This Data Processing Addendum ("DPA") supplements the Privacy Policy and forms part of the agreement between PhewDo ("Processor") and you, the customer ("Controller"). It describes PhewDo's obligations when processing personal data on your behalf through the PhewDo platform.
Where there is any conflict between this DPA and the Privacy Policy, this DPA shall prevail with respect to data processing matters.
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service on your behalf.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
- "Sub-processor" means any third party engaged by PhewDo that processes Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Isolation Boundary" means the logical and cryptographic separation enforced between each customer's data within the platform.
Scope & Categories of Data Processed
| Data Category | Nature of Processing | Retention |
|---|---|---|
| Account credentials | Authentication, session management | Duration of account + 90 days |
| Third-party session tokens | Encrypted storage, authenticated API relay | Until revocation or 24h post-deletion |
| Third-party login credentials | Encrypted vault storage, automated re-authentication | Until revocation or 24h post-deletion |
| Prospect profiles (public data) | Enrichment, qualification scoring, campaign targeting | Duration of account + 30 days |
| Campaign configurations | Automated execution, scheduling, optimization | 12 months post-completion + 12 months archived |
| Engagement metadata | Analytics, rate-limit enforcement, reporting | 6 months, then anonymized |
Security Architecture
PhewDo's infrastructure is engineered around a defense-in-depth model with multiple independent security layers. The following describes the technical controls in place across the platform.
Encryption at Rest
All stored data is encrypted using the AES-256 block cipher. Sensitive credentials are additionally wrapped with per-tenant envelope encryption, where key material is managed by a dedicated key management service and never stored alongside ciphertext.
Encryption in Transit
All data transmission between client applications, edge compute nodes, and persistent storage layers is secured with TLS 1.2 or higher. Certificate pinning is enforced on all internal service-to-service communication paths.
Tenant Isolation
Row-level security policies enforce strict logical isolation at the storage engine level. Every query is scoped to the authenticated tenant's boundary. Cross-tenant data access is architecturally impossible — enforced at the query planner, not application logic.
Runtime Sandboxing
Automated operations execute within ephemeral, containerized sandboxes. Each execution context is provisioned on demand, isolated at the process and network level, and destroyed upon task completion. No state persists between executions.
Access Control
The platform enforces short-lived, cryptographically signed access tokens with automatic rotation. Administrative access to production systems requires multi-factor authentication and is restricted to a minimal set of authorized personnel operating under the principle of least privilege.
Network Perimeter
Production infrastructure operates behind a hardened network perimeter with stateful packet inspection, geo-restricted ingress rules, and anomaly-based intrusion detection. All egress traffic is routed through monitored gateways with protocol-level filtering.
Data Isolation & Multi-Tenancy
4.1 Logical Isolation
PhewDo operates a multi-tenant architecture in which each customer's data is segregated through enforced isolation boundaries at the storage layer. These boundaries are implemented as declarative security policies evaluated by the database engine itself — not by application code — ensuring that even in the event of an application-layer vulnerability, cross-tenant data leakage is prevented by the underlying storage enforcement layer.
4.2 Credential Isolation
Third-party credentials (session tokens, login credentials) are stored in a dedicated credential vault with per-tenant encryption envelopes. Decryption is performed only at the point of use within an ephemeral execution context, and plaintext credentials never persist on disk or in application memory beyond the scope of a single operation.
4.3 Execution Isolation
Each automated operation runs within its own sandboxed execution environment. Environments are provisioned with dedicated process trees, isolated network namespaces, and tenant-scoped resource limits. This prevents any operation from observing, interfering with, or accessing resources belonging to another tenant's workload.
4.4 Audit Isolation
All data access and mutation events are captured in an immutable, append-only audit log. Audit entries are tagged with tenant identifiers at write time and are subject to the same row-level isolation policies as primary data stores. Customers may request an export of their audit trail at any time.
Sub-processors
PhewDo engages the following categories of sub-processors. Specific sub-processor identities are available to enterprise customers under NDA.
| Sub-processor Category | Purpose | Data Accessed |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, and managed database services | All data (encrypted at rest) |
| Edge compute provider | Serverless function execution for API operations | Transient request/response payloads |
| Network relay provider | Geo-distributed traffic routing for session integrity | IP-level traffic only; no application-layer data |
| AI inference provider | Natural language generation, lead scoring | Anonymized prospect metadata; not retained beyond request lifecycle |
| Payment processor | Subscription billing | Billing identifiers only; no full payment card data stored by PhewDo |
| Transactional email provider | Account notifications, system alerts | Email address, message content |
PhewDo will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to the appointment of a new sub-processor on reasonable grounds related to data protection, and PhewDo will work with the Controller to address such concerns.
Data Breach Response
6.1 Detection
PhewDo operates continuous monitoring across all production systems. Anomaly detection pipelines analyze access patterns, authentication events, and data flow volumes in real time. Alerts are escalated to an on-call security response team.
6.2 Notification
In the event of a confirmed Data Breach affecting Personal Data processed on behalf of the Controller, PhewDo will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide a written incident report detailing: the nature and scope of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate with the Controller in meeting any regulatory notification obligations.
6.3 Remediation
Upon detection, PhewDo's incident response protocol includes immediate containment (credential rotation, session invalidation, access revocation), root cause analysis, evidence preservation, and implementation of preventive controls to address the identified vulnerability.
International Data Transfers
PhewDo is operated from Dubai, UAE. Where Personal Data is transferred to jurisdictions outside the Controller's country of residence, PhewDo ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission, where applicable.
- Data Processing Agreements with all sub-processors requiring equivalent levels of protection.
- Encryption of data in transit and at rest across all geographic boundaries, ensuring that data remains protected regardless of the hosting jurisdiction.
The Controller may request documentation of the specific transfer mechanisms in place for each sub-processor.
Controller Rights & Obligations
8.1 Instruction Authority
PhewDo processes Personal Data only on documented instructions from the Controller. The Controller's use of the PhewDo platform (including campaign configuration, prospect targeting, and messaging) constitutes documented instructions. PhewDo will not process Personal Data for any purpose other than the delivery of the Service unless required by applicable law.
8.2 Data Subject Requests
PhewDo will assist the Controller in responding to data subject access, rectification, erasure, portability, and objection requests. The platform provides self-service data export and deletion capabilities. For requests that cannot be fulfilled through the platform, contact huh@phewdo.com.
8.3 Audit Rights
The Controller, or an independent third-party auditor appointed by the Controller, may audit PhewDo's compliance with this DPA upon reasonable written notice (not more than once per calendar year). PhewDo will provide reasonable access to relevant documentation, systems information, and personnel. Audit scope is limited to data processing activities performed on behalf of the Controller.
8.4 Data Protection Impact Assessments
Where required by applicable data protection law, PhewDo will provide the Controller with reasonable assistance in conducting data protection impact assessments related to the use of the Service.
Data Deletion & Return
Upon termination of the Controller's account or upon written request:
- PhewDo will provide the Controller with a machine-readable export of all Personal Data processed on their behalf, available for download for 30 days following the request.
- After the export period, or upon the Controller's instruction, PhewDo will permanently delete all Personal Data from active systems within 30 days and from backup systems within 90 days.
- Third-party credentials and session tokens will be purged within 24 hours of account termination or revocation.
- PhewDo will provide written confirmation of deletion upon request.
Governing Law & Amendments
This DPA is governed by the laws applicable to the underlying service agreement. PhewDo may update this DPA to reflect changes in data protection law or its processing practices. Material changes will be communicated to the Controller at least 30 days in advance. Continued use of the Service after such notice constitutes acceptance of the updated DPA.
For questions regarding this DPA or to request detailed security documentation under NDA:
This Data Processing Addendum was last updated on April 1, 2026.