Data Processing Agreement (DPA)
Last updated: 2026-04-19
This DPA applies when ContractCheck (the "Processor") processes personal data on behalf of your organization (the "Controller") — typically Team and Enterprise customers. Signing up to a business plan constitutes acceptance of this DPA.
1. Definitions
"Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings set out in Article 4 of the EU GDPR and in Article 2 of the Taiwan Personal Data Protection Act.
"Service" means the ContractCheck contract-review, lifecycle-tracking, and related features provided to Controller.
2. Scope of processing
Processor processes Personal Data only on documented instructions from Controller, for the purpose of providing the Service (contract risk flagging, deadline reminders, verbal-promise reconciliation).
Duration: the lifetime of Controller's account. Categories of data: employee email addresses, and any Personal Data contained in uploaded contracts (names, company names, government IDs, compensation figures, etc., depending on Controller's content).
3. Security measures
Processor implements: TLS 1.3 in transit, AES-256 at rest, pgcrypto on sensitive columns, Supabase Row Level Security at the database layer, least-privilege admin tooling, audit logs retained for 90 days, and quarterly penetration tests.
Admin access to customer data is permitted only through a gated review process, for limited purposes (data-subject requests, debugging), with tamper-resistant audit trails.
4. Sub-processors
Processor engages the following sub-processors: Anthropic (USA, AI analysis, Zero Retention), Supabase (Singapore, data storage), Vercel (global CDN, static assets only), Resend (USA, email delivery), and Lemon Squeezy (USA, payments and tax, Merchant of Record model).
Any new sub-processor will be announced 30 days in advance. Controller may reasonably object within 30 days of that notice and terminate the DPA with a pro-rata refund.
5. International transfers
Certain sub-processors are based in the USA or Singapore. Transfers rely on the EU Standard Contractual Clauses (Chapter V GDPR) with supplementary technical measures (encryption, pseudonymization).
Under Taiwan PDPA, cross-border transfers are not currently restricted by the competent authority. If Controller has jurisdiction-specific restrictions, please notify us before signing.
6. Data-subject rights
Processor will assist Controller within 72 hours in responding to data-subject requests (access, rectification, deletion, portability). Technically, Controller can export or delete all data directly from the account page — no intervention required.
7. Breach notification
If Processor becomes aware of a security incident leading to unauthorized disclosure, loss, access, or alteration of Personal Data, Processor will notify Controller's data-protection contact by email within 72 hours with an incident summary, impact scope, and remediation actions.
8. Audit rights
Controller may, once per year (or after an incident), request the most recent SOC 2 / ISO 27001 report. For cause, Controller may commission an independent auditor to conduct an on-site audit at Controller's expense, with 30 days' notice, provided other customers' data confidentiality is preserved.
9. Return and deletion
Upon termination, Processor will return or delete Personal Data per Controller's instructions within 30 days, including backups (purged within 72 hours). Processor will not retain any copies unless legally compelled.
10. Liability
Each party is responsible, in proportion to its fault, for any regulatory fines or data-subject claims caused by its breach of this DPA. Aggregate liability is subject to Section 8 (Limitation of liability) of the main Terms of Service.
11. Contacts
Processor's data-protection contact: privacy@usecontractcheck.com. Incident reports: security@usecontractcheck.com.
For an enterprise-grade standalone DPA addendum (PDF), contact sales@usecontractcheck.com.