and mitigate its effects.

11. Data Retention and Deletion

Cultivation retains personal data only for as long as necessary to provide the services. Upon termination of the service agreement or upon the Controller's request, Cultivation will delete or return all personal data within 30 days, unless retention is required by applicable law.

12. Audit Rights

The Controller has the right to audit Cultivation's compliance with this DPA. Audits may be conducted no more than once per year, with reasonable advance notice, during normal business hours, and subject to appropriate confidentiality obligations.

13. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. The obligations under this DPA shall survive termination to the extent necessary to complete the deletion or return of personal data.

14. Contact

For questions about this DPA or to exercise data protection rights, contact us at:

Cultivation
Email: info@heycultivation.com
Website: heycultivation.com

1. Introduction

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party engaged by Cultivation to process personal data on behalf of the Controller.
"Data Subject" means the individual to whom personal data relates.
"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data, including GDPR (EU), UK GDPR, CCPA (California), and other relevant legislation.

3. Scope and Purpose of Processing

Cultivation processes personal data solely for the purpose of providing Vision™ services as described in the Terms of Service. The categories of personal data processed may include:

Employee names, email addresses, and job titles (for organizational mapping)
Team structure and department information
Usage data and interaction patterns within the platform
Integration data from connected third-party tools (as authorized by the Controller)
Communication metadata (for collaboration analysis, not content)

4. Controller Obligations

The Controller shall:

Ensure that it has a lawful basis for processing personal data and for instructing Cultivation to process personal data on its behalf.
Provide clear and documented instructions regarding the processing of personal data.
Ensure that data subjects have been informed of the processing and their rights under applicable data protection laws.
Notify Cultivation promptly of any changes to processing instructions or any data subject requests.

5. Processor Obligations

Cultivation shall:

Process personal data only on documented instructions from the Controller, unless required by law.
Ensure that persons authorized to process personal data are subject to confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Assist the Controller in fulfilling its obligations to respond to data subject requests.
Delete or return all personal data upon termination of the service agreement, at the Controller's choice.
Make available all information necessary to demonstrate compliance and allow for audits.

6. Security Measures

Cultivation implements and maintains the following security measures:

Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access Controls: Role-based access controls with multi-factor authentication for all internal systems.
Monitoring: Continuous security monitoring, intrusion detection, and automated alerting.
Infrastructure: Hosted on SOC 2 Type II certified cloud infrastructure with geographic redundancy.
Testing: Regular penetration testing and vulnerability assessments.
Incident Response: Documented incident response procedures with defined escalation paths.

7. Sub-processors

Current sub-processors include:

Vercel Inc. — Application hosting and edge computing (United States)
Supabase Inc. — Database hosting and authentication (United States, EU regions available)
OpenAI / Anthropic — AI analysis processing (data not used for training)
Resend — Transactional email delivery
Stripe Inc. — Payment processing

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, Cultivation ensures that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions where applicable.
Additional supplementary measures as required by applicable law.

9. Data Subject Rights

10. Data Breach Notification

A description of the nature of the breach, including categories and approximate number of data subjects affected.
The likely consequences of the breach.
Measures taken or proposed to address the breach and mitigate its effects.

11. Data Retention and Deletion

12. Audit Rights

13. Term and Termination

14. Contact

For questions about this DPA or to exercise data protection rights, contact us at:

Cultivation
Email: info@heycultivation.com
Website: heycultivation.com

Data Processing Agreement

1. Introduction

2. Definitions

3. Scope and Purpose of Processing

4. Controller Obligations

5. Processor Obligations

6. Security Measures

7. Sub-processors

8. International Data Transfers

9. Data Subject Rights

10. Data Breach Notification

11. Data Retention and Deletion

12. Audit Rights

13. Term and Termination

14. Contact

Stay Ahead of the Curve

Data Processing Agreement

1. Introduction

2. Definitions

3. Scope and Purpose of Processing

4. Controller Obligations

5. Processor Obligations

6. Security Measures

7. Sub-processors

8. International Data Transfers

9. Data Subject Rights

10. Data Breach Notification

11. Data Retention and Deletion

12. Audit Rights

13. Term and Termination

14. Contact

Stay Ahead of the Curve