Privacy & GDPR posture

The departing employee's data, treated like the asset it is.

Continuity processes deeply personal information — work email, Slack history, calendars, files. Here's exactly how we handle it, what we don't touch, and what rights everyone retains. Written plainly. No buried clauses.

Roles

Who is responsible for what

You (the employer) are the data controller. You decide what to capture, from whom, for what purpose, and how long to keep it. Continuity is the data processor. We act only on your documented instructions, under a signed Data Processing Agreement (DPA) that we provide and you sign before the first capture session begins.

Legal basis for processing

GDPR Article 6

Two bases run in parallel:

  • Consent (Art. 6(1)(a)): The departing employee signs a specific, informed, and freely given consent before Day 2. It covers exact data sources, scope window, retention, and rights. They can withdraw at any time — partial withdrawal is supported per data source.
  • Legitimate interest (Art. 6(1)(f)): Business continuity and organizational knowledge preservation are documented as legitimate interests. We perform and share with you a Legitimate Interest Assessment (LIA) on request.

Where the departing employee's data includes third parties (the people in their inbox), legitimate interest is the basis, balanced against those third parties' expectations of confidentiality. We mitigate via the scoping rules below.

What we actually access

Scoping is the whole game

Every capture defines a scope window — by default the 60 calendar days prior to the start of capture, plus the notice period itself. Anything older is invisible to us.

Within that window, with the employee's consent and your authorization, we read:

  • Work email (read-only via OAuth — Google Workspace, M365)
  • Calendar (read-only)
  • Slack / Teams DMs and channels the employee participates in
  • Files in Drive / Notion / Confluence that the employee touched in the window

We do not access:

  • Personal email, personal calendars, personal devices
  • Any data outside the consented scope window
  • Other employees' private DMs or files (only what surfaces in the captured employee's view)
  • HR files, salary records, performance reviews, medical, demographic data

Special category data

GDPR Article 9

If captured data inadvertently contains special category data (health, ethnicity, political views, etc.), our extraction pipeline detects and redacts it before it lands in the role's knowledge base. The employee sees the redactions during the review phase and can confirm or override.

Retention & deletion

Default is 90 days post-handover

  • Raw capture data (transcripts, observed email/Slack content): deleted 90 days after handover, by default. Configurable per contract.
  • Compiled role knowledge (the SOPs, decision rules, the successor agent): retained for the contracted term. Belongs to you, the controller. You can export or delete on demand.
  • The departing employee can request deletion of personal data at any time. We deliver within 30 days, with a written confirmation.
  • Backups: 30-day rolling, encrypted at rest. Deletion requests propagate to backups on the next cycle.

Data residency & international transfers

Where the data physically lives

Today (private beta): all capture data is processed and stored in our US region (Washington DC). For customers with EU residency requirements, a dedicated EU region (Frankfurt) is available on the Enterprise tier with explicit contractual scope.

Where transfers occur (e.g., to sub-processors), we rely on Standard Contractual Clauses (SCCs) and a documented Transfer Impact Assessment per Schrems II.

Sub-processors

Who we work with and what they do

  • Anthropic: LLM inference (Claude); US (Zero retention via API)
  • AWS: Compute, storage, backups; EU & US regions, customer-selectable
  • Cloudflare: Edge / CDN / DDoS protection; Global edge, no data at rest
  • Vercel: Marketing site hosting only — no customer data; US

We notify controllers of any sub-processor changes 30 days in advance. An up-to-date list is always available on this page.

Data subject rights

What employees can do, always

  • Access: Receive a copy of everything captured about them in machine-readable form, within 30 days.
  • Rectification: Correct any inaccurate captured data. The role's knowledge base updates within 24 hours.
  • Erasure: Delete personal data. Within 30 days, propagating to backups within 60.
  • Portability: Export captured data as JSON.
  • Objection: Stop the capture or withdraw consent mid-process, per source.
  • Automated decision-making: The successor agent is decision-support, not decision-making. Material decisions remain with humans at the controller.

Requests: book a 20-min call and we'll take it from there. Acknowledged within 5 working days, resolved within 30 days max.

Security measures

Technical & organizational

  • Encryption: TLS 1.3 in transit, AES-256 at rest.
  • Per-tenant data isolation. No cross-tenant model training, ever.
  • OAuth scopes always minimum-viable and read-only. No write access to source systems.
  • Access logs retained 12 months. Customer-accessible on request.
  • SSO via SAML / OIDC for enterprise plans.
  • SOC 2 Type I: target Q4. Type II: 12 months following. ISO 27001 evaluation in parallel.
  • Annual penetration test by an independent firm. Report shareable under NDA.

Breach notification

GDPR Article 33

If a personal data breach occurs, we notify you (the controller) without undue delay and within 72 hours of becoming aware. The notification includes the nature of the breach, the categories and approximate number of subjects affected, a contact for further information, and remediation measures.

Children & special protections

Out of scope by design

Continuity is not designed for or directed at individuals under 16. The platform processes data on professional employees in their professional context only.

Buyers running due diligence: we provide a full DPA, sub-processor list, security questionnaire (CAIQ + SIG Lite), and Legitimate Interest Assessment under NDA. Book a 20-min call and we'll send the pack within one business day.