Data Processing Agreement

Last updated: February 10, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Pact ("Processor," "we," "us") and you ("Controller," "Customer") and governs the processing of personal data by Pact on behalf of the Customer.

This DPA reflects the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by Pact to process Personal Data
  • "Customer Data" means Personal Data that Customer uploads to or creates using the Services

3. Scope and Roles

3.1 Customer as Controller: Customer is the data controller for Customer Data and determines the purposes and means of processing.

3.2 Pact as Processor: Pact processes Customer Data only as a data processor on behalf of Customer, in accordance with Customer's documented instructions.

3.3 Scope of Processing: The subject matter, nature, purpose, duration, and categories of data are described in Annex 1.

4. Customer Obligations

Customer represents and warrants that:

  • It has obtained all necessary consents and authorizations to provide Customer Data to Pact
  • Its instructions to Pact comply with applicable data protection laws
  • It has provided adequate notice to Data Subjects about processing
  • Customer Data does not include special categories of personal data unless expressly agreed

5. Processor Obligations

Pact shall:

  • Process Customer Data only on documented instructions from Customer
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to Data Subject requests
  • Assist Customer in meeting GDPR obligations (security, breach notification, DPIAs)
  • Delete or return Customer Data upon termination, at Customer's choice
  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by Customer or an auditor

6. Security Measures

Pact implements and maintains appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience
  • Regular testing and evaluation of security measures
  • Access controls and authentication requirements
  • Employee security training
  • Incident detection and response procedures

7. Sub-processors

7.1 Authorization: Customer provides general authorization for Pact to engage sub-processors. Current sub-processors are listed in Annex 2.

7.2 Notice: Pact will notify Customer of any intended changes to sub-processors at least 30 days in advance.

7.3 Objection: Customer may object to a new sub-processor by notifying Pact within 14 days. If the objection cannot be resolved, Customer may terminate the affected Services.

7.4 Liability: Pact remains liable for sub-processors' compliance with this DPA.

8. Data Transfers

8.1 Transfer Mechanisms: For transfers of Personal Data outside the EEA, Pact relies on:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other lawful transfer mechanisms as applicable

8.2 SCCs: Where SCCs apply, they are incorporated by reference into this DPA.

9. Data Subject Rights

Pact will assist Customer in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). Pact will promptly notify Customer of any request received directly from a Data Subject.

10. Data Breach Notification

10.1 Notification: Pact will notify Customer without undue delay (and within 48 hours where feasible) after becoming aware of a Personal Data breach affecting Customer Data.

10.2 Information: Notification will include the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed.

11. Audit Rights

Upon reasonable notice and subject to confidentiality obligations, Customer or its appointed auditor may audit Pact's compliance with this DPA. Pact will contribute to such audits and provide relevant information. Audits shall not unreasonably disrupt Pact's operations.

12. Term and Termination

This DPA remains in effect for the duration of the Services agreement. Upon termination:

  • Pact will delete or return Customer Data within 30 days, at Customer's choice
  • Pact may retain Customer Data where required by law
  • Provisions that should survive termination will remain in effect

Annex 1: Processing Details

Subject Matter: Provision of AI-powered contract analysis and legal operations services

Duration: For the term of the Services agreement

Nature and Purpose: Analysis, storage, and processing of legal documents to provide contract review, compliance scanning, and negotiation assistance

Categories of Data: Names, contact information, business information, and content contained in uploaded legal documents

Categories of Data Subjects: Customer employees, Customer's clients and business partners as referenced in uploaded documents

Annex 2: Sub-processors

Current authorized sub-processors:

  • Supabase Inc. - Database hosting and authentication (USA)
  • Vercel Inc. - Application hosting (USA)
  • Render Services Inc. - API hosting (USA)
  • Stripe Inc. - Payment processing (USA)
  • OpenAI LLC - AI processing (USA)

Contact

For DPA-related inquiries, contact: dpa@closepact.com