Data Processing Agreement
Last updated: April 14, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies when TinyBridge processes personal data on behalf of an organization ("Data Controller") that uses TinyBridge Choice Boards (the "Service").
When does this DPA apply? This DPA applies when an organization (school, clinic, care facility, therapy practice) uses TinyBridge and is responsible as a data controller for the personal data of its users, clients, patients, or students.
1. Definitions
- "Data Controller" — The organization that determines the purposes and means of processing personal data through the Service
- "Data Processor" — TinyBridge, which processes personal data on behalf of the Data Controller
- "Data Subject" — The individual whose personal data is processed (end users, patients, students)
- "Personal Data" — Any information relating to an identified or identifiable natural person
- "Processing" — Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- "Sub-processor" — A third party engaged by TinyBridge to process personal data
2. Scope and Purpose of Processing
2.1 Categories of Data Subjects
- Caregivers, therapists, educators, and healthcare providers (account holders)
- Non-verbal individuals, patients, students, and clients (end users of choice boards)
2.2 Types of Personal Data Processed
- Account information (email, display name, profile photo)
- Photos captured or uploaded by the Data Controller
- Choice board content (labels, descriptions, configurations)
- Usage and interaction data (board usage, choice selections)
- Feedback submissions and technical logs
2.3 Purpose of Processing
TinyBridge processes personal data solely for the purpose of providing the Service as described in the Terms of Service, including:
- Creating and managing user accounts
- Storing and synchronizing choice boards
- Processing photos for AI-based item detection
- Generating and caching tile images
- Providing offline-first functionality and data sync
- Responding to support and feedback requests
3. Obligations of TinyBridge (Data Processor)
TinyBridge commits to the following obligations:
3.1 Lawful Processing
- Process personal data only on documented instructions from the Data Controller
- Not process personal data for any purpose other than providing the Service
- Inform the Data Controller if a legal requirement compels processing beyond the Controller's instructions
3.2 Confidentiality
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Limit access to personal data to those who need it to provide the Service
3.3 Security
We implement appropriate technical and organizational measures including:
- Encryption of data at rest and in transit (TLS/HTTPS)
- Per-user data isolation at the database and storage level
- Authentication via Google OAuth with secure session management
- Azure infrastructure with SOC 2 Type II compliance
- Regular security reviews and updates
3.4 Data Subject Requests
- Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Notify the Data Controller promptly of any data subject request received directly by TinyBridge
- Not respond directly to data subjects without the Data Controller's authorization, unless legally required
3.5 Breach Notification
- Notify the Data Controller of a personal data breach without undue delay and in any event within 48 hours of becoming aware of it
- Provide sufficient information for the Data Controller to meet its own breach notification obligations
- Cooperate with the Data Controller in investigating and mitigating the breach
3.6 Data Protection Impact Assessments
- Assist the Data Controller with data protection impact assessments (DPIAs) where required
- Provide information about our processing activities, security measures, and sub-processors as needed
3.7 Deletion and Return of Data
- Upon termination of the Service relationship or upon request, delete or return all personal data to the Data Controller
- Data will be exported in a structured, machine-readable format (JSON) upon request
- Deletion will be completed within 30 days, with backup data removed within 90 days
4. Sub-processors
The Data Controller authorizes TinyBridge to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, database, storage, authentication, email delivery | United States / Global |
| OpenAI | Photo analysis / item detection via Vision API | United States |
| Google (Gemini) | AI image generation for choice tiles | United States / Global |
| Google (OAuth) | User authentication | United States / Global |
Changes to Sub-processors
- TinyBridge will notify the Data Controller of any intended changes to sub-processors at least 30 days in advance
- The Data Controller may object to a new sub-processor within 14 days of notification
- If the objection cannot be resolved, the Data Controller may terminate the Service agreement
5. International Data Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, TinyBridge ensures appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs are in place with all sub-processors
- Supplementary measures: Encryption, access controls, and data minimization
- Transfer Impact Assessments: Conducted for each sub-processor to evaluate the legal framework of the destination country
6. Audit Rights
- The Data Controller has the right to audit TinyBridge's compliance with this DPA
- Audits may be conducted by the Data Controller or an independent third-party auditor
- TinyBridge will provide reasonable cooperation, access to relevant documentation, and responses to audit questionnaires
- Audits should be conducted with reasonable notice (at least 30 days) and during normal business hours
- TinyBridge may provide SOC 2 reports or equivalent certifications in lieu of on-site audits where appropriate
7. Obligations of the Data Controller
The Data Controller agrees to:
- Ensure a valid legal basis for processing personal data through the Service
- Provide appropriate privacy notices to data subjects
- Obtain necessary consents where required (especially for minors and vulnerable individuals)
- Not submit sensitive personal data (health data, biometric data) unless a BAA or equivalent agreement is in place
- Instruct TinyBridge in writing regarding any specific processing requirements
8. Term and Termination
- This DPA remains in effect for the duration of the Service relationship
- Obligations regarding data deletion, confidentiality, and security survive termination
- Either party may terminate this DPA upon 30 days' written notice
9. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable for damages caused by processing that infringes applicable data protection law.
10. How to Execute This DPA
Organizations that need a signed DPA can request one by contacting us:
- Email: info@tinybridge.ai
- Subject: "DPA Request"
- Include: Your organization name, contact person, and a brief description of your intended use
We will provide a counter-signed DPA within 10 business days.