Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller:The Coach ("you", "Controller") — the individual or entity that has agreed to the IronOS Terms of Service and uses the IronOS platform to manage leads, clients, and coaching operations.
Data Processor:Mustafa Hadi d/b/a IronOS, operating at ironos.dev ("IronOS", "we", "Processor") — the entity that processes personal data on behalf of the Controller through the IronOS platform.

This DPA supplements the IronOS Terms of Service and Privacy Policy, and applies to the extent that IronOS processes personal data on behalf of the Controller under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the Swiss Federal Act on Data Protection (FADP).

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
Processing: Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Sub-Processor: A third-party entity engaged by IronOS to process Personal Data on behalf of the Controller.
Data Subject: An identified or identifiable natural person whose Personal Data is processed.
Supervisory Authority: An independent public authority established by an EU/EEA Member State pursuant to Article 51 of the GDPR.

3. Subject Matter and Duration

IronOS processes Personal Data on behalf of the Controller for the purpose of providing the IronOS platform services as described in the Terms of Service. Processing begins when the Controller creates an IronOS account and continues for the duration of the service agreement. Upon termination, data is handled in accordance with Section 13 (Data Return and Deletion) of this DPA.

4. Nature and Purpose of Processing

IronOS processes Personal Data to provide the following services to the Controller:

AI-powered coaching platform operation, including dashboard access and account management
Lead capture and CRM functionality, including public application pages and lead scoring
Automated email sequence delivery and engagement tracking
AI content generation in the Controller's voice using voice profile data
Outreach assistance, including AI-generated DM scripts and prospect scoring
Analytics and reporting on lead pipeline performance
Payment processing for setup fees and subscriptions

5. Types of Personal Data Processed

The following categories of Personal Data may be processed:

Lead Data: Names, email addresses, Instagram handles, training experience, powerlifting stats (squat/bench/deadlift), training goals, and form submission metadata
Coach Account Data: Names, email addresses, business names, Clerk authentication identifiers, Stripe customer and subscription identifiers
Voice Profile Data: Writing samples, tone preferences, and AI-generated voice characteristics used for content generation
Usage Data: IP addresses, user agent strings, page views, and feature usage patterns (collected via PostHog)
Payment Data: Processed exclusively by Stripe — IronOS does not store card numbers or bank account details

6. Categories of Data Subjects

Coaches: Independent powerlifting coaches who have subscribed to the IronOS platform
Leads: Prospective and current clients of Coaches who submit information through Coach-branded capture pages or are added to the CRM

7. Controller's Instructions

IronOS shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law to which IronOS is subject. The Terms of Service, this DPA, and the Controller's use of the platform (including configuration of lead capture pages, email sequences, and content generation settings) constitute the Controller's complete instructions for processing.

If IronOS believes that an instruction from the Controller infringes the GDPR or other applicable data protection provisions, IronOS shall promptly inform the Controller.

8. Confidentiality

IronOS ensures that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it to perform their duties in connection with the IronOS platform.

9. Security Measures

IronOS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase and infrastructure providers)
Access Control: Row-Level Security (RLS) policies on all database tables enforce data isolation between coaches. Default-deny policy with explicit allow rules.
Authentication: Clerk v5.7.5 with session management, CSRF protection, and secure cookie handling
Rate Limiting: Upstash Redis-based rate limiting on all API endpoints (auth: 5/15min, API: 60/15min, leads: 3/hr per IP)
Webhook Verification: Cryptographic signature verification on all inbound webhooks (Stripe, Clerk, Resend)
Input Validation: All inputs validated with Zod schema validation before database operations. HTML tags stripped, whitespace trimmed, max lengths enforced.
Bot Protection: Cloudflare Turnstile on public-facing forms
Error Handling: Sanitized error messages — stack traces, PII, and internal paths are never exposed to clients or stored in logs
Security Headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options enforced on all responses
Monitoring: Sentry error tracking and PostHog analytics for anomaly detection

10. Sub-Processors

The Controller provides general written authorization for IronOS to engage Sub-Processors for the purpose of delivering the platform services. The current list of Sub-Processors is set out below.

Sub-Processor	Purpose	Location
Clerk	Authentication and user identity management	United States
Supabase	Database hosting, storage, and real-time subscriptions	United States (AWS)
Stripe	Payment processing and subscription billing	United States
Resend	Transactional and marketing email delivery	United States
OpenAI	AI content generation, voice profiles, and DM scripts	United States
Apify	Public social media data collection (Instagram, TikTok)	Czech Republic (EU)
Vercel	Application hosting and serverless function execution	United States
Cloudflare	CDN, DDoS protection, DNS, and Turnstile bot verification	Global (edge network)
PostHog	Product analytics and feature flag management	United States
Sentry	Error monitoring and performance tracking	United States
Upstash	Redis-based rate limiting and caching	United States
Trigger.dev	Background job orchestration and task scheduling	United States

IronOS shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-Processors, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds related to data protection within 30 days of notification, IronOS shall either not appoint the Sub-Processor or, if IronOS proceeds, the Controller may terminate the affected services without penalty.

IronOS shall impose data protection obligations on each Sub-Processor no less protective than those in this DPA and shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

11. Data Subject Rights

IronOS shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection. IronOS provides:

A self-service data export function accessible from the Coach dashboard
An API endpoint for submitting GDPR/CCPA data rights requests
Administrative tools for processing access, deletion, rectification, portability, and restriction requests

If IronOS receives a request directly from a Data Subject, IronOS shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise required by law.

12. Breach Notification

IronOS shall notify the Controller without undue delay, and in any event within 72 hoursof becoming aware of a Personal Data breach affecting the Controller's data. The notification shall include:

A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
The name and contact details of the IronOS data protection contact point
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

IronOS shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.

13. Data Return and Deletion

Upon termination of the service agreement, the Controller may export their data using the IronOS dashboard export functionality. IronOS shall make data available for export for a period of 90 days following termination.

After the 90-day retention period, IronOS shall permanently delete all Personal Data processed on behalf of the Controller, including all copies in backups and logs, unless retention is required by applicable law. Upon request, IronOS shall provide written confirmation of deletion.

Data that is anonymized and aggregated (such that it can no longer be attributed to any Data Subject) may be retained for analytics and service improvement purposes.

14. International Data Transfers

IronOS and the majority of its Sub-Processors are located in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission, IronOS relies on:

Standard Contractual Clauses (SCCs): As adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA
UK International Data Transfer Agreement (IDTA): For transfers from the UK, as applicable
Sub-Processor safeguards: Each Sub-Processor listed in Section 10 maintains its own data transfer mechanisms (e.g., SCCs, DPAs, or adequacy-based frameworks)

IronOS shall ensure that any transfer of Personal Data to a third country or international organization is subject to appropriate safeguards as described in Article 46 of the GDPR.

15. Audits and Inspections

IronOS shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable prior notice, during business hours, and in a manner that does not unreasonably disrupt IronOS operations.

16. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection law where such limitation is not permitted by applicable law.

17. Contact

For questions or requests related to this DPA, data processing, or the exercise of data subject rights, contact us at legal@ironos.dev.

← Back to Legal