ioInsureOS
Sign inStart free
InsureOS

Data Processing Agreement

Last updated 6/20/2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and the operator of this InsureOS workspace ("Processor") for the provision of the InsureOS service.

1. Roles

The Controller determines the purposes and means of processing personal data within its workspace. The Processor acts on documented instructions from the Controller. Where the Processor engages sub-processors, it does so on the same terms as set out below.

2. Scope of processing

  • Subject-matter — operation of the InsureOS CRM, including lead capture, scoring, outreach, calendar booking, policy management, commission tracking and audit logging.
  • Duration — for the term of the underlying agreement and any retention period defined in the workspace's retention_days setting.
  • Nature and purpose — providing the contracted SaaS service.
  • Categories of data subjects — leads, policyholders, broker staff, and Controller employees.
  • Categories of personal data — identifiers, contact details, policy details, communication content, consent records, financial transaction metadata.
  • Special category data — only where explicitly entered by the Controller (e.g. health insurance applications). Controller is responsible for the lawful basis.

3. Sub-processors

The Controller authorises the following sub-processors:

  • Lovable Cloud — hosting, database, authentication, file storage (EU region).
  • Lovable AI Gateway — model inference for lead scoring and content suggestions.
  • Stripe Payments Europe Ltd — subscription billing and payment processing.
  • Any messaging, telephony or calendar provider the Controller connects in Settings → Comms providers (e.g. Twilio, SendGrid, Meta, Google, Microsoft).

The Processor will give the Controller 30 days' notice of any changes to this list and a right to object.

4. Security measures

The Processor implements the technical and organisational measures described on the Security page, including TLS 1.2+ in transit, encryption at rest, row-level tenant isolation, encrypted integration credentials, role-based access control, full audit logging, and incident response within UK GDPR Article 33 timelines.

5. Data subject rights

The Processor provides tooling for the Controller to action data-subject requests: in-app data export (Article 15), right to rectification (lead edit), right to erasure (RTBF), and automated retention enforcement.

6. International transfers

Where personal data is transferred outside the UK / EEA, transfers are governed by the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses (2021/914), as applicable.

7. Audits

The Controller may request a summary of the Processor's most recent security assessment once per twelve-month period.

8. Return and deletion

On termination, the Controller may export workspace data for 30 days. After that period the Processor deletes Controller data within 60 days, save where retention is required by law.

9. Conflict

In the event of conflict with the main agreement, this DPA prevails for matters of personal data processing.