Data Processing Agreement
Effective: upon your acceptance of the Terms of Service · Last updated: July 4, 2026
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service (the “Agreement”) between Delta 3 Core Tech LLC (“Delta3CoreTec”, “we”, “us”) and the customer organization identified in the Agreement (“Customer”) for the CritPath AI platform and related services (the “Service”). It applies to the extent Delta3CoreTec processes Personal Data on Customer’s behalf that is subject to Data Protection Law. It is entered into automatically upon Customer’s acceptance of the Agreement (which expressly incorporates this DPA); no signature is required. Enterprise customers may execute a countersigned copy on request.
1. Definitions
- “Data Protection Law” means all laws applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
- “Personal Data” means any information relating to an identified or identifiable natural person that Delta3CoreTec processes on Customer’s behalf in connection with the Service.
- “Customer Data” has the meaning given in the Agreement; Personal Data processed under this DPA is the subset of Customer Data that is personal data.
- “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in the GDPR (and their CCPA equivalents — e.g., “business” and “service provider” — where the CCPA applies).
- “SCCs” means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914, as amended or replaced.
- “Sub-processor” means a third party engaged by Delta3CoreTec to process Personal Data on Customer’s behalf.
2. Roles and scope
- Roles. For Personal Data contained in Customer’s tenant content (projects, schedules, tasks, risks, resource contact details, and other content Customer’s users enter), Customer is the Controller and Delta3CoreTec is the Processor. If Customer acts as a processor for a third-party controller, Delta3CoreTec is a sub-processor and this DPA applies mutatis mutandis; Customer warrants that its controller has authorized the processing described here.
- Delta3CoreTec as independent controller. We act as an independent controller — and this DPA does not apply — for personal data we process for our own purposes as described in the Privacy Policy: user account registration and authentication data, billing and subscription records, usage and security telemetry, and marketing/waitlist data. For the avoidance of doubt, Customer tenant content (including AI prompts and schedule context) is processed exclusively under this DPA; to the extent any such content appears in application logs, error diagnostics, or telemetry, Delta3CoreTec processes it as Processor under this DPA and does not use it for its own purposes.
- Details of processing. The subject matter, duration, nature and purpose of processing, categories of Data Subjects, types of Personal Data, and the obligations and rights of the Controller are set out in Annex I, this DPA, and the Agreement. Customer has the rights and obligations of a Controller under Data Protection Law in respect of the Personal Data.
- CCPA. Where the CCPA applies, Delta3CoreTec acts as Customer’s “service provider”: we process Personal Data only for the specific business purposes set out in Annex I.B (providing, securing, and supporting the CritPath AI Service), and we do not sell or share Personal Data, retain, use, or disclose it outside the direct business relationship, or combine it with data from other sources except as permitted for service providers. We will comply with our applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses. We will notify Customer if we determine we can no longer meet these obligations, and Customer may take reasonable and appropriate steps (per Section 12) to ensure our use of Personal Data is consistent with Customer’s obligations and, upon notice, to stop and remediate any unauthorized use of Personal Data.
3. Customer instructions
- We will process Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do so by Union or Member State law to which we are subject or, for Personal Data not subject to the GDPR, other applicable law (in which case we will inform Customer of that legal requirement before processing, unless the law prohibits it). Third-country government access requests are handled per the commitments corresponding to Clauses 14 and 15 of the SCCs: where legally permitted we will notify Customer of a legally binding request for access to Personal Data and will review the legality of, and challenge where appropriate, any request we consider overbroad.
- Customer’s instructions are: (a) this DPA; (b) the processing necessary to provide, secure, and support the Service as configured and used by Customer’s users — including the AI features, whose use instructs the transmission of prompts and relevant schedule context to the LLM Sub-processors listed in Annex III, and the notification features, whose configuration instructs transmission of the entered contact details to the notification Sub-processors; and (c) any further written instructions agreed between the parties. For clarity, the license in Section 9 of the Agreement does not expand these instructions: processing to “improve the Service” is permitted with respect to Personal Data only as described in Section 3.5.
- We will immediately inform Customer if, in our opinion, an instruction infringes Data Protection Law (we are not obliged to perform legal review of Customer’s instructions).
- Customer responsibilities. Customer is responsible for the accuracy and lawfulness of the Personal Data it submits, for having a lawful basis (and giving any required notices) for the processing it instructs — including for third-party contact details its users enter for notification features — and for not submitting special-category data or data restricted by Section 7 of the Agreement (e.g., PHI) outside an Enterprise agreement covering it.
- Aggregated / de-identified data. As a documented instruction, Delta3CoreTec may create and use aggregated or de-identified data derived from Customer Data only where the result is de-identified such that it is no longer Personal Data (to the standard of GDPR anonymization and CCPA § 1798.140(m)), and we commit not to attempt to re-identify it and to require the same of any recipient.
- No AI training. Delta3CoreTec will not use Customer Personal Data to train or fine-tune machine-learning models, and will route Customer Personal Data to LLM Sub-processors only under API terms that do not permit the provider to use it to train their models.
4. Confidentiality
We ensure that persons authorized to process Personal Data are bound by contractual or statutory obligations of confidentiality.
5. Security
- Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects, we implement and maintain the technical and organizational measures set out in Annex II (the “TOMs”), consistent with Article 32 GDPR.
- We may update the TOMs from time to time, provided the updates do not materially reduce the overall level of protection during a subscription term.
- Customer is responsible for its own secure use of the Service, including safeguarding its users’ credentials, enabling available security features (e.g., two-factor authentication), and configuring roles and membership appropriately.
6. Sub-processors
- General authorization. Customer provides general written authorization for Delta3CoreTec to engage the Sub-processors listed in Annex III and to replace or add Sub-processors as the Service evolves, subject to this Section 6. Annex III corresponds to the sub-processor list published in Section 7 of the Privacy Policy; the Privacy Policy page reflects the most current list, updated per this Section 6.
- Advance notice of changes. We will notify Customer (by email to the organization owner’s registered address, and/or by prominent in-product notice) and update the published sub-processor list at least 30 days before any new or replacement Sub-processor processes Personal Data (at least 15 days where an urgent replacement is needed for security or continuity reasons, with the reason stated in the notice). This notice period is the time period agreed for the purposes of Clause 9(a) of the SCCs.
- Right to object. Customer may object to a new Sub-processor on reasonable, documented data-protection grounds within the notice period in Section 6.2. The new Sub-processor will not process Customer’s Personal Data before that period expires (except where Customer approves earlier). If an objection cannot be resolved in good faith (e.g., by Customer not using the affected feature), Customer may terminate the affected subscription and — notwithstanding Section 6 of the Terms of Service (non-refundability) — receive a pro-rata refund of prepaid fees for the unused remainder of the term. Continued use of the Service after the notice period constitutes acceptance.
- Flow-down. We impose on Sub-processors, by entering into each Sub-processor’s data processing terms, data-protection obligations that provide at least the same level of protection for Personal Data as those in this DPA (in particular, sufficient guarantees to implement appropriate technical and organizational measures), and we remain liable to Customer for their performance as required by Article 28(4) GDPR.
7. International transfers
- Delta3CoreTec and the Sub-processors in Annex III are located in the United States (and any other locations identified in the relevant Sub-processor’s data processing terms), and Customer instructs processing there.
- Where Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to a country without an adequacy decision, the parties rely on appropriate safeguards: the SCCs (Module Two: controller-to-processor, or Module Three where Customer is a processor), which are incorporated into this DPA by reference and completed as follows: Annexes I–III of this DPA serve as the SCC Annexes; Clause 7 (docking) is included; for Clause 9(a), Option 2 (general written authorization) applies with the advance-notice period specified in Section 6.2; for Clause 17, Option 1 applies and the SCCs are governed by the law of the Netherlands; for Clause 18, disputes are resolved before the courts of Amsterdam, the Netherlands. If and to the extent the SCCs are held inapplicable to a transfer, the parties will cooperate in good faith to implement a valid alternative transfer mechanism without undue delay.
- For transfers subject to the UK GDPR, the UK Information Commissioner’s International Data Transfer Addendum to the SCCs applies, completed as follows: Table 1 with the party details in Annex I.A; Table 2 with the SCC module and elections in Section 7.2; Table 3 with Annexes I–III of this DPA; and for Table 4, neither party may end the Addendum as set out in its Section 19. For transfers subject to the Swiss FADP, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”): references to the GDPR are read as references to the FADP; the FDPIC is the competent authority insofar as the transfer is governed by the FADP (in parallel with the relevant EEA authority where the GDPR also applies); and Data Subjects in Switzerland may bring proceedings before the courts of their place of habitual residence.
- Where a Sub-processor is certified under a framework recognized by an adequacy decision (e.g., the EU-U.S. Data Privacy Framework, its UK Extension, or the Swiss-U.S. DPF), that certification serves as an additional safeguard only; it does not replace the flow-down obligations in Section 6.4.
8. Assistance with Data Subject rights
- Self-service tools. The Service provides in-app tools that help Customer respond to Data Subject requests directly: each user can export the personal data linked to their account (Settings → Your Data & Account → Export my data) and delete their account with a 30-day recovery window (see the Privacy Policy, Sections 11 and 13). Organization owners and admins control tenant content and membership through the product.
- Taking into account the nature of the processing, we will assist Customer with appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
- If a Data Subject request concerning Customer’s tenant data is made directly to us, we will (to the extent legally permitted) redirect the Data Subject to Customer or promptly forward the request, and will not respond substantively except on Customer’s instruction or where legally required.
9. Personal Data Breach
We will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. Notice is given by email to the organization owner’s registered address. The notification will describe, insofar as known, the nature of the breach, the categories and approximate volumes of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point; where full details are not yet available, we will notify in phases as information becomes available. We will provide reasonable cooperation with Customer’s investigation, mitigation, and any notification obligations Customer has. Notification is not an acknowledgement of fault or liability.
10. DPIAs and prior consultation
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance with Customer’s data protection impact assessments and prior consultations with Supervisory Authorities, to the extent they relate to processing under this DPA.
11. Deletion and return of Personal Data
- During the term. Customer’s users can delete tenant content through the product, and individual users can invoke the account-deletion flow described in Section 8.1.
- At the end of the services — Customer’s choice. Upon termination of the Agreement or closure of Customer’s account, at Customer’s choice, Delta3CoreTec will return and/or delete the Personal Data processed on Customer’s behalf. Return: the organization owner can self-serve a complete export of Customer’s tenant Personal Data at any time before termination or account closure via the in-product organization export (Settings → Organization data → Export organization data), delivered in a structured, commonly used, machine-readable format (JSON); the in-product exports also cover project and schedule reports (CSV/PDF) and each user’s own personal data (the per-user account export). If Customer has not run the organization export before the end of the services, Customer may make a written request within 30 days of termination and we will provide the complete export in a structured, commonly used, machine-readable format (JSON and/or CSV). Deletion: deletion initiated through the in-product account-closure flow follows the lifecycle in Section 11 of the Privacy Policy — a 30-day recovery window, then a scheduled purge that permanently deletes or anonymizes Personal Data. Where the Agreement ends without the in-product closure flow having been used (e.g., subscription lapse or termination by us), we will delete or anonymize the tenant Personal Data on Customer’s written request, actioned within 30 days of the request. On request, we will confirm completion of deletion in writing.
- Backups. Purged or deleted Personal Data may persist for a limited period in encrypted backups maintained by the hosting provider and is removed in the ordinary course of backup rotation; backup copies are not restored except for disaster recovery, and remain protected by this DPA until removed.
- Retention carve-out. We may retain Personal Data after the end of the services to the extent Union or Member State law (or other applicable law) requires storage; any data so retained remains protected under this DPA and is processed only for that purpose. Separately, account, billing, and security records (including audit logs) that Delta3CoreTec retains for its own legal-compliance and security purposes are processed by Delta3CoreTec as an independent controller as described in Section 2.2 and the Privacy Policy.
12. Audits and information
- On written request (no more than once per 12-month period, absent a Personal Data Breach or demonstrated material non-compliance), we will make available the information reasonably necessary to demonstrate compliance with this DPA — such as descriptions of the TOMs, this DPA, sub-processor terms, our Article 30(2) record of processing activities relevant to Customer, and, when available, summaries of third-party security assessments or certifications (a SOC 2 Type II examination is on the Enterprise roadmap and is not yet available).
- Where the information above is insufficient to demonstrate compliance, we will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer (bound by confidentiality and not a competitor of Delta3CoreTec), limited in scope, duration, and frequency, on at least 30 days’ notice, during business hours, at Customer’s expense, and without access to other customers’ data. The parties will agree the audit plan in advance.
13. Liability, precedence, and term
- Each party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability in the Agreement (Terms of Service, Section 12); this DPA does not enlarge either party’s total liability.
- If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls; where the SCCs apply and conflict with this DPA, the SCCs control.
- This DPA takes effect upon acceptance of the Agreement and remains in force as long as we process Personal Data on Customer’s behalf. Sections 4, 5, 7, 9, 11, 12.1, and 13 survive for as long as Delta3CoreTec retains Personal Data under Section 11.
- This DPA is governed by the law governing the Agreement (State of North Carolina), except where the SCCs or mandatory Data Protection Law require otherwise (the SCCs themselves are governed as set out in Section 7.2).
14. Contact
Privacy and data-protection inquiries, Data Subject requests, and DPA questions: privacy@delta3coretec.com. Postal: Delta 3 Core Tech LLC, 1500 W Main St #41, Carrboro, NC 27510-9998.
Annex I — Details of processing
A. List of parties. Data exporter: Customer (the organization accepting the Agreement; contact = the organization owner’s registered email). Data importer: Delta 3 Core Tech LLC, 1500 W Main St #41, Carrboro, NC 27510-9998, privacy@delta3coretec.com — activities: providing the CritPath AI schedule-risk SaaS.
B. Description of processing.
| Item | Description |
|---|---|
| Subject matter | Provision of the CritPath AI platform (schedule risk management: CPM, Monte Carlo simulation, TOC/DBR, decision gates, resource and cost analysis, reporting, and AI-assisted features) |
| Duration | The subscription term, plus the 30-day post-closure recovery window and the retention periods described in Section 11 of this DPA and the Privacy Policy (Section 11) |
| Nature and purpose | Hosting, storage, computation (scheduling/risk analysis), display, transmission to Sub-processors as instructed (including LLM providers for AI features and notification providers for email/SMS when notification features are enabled and contact details are provided), backup-related storage by the hosting provider, and deletion |
| Categories of Data Subjects | Customer’s authorized users (employees, contractors); individuals whose contact details Customer’s users enter (e.g., team members/resources for task-assignment notifications); individuals named in project content |
| Categories of Personal Data | Identification and contact data (name, email, phone) of users and resources as it appears in tenant content and organization membership records (user account registration and authentication data is processed by Delta3CoreTec as an independent controller per Section 2.2 and is out of scope); organization role and membership data; project and schedule content insofar as it contains personal data (e.g., names in tasks, notes, risks); AI prompts and context insofar as they contain personal data |
| Special categories | None intended. The Agreement prohibits submitting special-category/regulated data (including PHI) outside an Enterprise agreement covering it |
| Frequency | Continuous, for the duration of the subscription |
| Retention | Per Section 11 of this DPA and Section 11 of the Privacy Policy |
C. Competent supervisory authority (where the SCCs apply): determined per Clause 13 SCCs — for data exporters established in the EEA, the authority of the exporter’s member state; for exporters not established in the EEA that have appointed an Article 27 representative, the authority of the member state in which the representative is established; otherwise, the authority of a member state in which the relevant Data Subjects are located; for the UK, the ICO; for Switzerland, the FDPIC.
Annex II — Technical and organizational measures
- Access control (users): password authentication with strong one-way hashing (per-user salt; passwords are never stored or logged in plaintext); optional TOTP two-factor authentication with encrypted secret storage and single-use hashed recovery codes; session-epoch versioning that immediately invalidates all issued tokens on security events (e.g., 2FA enrollment, deactivation, account deletion).
- Authorization / tenant isolation: multi-tenant architecture with organization-scoped data access enforced in the application layer on every query; role-based access control (Owner / Admin / Manager / Member / Viewer); administrative actions restricted by role and, for sensitive account-lifecycle actions, protected by two-factor step-up where the actor has 2FA enrolled.
- Encryption: TLS encryption in transit; for encryption at rest and physical/network security we rely on the controls described in the Annex III hosting providers’ published security documentation; two-factor secrets encrypted at application level; payment card data handled exclusively by Stripe and never stored on our systems.
- Auditability: append-only, hash-chained audit logging of security-relevant and schedule-decision events (per-organization tamper-evident chain, database-level guard against modification, verifiable export).
- Availability and resilience: the Service runs on managed cloud infrastructure with provider-level redundancy; database backup and restore capabilities are provided through the managed database platform (see Section 11.3 for backup handling of deleted data); Customers can additionally export project reports, per-user personal data, and (for organization owners) the complete tenant dataset at any time via the in-product exports (see Section 11.2).
- Data lifecycle: self-service personal-data export; account deletion with a 30-day recovery window followed by a scheduled purge that permanently deletes or anonymizes personal data (subject to the backup carve-out in Section 11.3); released identifiers only after purge.
- Application security: secrets managed via environment configuration, never in source control; server-side input validation; sanitized error responses (no internal details or personal data leaked to clients); rate limiting on expensive endpoints; production API documentation disabled.
- Infrastructure: hosted on the managed cloud infrastructure of the Sub-processors in Annex III (United States); separation of production and development environments.
- Organizational: personnel with access to Personal Data are bound by confidentiality obligations; least-privilege access to production systems; sub-processor due diligence via their published security documentation and data processing terms.
- Data subject rights support: in-app export (structured JSON) and deletion flows (see Section 8); requests received directly are forwarded to the Customer.
Annex III — Authorized Sub-processors
This list corresponds to Section 7 of the published Privacy Policy; the Privacy Policy page reflects the most current list, updated per Section 6 of this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI features (Claude API) — processes prompts and schedule context submitted to AI features | United States |
| Google (Gemini API) | AI features (Gemini API), including text embeddings for retrieval | United States |
| Stripe | Payment processing and billing | United States |
| Railway | Backend application hosting and managed PostgreSQL database | United States |
| Vercel | Frontend application hosting | United States |
| Twilio | SMS / text notifications (when notification features are enabled and phone numbers are provided) | United States |
| Mailgun (Sinch Mailgun) | Transactional and notification email | United States |