Data Processing Agreement
How we process data for you.
Last updated: 30 June 2026
This Data Processing Agreement ("DPA") forms part of the Agreement — the Currant Terms of Service — between Currant Software, LLC ("Currant," "Processor") and the organization that installs or uses the Service ("Customer," "Controller"). It applies whenever Currant processes personal data on the Customer's behalf, and it is incorporated by reference into the Terms. Capitalized terms not defined here have the meaning given in the Terms or in applicable Data Protection Laws.
In short. The Customer is the controller; Currant is the processor (a CCPA "service provider"). By default Currant works on metadata only; optional content features process message text transiently and store only derived outputs — never raw text — and AI sub‑processors don't train on the data. We secure it, list our sub‑processors, delete on uninstall, and use standard safeguards (SCCs) for any EEA/UK→US transfer.
1. Definitions
"Data Protection Laws" means all laws applicable to the processing of personal data under the Agreement, including the EU GDPR, the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"). "Personal Data," "Processing," "Controller," "Processor," "Sub‑processor," "Data Subject," and "Personal Data Breach" have the meanings given in the Data Protection Laws. "SCCs" means the EU Standard Contractual Clauses and, where relevant, the UK International Data Transfer Addendum.
2. Roles of the parties
The Customer is the Controller (or a processor acting for a third‑party controller) and Currant is the Processor of the personal data described in Annex A. Under the CCPA/CPRA, the Customer is a Business and Currant is a Service Provider. Each party complies with its own obligations under Data Protection Laws.
3. Scope and instructions
Currant processes personal data only: (a) to provide, secure, and support the Service; (b) in accordance with the Customer's documented instructions — the Terms, this DPA, and the Customer's configuration and use of the Service constitute those instructions; and (c) as required by applicable law, in which case Currant will inform the Customer first unless legally prohibited. Currant will tell the Customer if, in its opinion, an instruction infringes Data Protection Laws.
4. Nature of processing; content‑free by default
The subject matter, duration, nature and purpose of processing, the types of personal data, and the categories of data subjects are set out in Annex A. By default the Service is content‑free — it processes only metadata (who/when/where mentioned, timestamps, answered‑state). Optional content features process message text transiently to produce derived outputs and persist only the derived artifacts (labels, scores, assignments, bounded‑window embeddings) — never raw message text or transcripts. Currant does not sell personal data, does not use it for its own purposes, and does not use Customer personal data or message content to train AI models.
5. Confidentiality
Currant ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
6. Security
Currant implements appropriate technical and organizational measures to protect personal data, described in Annex B — including encryption at rest, least‑privilege and just‑in‑time access, per‑tenant isolation, exclusion of secrets/tokens from logs, and hosting on SOC 2 Type II infrastructure.
7. Sub‑processors
The Customer provides general authorization for Currant to engage the sub‑processors listed in Annex C. Currant imposes data‑protection obligations on each sub‑processor no less protective than this DPA, remains responsible for their performance, and will give the Customer prior notice of any intended addition or replacement, allowing the Customer to object on reasonable data‑protection grounds. The AI sub‑processors do not use the data to train their models and are bound to short retention.
8. Data subject requests
Taking into account the nature of the processing, Currant assists the Customer by appropriate technical and organizational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, objection). If Currant receives such a request directly, it will refer the data subject to the Customer.
9. Personal Data Breach
Currant notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer personal data, provides the information reasonably available, and offers reasonable assistance with the Customer's notification and remediation obligations.
10. Assistance with compliance
Currant assists the Customer, taking into account the nature of processing and the information available to Currant, with the Customer's obligations regarding security, breach notification, and data protection impact assessments and prior consultations.
11. International data transfers
Currant processes and stores personal data in the United States. Where personal data of EEA or UK data subjects is transferred from the EEA/UK to the United States, the parties rely on the SCCs (and the UK Addendum), which are incorporated by reference, or on another lawful transfer mechanism.
12. Deletion and return of data
On termination of the Service, or when the Customer uninstalls Currant, Currant deletes the Customer's personal data (metadata and derived data) within a commercially reasonable period, except to the extent retention is required by law. Uninstalling the Service triggers deletion of that workspace's data.
13. Audits and information
Currant makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and contributes to audits, including by providing relevant third‑party reports (for example, its hosting provider's SOC 2 report) under confidentiality.
14. CCPA/CPRA — Service Provider terms
With respect to personal information governed by the CCPA/CPRA, Currant acts as a Service Provider and: (a) does not sell or share personal information; (b) does not retain, use, or disclose it except as necessary to provide the Service or as otherwise permitted by the CCPA/CPRA; (c) does not combine it with personal information from other sources except as permitted; and (d) certifies that it understands and will comply with these restrictions.
15. Liability and precedence
This DPA is subject to the limitations of liability in the Terms. In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls; in all other respects the Terms control.
16. Term & acceptance
This DPA takes effect when the Customer accepts the Terms or begins using the Service and remains in effect for as long as Currant processes personal data on the Customer's behalf. No separate signature is required; if a Customer requires a countersigned copy, contact hello@currant.work.
Annex A — Details of processing
- Subject matter: Currant's provision of the Service to the Customer.
- Duration: for the term of the Agreement and until deletion under §12.
- Nature & purpose: content‑free metadata processing to surface unanswered @mentions, response pace, and where work is waiting; optional content features that transiently process message text to derive topics, summaries, focus, and bottleneck signals.
- Types of personal data: Slack user/workspace identifiers, display names, timezone; message metadata (channel, thread, timestamps, mention/answer events); for opted‑in content features, derived artifacts (topic labels/assignments, scores, bounded‑window embeddings, optional relationship notes) — no raw message content at rest; account/sign‑in data (Slack ID, email, role); operational logs (e.g., IP).
- Categories of data subjects: the Customer's workforce (members of the Customer's Slack workspace) who use or are referenced by the Service.
Annex B — Technical & organizational measures
Encryption at rest (tokens and sensitive derived fields with a separate key); TLS in transit; least‑privilege and just‑in‑time Slack scopes; per‑tenant data isolation; secrets and tokens excluded from logs; data minimization (content‑free by default; derived‑only for content features); hosting on SOC 2 Type II infrastructure; deletion on uninstall/termination.
Annex C — Sub‑processors
| Sub‑processor | Purpose | Location |
|---|---|---|
| Slack | The platform the Service runs on; identity provider for sign‑in | US |
| Railway | Application hosting, database, job queue (SOC 2 Type II) | US |
| Cloudflare R2 | Object storage for backups and cold/bulk derived data | US |
| Anthropic (Claude) | Content tier only: labels, summaries, classification (not used for training) | US |
| Voyage (via MongoDB Atlas) | Content tier only: text embeddings (not used for training) | US |
| Stripe | Payment processing for paid plans (active once billing launches) | US |
This Data Processing Agreement is a template prepared for the convenience of the parties and is not legal advice. Have it reviewed by qualified counsel before relying on it for a paying or EEA/UK customer. Questions: hello@currant.work.