OSP.net legal
Data Processing Addendum
Last updated: June 13, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Learning Science, Inc., 7027 West Broward Blvd, Plantation, FL 33317, which operates OSP.net (“OSP.net”, the “Processor”) and the Customer (the “Controller”), and applies to the extent OSP.net processes personal data contained in Customer Content on the Customer’s behalf.
1. Roles and scope
For account and billing data (your email, subscription state), OSP.net is an independent controller as described in the Privacy Policy. For Customer Content — the contents of your agent’s memory volume, conversation sessions, files, and the credentials you store — OSP.net acts as a processor: we host, transmit, and secure that data solely to provide the Service and only on your documented instructions (the Terms, your dashboard configuration, and your agent’s operation are those instructions).
Important carve-out: the AI model provider and the messaging channel are services you select and contract with directly, using your own keys. They process Customer Content as your direct providers (or as independent controllers per their terms) — they are not OSP.net subprocessors, and OSP.net is not responsible for their processing.
2. Details of processing
- Subject matter / nature: hosting and operating an isolated AI agent instance; storage and transmission of agent memory and configuration; encrypted storage of credentials.
- Duration: the subscription term plus the retention windows in Privacy Policy §5.
- Data subjects / categories: determined by the Customer — typically the Customer and the people whose information the Customer or their agent processes (contacts, correspondents). The Customer must not submit special-category or regulated data (e.g. PHI under HIPAA) — the Service is not offered for such data.
3. Processor obligations
OSP.net will: (a) process Customer Content only to provide the Service; (b) ensure personnel with access are bound by confidentiality; (c) implement the technical and organizational measures in Section 6; (d) assist the Controller, taking into account the nature of processing, with data-subject requests and with security/breach obligations; (e) delete Customer Content per Privacy Policy §5 on termination or verified request; and (f) make available information reasonably necessary to demonstrate compliance, and allow audits as required by applicable law (satisfied where possible by documentation and third-party reports of our subprocessors).
4. Subprocessors
The Controller gives general authorization for the following subprocessors. We will post changes to this list at least 14 days before a new subprocessor processes Customer Content; if you object on reasonable data-protection grounds and we cannot accommodate, you may cancel per the Terms.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, encrypted secrets vault (Vault), serverless functions | USA (AWS us-east-1) |
| DigitalOcean, LLC | Compute (servers running tenant instances), container registry, object storage | USA (NYC region) |
| Stripe, Inc. | Payment processing, subscription billing, tax | USA |
| Cloudflare, Inc. | DNS for osp.net and tenant subdomains | USA / global network |
| Resend, Inc. | Transactional email (sign-in links, service notices) | USA (us-east-1) |
Customer-directed services that are not subprocessors (you select and contract with them directly): your AI model provider (e.g. Anthropic, OpenRouter, Groq, Ollama) and your messaging channel (e.g. Telegram).
5. International transfers
Processing occurs in the United States. Where the Controller is subject to EU/UK data-protection law, the parties agree that the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum are incorporated by reference with the details in Sections 2 and 4. [Counsel to confirm SCC incorporation mechanics and annexes before launch.]
6. Security measures
- Per-tenant container isolation with per-tenant private networks; no inbound ports on tenant containers.
- Row-level security on all customer-readable database tables.
- Credentials encrypted at rest in Supabase Vault; injected into the instance only at container start; never written to plaintext columns, images, or logs.
- TLS for all traffic in transit; wildcard certificates managed automatically.
- Least-privilege operational access; secrets held in managed secret stores, not in code.
- Volume snapshots before fleet upgrades; rolling deletion of aged backups.
7. Breach notification
OSP.net will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Content, with the information reasonably available about its nature, scope, and mitigation.
8. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms. If this DPA conflicts with the Terms regarding the processing of personal data, this DPA controls.