Data Processing Agreement

Last updated: 25 May 2026

This Data Processing Agreement ('DPA') forms part of the Business Terms between RFP Genius ApS ('Processor') and the Customer ('Controller') and governs Processor's processing of Personal Data on Controller's behalf in connection with the Service.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). 'Personal Data', 'Processing', 'Controller', 'Processor', 'Sub-processor', and 'Data Subject' have the meanings in Article 4 GDPR.

2. Subject Matter & Duration

Processor processes Personal Data solely to provide the Service to Controller, for the duration of the subscription plus any post-termination export window described in the Business Terms.

3. Nature & Purpose of Processing

Hosting, indexing, retrieval, AI-assisted drafting, collaboration, and export of Controller's RFP and knowledge-base content. Categories of Personal Data are limited to business-contact information of Controller's users (name, work email, role) and any personal data Controller chooses to upload within documents.

4. Controller Instructions

Processor processes Personal Data only on documented instructions from Controller, including the Order Form, the configured workspace settings, and these terms. Processor will inform Controller if an instruction infringes applicable data-protection law.

5. Data Isolation

Each Controller's data resides in a logically isolated tenant with workspace-scoped encryption keys. Cross-tenant access is technically prevented; no Controller's data is ever served to or visible to another Controller.

Single-tenant deployments additionally isolate database, compute, and vector storage at the infrastructure level.

6. No Use for Model Training

Processor will not use Personal Data, Customer Data, prompts, or outputs to train, fine-tune, or evaluate any large language model or other AI model. Processor's agreements with AI sub-processors (model providers) contractually prohibit training on Controller content, and Processor uses 'zero-retention' or equivalent endpoints wherever the provider offers them.

7. Data Residency

Controller selects the storage and processing region at workspace creation:

  • EU (default for EEA customers) — Frankfurt / Stockholm
  • US — Virginia / Oregon
  • APAC — Singapore / Sydney

Personal Data is stored and processed only in the chosen region. Transfers outside the chosen region occur only when Controller exports data, when Controller explicitly enables a feature that requires it, or where Processor is legally compelled to disclose it. For any such international transfer, Processor relies on Standard Contractual Clauses (Module Two) and applicable supplementary measures.

8. Sub-processors

Processor maintains a current list of authorised sub-processors (cloud hosting, model providers, observability). Processor will give Controller at least 30 days' notice before adding or replacing a sub-processor, during which Controller may object on reasonable data-protection grounds.

All sub-processors are bound by written agreements imposing data-protection obligations no less protective than this DPA, including the no-training commitment in Section 6.

9. Security Measures

Processor implements appropriate technical and organisational measures (Annex II), including: encryption in transit (TLS 1.2+) and at rest (AES-256), MFA for production access, least-privilege RBAC, audit logging, vulnerability management, secure SDLC, and annual penetration testing.

10. Personnel

Personnel authorised to process Personal Data are bound by confidentiality obligations and trained in data protection.

11. Data Subject Rights

Processor will assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate self-service tools and, where necessary, reasonable technical assistance.

12. Personal Data Breach

Processor will notify Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach, providing the information Controller needs to meet its own notification obligations.

13. Audits

Processor will make available the most recent SOC 2 Type II and ISO 27001 reports. Where these are insufficient to demonstrate compliance, Controller may conduct an audit (or instruct a qualified third party) no more than once per year on reasonable notice.

14. Return & Deletion

For 30 days after termination, Controller may export all Personal Data. After that export window closes, Processor deletes or anonymises Personal Data within 60 days; copies held in backups roll off within 90 days.

15. Liability & Order of Precedence

Liability under this DPA is governed by the Business Terms. In case of conflict, this DPA prevails over the Business Terms with respect to processing of Personal Data.

This is a placeholder draft — not legal advice. Final wording will be reviewed by counsel before any commercial use. For a signed copy on company paper, contact legal@rfpgenius.com.