Version 1.2 — Last updated: May 22, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Bluegrass Digital Advantage LLC, a Kentucky limited liability company ("Omnovo," "we," "us," or "Processor"), and the customer identified in the order form or subscription ("Customer" or "Controller") (each a "Party," together the "Parties") for the provision of the Omnovo platform and related services (the "Services"). This DPA reflects the Parties' agreement on the processing of Personal Data by Omnovo on behalf of Customer in connection with the Services.
To the extent there is any conflict between this DPA and the Omnovo Terms of Service, this DPA will control with respect to the processing of Personal Data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all privacy and data protection laws that apply to the processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any successor or equivalent legislation.
- "Controller," "Processor," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given in the GDPR (or the equivalent terms under other applicable Data Protection Laws such as "Business" and "Service Provider" under the CCPA).
- "Customer Data" means the Personal Data and other data that Customer (including its end users) submits to, or that Omnovo processes on behalf of Customer through, the Services.
- "Subprocessor" means any third party engaged by Omnovo to process Customer Data on Omnovo's behalf in connection with the Services.
2. Roles of the Parties
With respect to Customer Data processed under this DPA, Customer acts as the Controller (or, where Customer itself is a Processor for another Controller, as a Processor) and Omnovo acts as the Processor. Each Party will comply with its obligations under applicable Data Protection Laws.
3. Scope and Details of Processing
3.1 Subject matter and duration
The subject matter of the processing is the provision of the Services described in the Terms of Service. Processing continues for the term of the subscription and until Customer Data is deleted in accordance with Section 11.
3.2 Nature and purpose
Omnovo processes Customer Data to provide, operate, secure, monitor, and support the Services, including ingesting Customer's digital footprint, generating brand and content systems, deploying a website, distributing content, delivering analytics, and responding to support requests.
3.3 Categories of Data Subjects
- Customer's authorized users and administrators.
- Customer's own customers, prospects, and website visitors whose data Customer chooses to submit to the Services (e.g. leads, reviewers, contact form submissions).
- Individuals referenced in Customer-provided content.
3.4 Categories of Personal Data
- Account and contact information (name, email, phone, business details).
- Billing information (processed by Stripe; Omnovo does not store full card numbers).
- Business content (text, images, logos, brand materials).
- Lead and inquiry data submitted through Customer's Omnovo-hosted website.
- Reviews and social content associated with Customer's connected profiles.
- Third-party account credentials and tokens needed to operate the Services on Customer's behalf.
- Usage, diagnostic, and log data generated by use of the Services.
Omnovo does not intentionally process special categories of Personal Data (e.g. health, biometric, or government identifier data). Customer agrees not to submit such data to the Services except where expressly supported.
4. Omnovo's Obligations
4.1 Processing instructions
Omnovo will process Customer Data only on documented instructions from Customer, including as set out in the Terms of Service, this DPA, and Customer's use of the Services, unless required to do otherwise by applicable law (in which case Omnovo will inform Customer of that legal requirement in advance of processing unless the law prohibits such notice).
4.2 Confidentiality
Omnovo will ensure that personnel authorized to process Customer Data are subject to binding confidentiality obligations.
4.3 Security
Omnovo will implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex A (Security Measures).
4.4 Assistance
Taking into account the nature of the processing and the information available to Omnovo, Omnovo will provide reasonable assistance to Customer to help Customer meet its obligations under Data Protection Laws, including with respect to Data Subject requests, Personal Data Breach notifications, and data protection impact assessments.
5. Customer's Obligations
Customer represents and warrants that (a) it has all necessary rights, consents, and legal bases to provide Customer Data to Omnovo for processing under this DPA; (b) its instructions to Omnovo comply with applicable Data Protection Laws; and (c) it will provide required notices and obtain required consents from its own Data Subjects. Customer is responsible for the lawfulness of Customer Data and the accuracy, quality, and legality of the instructions it provides to Omnovo.
6. Subprocessors
6.1 General authorization
Customer grants Omnovo general authorization to engage Subprocessors to process Customer Data for the purpose of providing the Services, subject to the remainder of this Section.
6.2 Current Subprocessors
As of the "Last updated" date above, Omnovo engages the following Subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication, object storage | United States |
| Cloudflare, Inc. | CDN, DNS, TLS termination, tunnel ingress, Turnstile, Pages hosting, R2 object storage | Global edge |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Resend, Inc. | Transactional and notification email delivery | United States |
| Twilio, Inc. | SMS notifications and alerts | United States |
| OpenRouter (OpenRouter, Inc.) | Large language model routing for AI content generation (Your Brand, site copy, social, reviews, reports) | United States |
| Anthropic, PBC (via OpenRouter) | Underlying large language model provider routed through OpenRouter for AI inference (engaged as a sub-subprocessor under our agreement with OpenRouter) | United States |
| Spider (A11yWatch LLC / Spider.cloud) | Website crawling and content extraction during getting started | United States |
| Zernio | Social media publishing, review management, and OAuth integrations across connected platforms | United States |
| Porkbun LLC | Domain registration and DNS management on Customer's behalf (where applicable) | United States |
| Hetzner Online GmbH (operating US datacenter in Ashburn, VA) | Virtual private server hosting for the Omnovo application infrastructure | United States (Ashburn, VA) |
| Sentry (Functional Software, Inc.) | Application error and performance monitoring | United States |
| Umami (Umami Software, Inc.) | Privacy-focused website analytics for marketing site and customer dashboard | Self-hosted (United States — Hetzner VPS, Ashburn, VA) |
Omnovo will impose data protection and security obligations on each Subprocessor that are no less protective than those in this DPA.
6.3 Changes to Subprocessors
Omnovo will provide Customer with at least 30 days' prior notice of the addition or replacement of any Subprocessor (by updating this page or by email to the account contact). If Customer has a reasonable, documented objection based on data protection grounds, Customer may notify Omnovo in writing within the notice period; the Parties will work in good faith to resolve the objection, and if not resolved, Customer may terminate the affected Services as its sole remedy.
7. International Transfers
Omnovo processes Customer Data primarily in the United States. Where the Services are used to transfer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the Parties agree that the Standard Contractual Clauses issued by the European Commission (Module Two: Controller-to-Processor) and, for UK transfers, the UK International Data Transfer Addendum, are incorporated by reference and apply to such transfers. Customer acts as "data exporter" and Omnovo acts as "data importer." Docking option, Clause 7, and Clause 11 option are not adopted.
8. Personal Data Breaches
Omnovo will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Omnovo will cooperate with Customer and provide reasonable assistance to help Customer meet its own notification obligations under applicable Data Protection Laws.
9. Data Subject Requests
Taking into account the nature of the processing, Omnovo will provide reasonable assistance, through appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. If Omnovo receives a Data Subject request directly, Omnovo will promptly forward the request to Customer and will not respond directly except at Customer's direction or as required by law.
10. Audits
Omnovo will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will, upon reasonable prior written notice and no more than once per calendar year (unless an audit is required due to a Personal Data Breach or is mandated by a supervisory authority), allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer. Audits will be conducted during normal business hours, subject to confidentiality obligations, and in a manner that does not unreasonably interfere with Omnovo's operations.
11. Return and Deletion of Customer Data
Upon termination or expiration of the Services, or earlier upon Customer's written request, Omnovo will (at Customer's choice) delete or return all Customer Data, and delete existing copies, unless retention is required by applicable law. Omnovo's standard offboarding flow generates a site export (static HTML archive) and a data export (CSV/JSON) retrievable via time-limited presigned URL, followed by tenant archival and hard-delete after a 30-day recovery window. Backups may be retained on standard rotation for up to 30 days after deletion, after which they are overwritten in the ordinary course.
12. Liability
The liability of each Party under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either Party's liability to Data Subjects under applicable Data Protection Laws.
13. Term and Termination
This DPA takes effect on the date Customer accepts the Terms of Service (or this DPA, if later) and remains in effect until the later of (a) termination or expiration of the Services and (b) deletion of all Customer Data in accordance with Section 11.
14. Governing Law
This DPA is governed by the laws of the Commonwealth of Kentucky, USA, without regard to its conflict of laws principles, except that the Standard Contractual Clauses referenced in Section 7, where applicable, are governed by the law specified in those Clauses.
15. Changes to this DPA
Omnovo may update this DPA from time to time to reflect changes in applicable law, Subprocessors, or business practices. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by email to the account contact. Continued use of the Services after such an update constitutes acceptance of the updated DPA.
Annex A — Security Measures
Omnovo maintains the following technical and organizational measures to protect Customer Data:
- Network security: All customer-facing traffic terminates at Cloudflare with TLS 1.2+. Application services run behind a Cloudflare Tunnel; no application ports are exposed to the public internet.
- Access control: Multi-factor authentication on all administrative accounts. Least-privilege role-based access. Supabase Row Level Security enforces tenant isolation at the database layer.
- Encryption: Data in transit is encrypted using TLS. Data at rest is encrypted by the underlying database (Supabase) and object storage (Cloudflare R2, Supabase Storage). Third-party integration credentials are encrypted at the application layer using pgcrypto before storage.
- Tenant isolation: Every privileged database row includes a tenant identifier enforced by RLS. Every write flows through a Command framework that performs authentication, authorization, and audit logging before touching the database.
- Audit logging: All privileged mutations (creates, updates, deletes, state transitions) are recorded in an append-only audit log with actor, tenant, command, and outcome metadata.
- Change management: All production changes go through version control, CI-based validation, and peer or automated review before deployment. Database migrations are additive only.
- Monitoring and incident response: Application errors and performance metrics are tracked in Sentry. Uptime is monitored by an independent uptime service. Security and availability incidents follow a documented runbook with defined severity levels and response times.
- Backups: Supabase-managed automated backups with point-in-time recovery. Backup retention aligns with the Section 11 deletion window.
- Personnel: All personnel with access to Customer Data are bound by written confidentiality obligations and receive training on secure handling of Personal Data.
- Vendor management: Subprocessors are reviewed before engagement for security posture, data protection commitments, and suitability for the processing in question.
Contact
Questions about this DPA may be directed to: privacy@omnovo.com