Data Processing Agreement

How we handle and protect your clients' data as your trusted data processor.

Last updated: April 10, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between BINARY BRAIN TECHNOLOGIES SP. Z O.O. (“Processor”, “we”) and the customer (“Controller”, “you”) using Declario.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on Personal Data
  • “Sub-processor” means any third party engaged by us to process Personal Data
  • “Data Subject” means the individual to whom Personal Data relates
  • “GDPR” means Regulation (EU) 2016/679

2. Scope and Purpose

  • We process Personal Data on your behalf to provide the Declario service
  • Categories of data: client contact information, proposal content, engagement tracking data
  • Data subjects: your clients (proposal recipients), your team members
  • Processing activities: storage, analytics, email notifications, proposal rendering

3. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in fulfilling data subject rights requests
  • Delete or return Personal Data upon termination of the service
  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by you or your auditor

4. Security Measures

  • Encryption at rest (AES-256 via Supabase)
  • Encryption in transit (TLS 1.2+)
  • Row-level security for workspace data isolation
  • IP address hashing (SHA-256) for tracking data
  • Regular access reviews and security updates
  • Incident detection and response procedures

5. Sub-processors

Current sub-processors:

  • Supabase Inc. (EU region) — database, authentication, file storage
  • Vercel Inc. — application hosting, edge functions
  • Paddle.com Market Ltd — payment processing
  • Resend Inc. — transactional email delivery
  • Anthropic PBC — AI content generation (proposal text assistance)

We will notify you before adding or replacing sub-processors. You may object within 30 days.

6. International Data Transfers

  • Primary data processing occurs in the EU (Supabase EU region)
  • Data is transferred outside the EU/EEA to: Resend Inc. (US) and Anthropic PBC (US)
  • For all international transfers, we ensure appropriate safeguards:
    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Adequacy decisions where applicable

7. Data Subject Rights

We will assist you in responding to data subject requests including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Response timeline: within 72 hours of receiving your request.

8. Data Breach Notification

  • We will notify you of any Personal Data breach without undue delay, and no later than 48 hours after becoming aware
  • Notification will include: nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, measures taken

9. Data Retention and Deletion

  • We retain Personal Data for the duration of the service agreement
  • Upon termination: data is deleted within 30 days
  • Tracking/analytics data: automatically purged after 2 years
  • Backups: purged within 90 days of account deletion

10. Audit Rights

  • You may audit our compliance with this DPA once per year
  • Audits require 30 days' written notice
  • We will provide reasonable cooperation and access to relevant documentation

11. Liability

  • Our liability under this DPA is subject to the limitations set out in the Terms of Service
  • Each party is liable for damages caused by processing that infringes the GDPR

12. Term and Termination

  • This DPA is effective for the duration of your use of Declario
  • Obligations regarding data deletion survive termination

13. Contact

Data Protection inquiries:

BINARY BRAIN TECHNOLOGIES SP. Z O.O.

NIP: 7133142056

Email: hello@declario.app

Questions about this DPA? Please contact us.
