Data Processing Addendum

Last Updated: January 2025

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service.

1. Processor Relationship

1.1 Provider as Processor. You are the Controller and PreVend is the Processor with respect to any Personal Data you provide in connection with the Service.

1.2 Provider as Subprocessor. In situations where you are a Processor of the Personal Data, PreVend will be deemed a Subprocessor of the Personal Data.

2. Processing

2.1 Processing Details. We process your email address and vendor names you submit solely to provide the Service. Processing includes storage, analysis, and delivery of Reports.

2.2 Processing Instructions. You instruct PreVend to Process Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through your use of the Service; (c) as documented in the Terms of Service; and (d) as documented in any other written instructions given by you and acknowledged by PreVend. PreVend will abide by these instructions unless prohibited from doing so by Applicable Laws. PreVend will immediately inform you if it is unable to follow the Processing instructions.

2.3 Processing by Provider. PreVend will only Process Personal Data in accordance with this DPA. If PreVend updates the Service to include new products, features, or functionality, PreVend may update the categories of data processed as needed by notifying you of the updates.

2.4 Duration. We process data only on your instructions and for the duration of your subscription. Upon termination, we will delete your personal data within 90 days, or immediately upon your request.

2.5 Consent to Processing. You have complied with and will continue to comply with all Applicable Data Protection Laws concerning your provision of Personal Data to PreVend, including making all disclosures, obtaining all consents, and implementing relevant safeguards required under Applicable Data Protection Laws.

3. Security Measures

3.1 Security Obligations. We will:

  • Process data only as instructed by you
  • Ensure personnel are bound by confidentiality
  • Implement commercially reasonable administrative, technical, and physical safeguards as described in Section 2 of the Terms of Service
  • Assist you in responding to data subject requests
  • Notify you without undue delay, but no later than 72 hours after becoming aware of any Security Incident
  • Delete or return data upon termination or upon your request, except where retention is required to comply with applicable legal obligations (such as tax or audit requirements), in which case we will retain only the minimum data necessary for the shortest period legally required

3.2 Security Incident Response. Upon becoming aware of any Security Incident, PreVend will: (a) notify you without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by you; and (c) promptly take reasonable steps to contain and investigate the Security Incident.

4. Subprocessors

4.1 Approved Subprocessors. We use the following subprocessors: Stripe (payment processing) and Gmail (email communications). By using the Service, you authorize our use of these subprocessors.

4.2 Notice of Changes. PreVend will inform you at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors, whether by addition or replacement of a Subprocessor. You have 30 days after notice of a change to object, otherwise you will be deemed to accept the changes.

4.3 Subprocessor Agreements. When engaging a Subprocessor, PreVend will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Terms of Service.

4.4 Liability. PreVend remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Personal Data.

5. International Data Transfers

5.1 Authorization. You agree that PreVend may transfer Personal Data to the United States as necessary to provide the Service. PreVend will implement appropriate safeguards for the transfer of Personal Data consistent with Applicable Data Protection Laws.

5.2 Standard Contractual Clauses. If the GDPR or UK GDPR protects the transfer of Personal Data and the transfer is not governed by an adequacy decision, the parties agree to execute Standard Contractual Clauses as required by applicable law upon your request.

6. Audit Rights

6.1 Information Provision. PreVend will provide you with all information reasonably necessary to demonstrate compliance with this DPA upon written request, subject to confidentiality obligations.

6.2 Security Questionnaires. PreVend will respond to reasonable requests for information made by you to confirm PreVend's compliance with this DPA, including responses to information security and due diligence questionnaires. Such requests may only be made once per year.

7. Data Subject Rights

7.1 Assistance with Requests. If PreVend receives any inquiry or request from a data subject about the Processing of Personal Data, PreVend will notify you about the request and will not respond to the request without your prior consent, unless required by law.

7.2 Data Subject Rights Support. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of your providing of Personal Data to PreVend, PreVend will assist you in fulfilling the request according to the Applicable Data Protection Law.

7.3 Impact Assessments. If required by Applicable Data Protection Laws, PreVend will reasonably assist you in conducting any mandated data protection impact assessments, taking into consideration the nature of the Processing and Personal Data.

8. Data Deletion

8.1 Deletion by Customer. PreVend will enable you to delete Personal Data in a manner consistent with the functionality of the Service.

8.2 Deletion at DPA Expiration. After this DPA expires, PreVend will delete Personal Data within 90 days unless further storage of Personal Data is required or authorized by Applicable Law.

9. Limitation of Liability

9.1 Liability Caps. To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Terms of Service.

9.2 Exceptions. This DPA does not limit any liability to an individual about the individual's data protection rights under Applicable Data Protection Laws.

10. Definitions

"Applicable Laws" means the laws, rules, regulations, and court orders that apply to or govern a party.

"Applicable Data Protection Laws" means the Applicable Laws that govern how the Service may process an individual's personal information or personal data.

"Controller" means the entity that determines the purpose and extent of Processing Personal Data.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" or "Process" means any operation performed on Personal Data, including collection, storage, use, and deletion.

"Processor" means the entity that Processes Personal Data on behalf of the Controller.

"Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

"Subprocessor" means an entity that assists the Processor in Processing Personal Data on behalf of the Controller.