📄 Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is part of the agreement between the user ("Data Controller") and GentleBridge ("Data Processor") and applies whenever GentleBridge processes personal data on behalf of the user.

1. Purpose and Scope

This DPA outlines the obligations of both parties related to the processing of personal data (as defined by applicable data protection laws) in the course of using the GentleBridge platform.

GentleBridge will process personal data only for the purpose of providing the Services, as defined in our Terms of Use and Privacy Policy.

2. Types of Data Processed

Data processed may include:

• Parent/guardian names and emails
• User login credentials (hashed)
• Child nicknames or pseudonyms (strongly encouraged)
• Task prompts, routines, and AI-generated dialogue
• Optional usage metrics or crash diagnostics

We do not knowingly collect health records, educational records, or sensitive data requiring special regulatory protections (e.g., under HIPAA or FERPA).

3. Subprocessors

GentleBridge uses the following subprocessors for infrastructure, AI, and feature delivery:

• OpenAI, L.L.C. – AI conversation and text generation
• Google Cloud Platform – Voice synthesis and analytics
• Amazon Web Services (AWS) – Data hosting and infrastructure
• Stripe (if applicable) – Payment processing
• Other subprocessors disclosed upon request

All subprocessors are subject to strict confidentiality, data security, and processing agreements.

4. Data Security

GentleBridge implements industry-standard safeguards, including:

• AES-256 encryption at rest
• TLS encryption in transit
• Role-based access controls
• Multi-factor authentication for internal systems
• Continuous security monitoring
• Disaster recovery and backup systems

Only authorized personnel may access user data on a need-to-know basis.

5. Data Subject Rights

We support the Data Controller's obligation to:

• Provide access to, correct, or delete user or child data
• Respond to subject access requests (SARs)
• Support data portability where applicable
• Withdraw consent and request processing restrictions

Requests can be submitted to privacy@gentlebridge.com.

6. International Transfers

All data is processed in the United States. If the Data Controller resides in the European Economic Area (EEA) or the United Kingdom, they acknowledge that their data will be transferred to and processed in a jurisdiction with potentially different data protection laws.

Where required, Standard Contractual Clauses (SCCs) or other lawful mechanisms may be applied.

7. Data Breach Notification

In the event of a data breach affecting personal data, GentleBridge will:

• Notify the Controller without undue delay (typically within 72 hours)
• Provide details on the nature and scope of the breach
• Outline mitigation and remediation steps
• Cooperate with regulatory or legal inquiries

8. Termination and Deletion

Upon account closure or request, GentleBridge will delete all personal data (except where retention is required by law) within 30 days. Data may remain in encrypted backups for up to 60 days before secure purge.

9. Liability and Indemnification

GentleBridge shall be liable only to the extent resulting from proven breaches of this DPA and shall be subject to the limitations set forth in our Terms of Use. The Controller agrees to indemnify GentleBridge for misuse, misrepresentation, or unlawful instructions relating to data.

10. Contact for Data Protection Matters