Data Processing Agreement
Last updated: June 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between TinyCommand LLC ("Tiny Command," "Processor," "we," or "us") and the customer agreeing to these terms ("Customer," "Controller," or "you"), governing the Processing of Personal Data in connection with the Tiny Command platform and services (the "Service").
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.
1. Definitions
Terms such as "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings given in applicable Data Protection Laws.
"Data Protection Laws" means all laws applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Indian Digital Personal Data Protection Act, 2023 ("DPDP Act"), and applicable U.S. state privacy laws (including the CCPA/CPRA).
"Customer Personal Data" means Personal Data contained within Customer Data that Tiny Command Processes on Customer's behalf.
2. Roles and Scope
The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller (or, under the DPDP Act, the Data Fiduciary) and Tiny Command is the Processor (or Data Processor). Where Customer acts as a processor for a third-party controller, Tiny Command acts as a sub-processor.
Tiny Command will Process Customer Personal Data only:
to provide, maintain, secure, and support the Service;
in accordance with Customer's documented instructions, including those set out in the Agreement and this DPA; and
as required by applicable law, in which case we will inform Customer of that legal requirement unless prohibited from doing so.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex A.
3. Customer Obligations
Customer is responsible for the lawfulness of Customer Personal Data and the means by which it was acquired, including having a valid lawful basis and providing required notices to Data Subjects. Customer's instructions to Tiny Command will comply with Data Protection Laws.
4. Confidentiality
Tiny Command ensures that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and are subject to least-privilege access controls.
5. Security Measures
Tiny Command implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data, as described in our and summarized in Annex B, including encryption in transit and at rest, access controls, daily encrypted backups, regular vulnerability management, and quarterly third-party penetration testing.
6. Sub-Processors
Customer provides general authorization for Tiny Command to engage sub-processors to Process Customer Personal Data. A current list of sub-processors is maintained on our . Tiny Command will:
impose data-protection obligations on each sub-processor that are no less protective than those in this DPA; and
remain liable for the acts and omissions of its sub-processors.
We will provide at least 30 days' notice of new sub-processors before authorizing them to Process Customer Personal Data, and will give Customer the opportunity to object on reasonable data-protection grounds.
7. Data Subject Requests
Taking into account the nature of the Processing, Tiny Command will provide reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If Tiny Command receives such a request directly, it will, where legally permitted, direct the Data Subject to Customer.
8. Personal Data Breach
Tiny Command will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include information reasonably available to assist Customer in meeting its own breach-notification obligations. Tiny Command will take reasonable steps to mitigate and remediate the breach.
9. Data Protection Impact Assessments
Tiny Command will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by Data Protection Laws and taking into account the information available to Tiny Command.
10. International Transfers
Customer Personal Data may be Processed in the United States and Europe (see the ). Where Tiny Command transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, such transfers are governed by:
the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), incorporated by reference and completed in Annex C; and
the UK International Data Transfer Addendum to the EU SCCs, where the UK GDPR applies.
11. Deletion and Return
Upon termination of the Agreement, Tiny Command will, at Customer's choice, delete or return Customer Personal Data. Customer Data is available for export for 30 days following termination; thereafter it is deleted from production systems within 30 days and purged from backups within 90 days, except where retention is required by applicable law.
12. Audits
Tiny Command will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. The parties will agree on the scope, timing, and confidentiality terms of any audit in advance; Tiny Command may satisfy audit requests by providing relevant third-party certifications or reports (e.g., SOC 2, once available).
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14. Term
This DPA takes effect on the date the Agreement becomes effective and remains in force for as long as Tiny Command Processes Customer Personal Data.
Annex A — Details of Processing
Subject matter: Provision of the Tiny Command platform and services.
Duration: For the term of the Agreement plus applicable retention periods.
Nature and purpose: Hosting, storage, automation, AI-assisted processing, email delivery, and related services as described in the Agreement.
Types of Personal Data: As determined by Customer — including names, email addresses, contact details, and any Personal Data contained in form responses, table/database records, and uploaded documents submitted to the Service.
Categories of Data Subjects: As determined by Customer — including Customer's end users, customers, employees, and contacts.
Annex B — Technical and Organizational Measures
As described on the : encryption in transit and at rest; least-privilege role-based access controls; daily encrypted backups; regular vulnerability management; quarterly third-party penetration testing; incident response with 72-hour breach notification; hosting on AWS in US and European regions.
Annex C — Standard Contractual Clauses
The EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum are incorporated into this DPA. The executed SCC exhibit, including completed appendices identifying the parties, the competent supervisory authority, and the description of transfer, is to be appended and signed by the parties at the time the DPA is countersigned. (This exhibit is the official EU-published form and must be physically attached at signing.)
Contact
TinyCommand LLC N Gould St., Sheridan, Wyoming 82801, US Email: