DPA · last updated 2026-05-22

Data Processing Agreement

This is Signal Mama's standard Data Processing Agreement (DPA), GDPR-aligned and pre-incorporated with the EU Standard Contractual Clauses (SCCs) for cross-border transfers. By signing up for Mama (or by countersigning a custom DPA), you (the Controller) and Signal Mama, Inc. (the Processor) agree to these terms. Custom DPA review: if your legal team needs redlines, email [email protected] — typical turnaround is 5 business days.

Definitions

In plain English
A short glossary so terms-of-art mean the same thing in this DPA as they do in GDPR.
Controller
You — the customer entity that determines the purposes and means of processing personal data via Signal Mama.
Processor
Signal Mama, Inc. — processes personal data on behalf of the Controller per these terms and the underlying Terms of Service.
Sub-processor
Third-party vendors engaged by the Processor to perform parts of the processing (e.g., AWS for infrastructure). Full list at /security#sub-processors.
Personal Data
Any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) and equivalent regimes (CCPA, UK GDPR, etc.).
Data Subject
The identified or identifiable natural person to whom Personal Data relates.
SCCs
The EU Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, as updated, used to lawfully transfer personal data outside the EEA.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Scope & roles

In plain English
You're the Controller (you decide what data to process). Mama is the Processor (we process it on your instructions). This DPA covers everything we do with Personal Data on your behalf.

This DPA applies to processing of Personal Data by Signal Mama as Processor on behalf of Customer as Controller, in connection with Customer's use of the Signal Mama service as described in our Terms of Service.

Customer instructs Signal Mama to process Personal Data only for the following purposes:

  • Operating the Signal Mama service for Customer's use (generating briefs, scoring accounts, running signal detection, syncing to integrations)
  • Providing support and resolving issues raised by Customer
  • Complying with documented written instructions from Customer
  • Complying with applicable law (with prior notice to Customer where lawful)

Signal Mama will not process Personal Data for any other purpose without Customer's prior written consent.

Categories of data & data subjects

In plain English
What we process and about whom. Two main categories: your account data (your team's contact info, billing, app usage) and account-research data (publicly-listed professional info about contacts at companies you research).
Annex A · Subject matter & details of processing
Categories of Data Subjects

Customer's authorized users (Admins, Managers, Reps with seats in the workspace) and professional contacts at the companies Customer researches via Mama (e.g., named executives, hiring managers).

Categories of Personal Data

For authorized users: name, business email, role/title, workspace membership, application telemetry, IP address (for security), SSO identity assertions.

For professional contacts at researched companies: name, role/title, employer, public LinkedIn profile URL (if cited as source), public quotes from forums/reviews (only where the speaker has chosen to be public). No personal contact details (home address, personal phone, personal email) are collected.

Nature & purpose of processing

Storage, indexing, analysis, signal detection, brief synthesis, integration sync, audit logging — solely for the purpose of providing the Signal Mama service to Customer.

Duration

For the duration of Customer's subscription, plus the retention windows specified in our Privacy Policy (30-day post-termination data purge from primary storage; 90 days from backups).

Sub-processors

In plain English
We use sub-processors to run Mama (AWS, PostgreSQL, Stripe, etc.). Full list and locations at /security. We give 14 days' notice before adding a new sub-processor that touches your data; you can object in that window.

Customer authorizes Signal Mama to engage sub-processors to provide the service, on the terms below. The current list of sub-processors with their roles, locations, and data categories is published at /security#sub-processors.

4.1 Diligence

Signal Mama will impose, in writing, data protection obligations on each sub-processor that are no less protective than those in this DPA, and will remain fully liable to Customer for any acts or omissions of sub-processors that violate this DPA.

4.2 Notification of changes

Signal Mama will notify Customer at least 14 days in advance of engaging a new sub-processor that processes Personal Data, via the security mailing list. Customer may object on reasonable grounds within 14 days of such notice; if the parties cannot resolve the objection, Customer may terminate the affected service with a pro-rata refund of unused fees for the affected period.

Technical & organizational measures

In plain English
The full security posture is at /security. Headline: AES-256 at rest, TLS 1.3 in transit, role-based access with audit logging, SOC 2 Type II in progress, annual pen test, MFA-required for all employees with production access.

Signal Mama implements and maintains appropriate technical and organizational measures designed to protect Personal Data against the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in particular:

  • Encryption — AES-256 at rest, TLS 1.3 in transit; service-to-service mTLS
  • Access control — role-based access, least-privilege defaults, MFA required for all production access, quarterly access reviews, paired approval for production writes
  • Audit logging — admin actions logged with timestamp/user/IP/diff; 12-month retention on Pro; SIEM webhook available
  • Vendor security — annual sub-processor review, signed DPAs with all sub-processors that handle Personal Data
  • Personnel — background checks for production-access roles, mandatory training on day one and annually thereafter, NDA covering all personnel
  • Resilience — encrypted backups, cross-region replication, documented incident response with twice-yearly tabletop exercise
  • Compliance frameworks — SOC 2 Type II audit active; ISO 27001 alignment in progress; annual independent penetration test

Full and current technical measures are documented at /security, which forms Annex B to this DPA and is incorporated by reference.

International transfers

In plain English
Default region is US (AWS us-east-1). EU residency on Pro. Cross-border transfers covered by SCCs (auto-incorporated below) plus the UK addendum where applicable.

To the extent that Customer's use of Signal Mama involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed by the European Commission (or equivalent authority) to provide adequate protection, the parties agree:

  • The EU Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission under Decision (EU) 2021/914 are hereby incorporated into this DPA by reference
  • The UK International Data Transfer Addendum (IDTA) issued by the UK ICO is incorporated where applicable
  • For Swiss transfers, references to the GDPR in the SCCs are deemed to refer to the Swiss FADP as appropriate
  • Customer is the "data exporter" and Signal Mama is the "data importer" under the SCCs
  • Annex I (parties, processing, transfer details), Annex II (security measures), and Annex III (sub-processors) of the SCCs are populated by reference to this DPA, /security, and /security#sub-processors respectively

Pro-tier customers may elect EU data residency (AWS eu-west-1) at workspace creation, which avoids most cross-border transfer scenarios for that workspace's data at rest.

Data subject requests

In plain English
If a Data Subject contacts us with a GDPR/CCPA request about Customer's data, we forward it to Customer and help respond within the statutory window. If they contact Customer directly, we provide reasonable assistance.

Signal Mama will, taking into account the nature of processing, assist Customer in fulfilling Customer's obligation to respond to requests for exercising the Data Subject's rights under applicable data protection law (right of access, rectification, erasure, restriction, portability, and objection).

Specifically:

  • If Signal Mama receives a Data Subject Request relating to Customer's data, we will forward the request to Customer within 5 business days and will not respond directly except to confirm receipt and direct the Data Subject to Customer
  • Signal Mama will provide Customer with the technical means to access, export, correct, and delete Personal Data through the Signal Mama application
  • For complex requests requiring engineering support, Signal Mama will provide reasonable assistance at no additional cost

Personal data breach notification

In plain English
If we have a Personal Data Breach, we notify Customer within 72 hours (GDPR-aligned). The notification includes what happened, what was affected, what we're doing about it, and a contact for follow-up.

Signal Mama will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer's data. The notification will include, to the extent then known:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate adverse effects
  • The name and contact details of Signal Mama's Data Protection Contact ([email protected])

Signal Mama will provide updates as additional information becomes available and will cooperate with Customer's reasonable requests in responding to the breach.

Audit rights

In plain English
Customer has the right to verify Signal Mama's compliance with this DPA. We satisfy this primarily through our annual SOC 2 Type II report (available under NDA) and ISO 27001 alignment work, supplemented by reasonable on-request audits where required.

Customer has the right to verify Signal Mama's compliance with its obligations under this DPA. To facilitate this and to limit operational burden on both parties:

  • Signal Mama will, on Customer's written request, provide its most recent SOC 2 Type II report (under NDA) and respond to a reasonable security questionnaire (CAIQ-aligned or custom)
  • Where a Customer has a regulatory or contractual obligation that cannot be satisfied by these documents, Signal Mama will, on at least 30 days' prior written notice, permit an audit by Customer (or a mutually-agreed independent third party) at Customer's expense and during normal business hours, no more than once per year, and not in a manner that compromises other customers' confidentiality
  • Costs of any such audit are borne by Customer unless the audit reveals a material breach by Signal Mama of this DPA

Return & deletion of data

In plain English
When the contract ends, Customer can export everything via the API (or by request). After 30 days from termination, primary storage is purged; backups roll off within 90 days.

On termination of the underlying Terms of Service for any reason, Signal Mama will, at Customer's choice:

  • Return all Personal Data via the Signal Mama API (machine-readable JSON export) or on written request; the export remains available for 30 days post-termination, and
  • Delete all Personal Data from primary storage within 30 days of termination, and from backup systems within 90 days

Signal Mama will provide written confirmation of deletion on request. Customer acknowledges that Signal Mama may retain Personal Data to the extent (and for as long as) required by applicable law, in which case the data will continue to be protected by the security and confidentiality measures of this DPA.