Data Processing Addendum

1. What I Process

Account information: Your name, email address, and payment details.

Vendor documents: The contract documents you send me (order forms, MSAs, DPAs, etc.). These are business documents between you and your vendor. They typically don't contain personal data, but if they do, I process it solely to analyze the contract and deliver your report.

2. How I Use It

I use your account information to deliver reports, communicate with you, and process payments. I don't sell your information or use it for any other purpose.

3. Subprocessors

I use the following service providers:

• Stripe (payment processing)
• Google Workspace (email communications)
• Supabase (document storage, US region)
• OpenAI (contract analysis)

I'll give you 10 business days' notice before adding a new subprocessor. You can object within 30 days; if we can't resolve your concern, you can terminate your subscription.

4. Security

I maintain commercially reasonable administrative, technical, and physical safeguards. If I discover a security incident affecting your data, I'll notify you within 72 hours.

5. Data Deletion

When you cancel your subscription, I delete your account information within 90 days unless I'm legally required to retain it. You can request earlier deletion at any time.

6. International Transfers

Your data may be processed in the United States. If required by GDPR or UK GDPR, Standard Contractual Clauses apply.

7. Your Rights

If you have questions about your data or want to exercise data subject rights, email me at robin@prevend.ai.