Draft
Data Processing Agreement
How we process customer data on your behalf when you use The GovCon Advisor.
Last updated: TBD
1. Definitions
Customer — the contracting business using the platform.
Customer Data — all documents, account information, workspace data, and other information the Customer or its authorized users upload to or generate within the platform.
Personal Data — any Customer Data that identifies or can be used to identify a natural person.
Controller — the Customer, who determines the purposes and means of processing Personal Data.
Processor — The GovCon Advisor, which processes Personal Data on the Customer's behalf.
Sub-processor — any third party engaged by the Processor to process Personal Data on the Customer's behalf.
Placeholder: Add any jurisdictional definitions counsel recommends (e.g., GDPR-specific terms if you serve EU customers, CCPA-specific terms if you serve California businesses).
2. Roles and scope
The Customer is the Controller of Customer Data. The GovCon Advisor is the Processor and processes Customer Data only on the Customer's documented instructions, as set out in this DPA, the Terms of Service, and the Customer's use of the platform.
3. Subject matter, duration, nature, and purpose
- Subject matter: processing of Customer Data necessary to provide the platform's compliance analysis features.
- Duration: the period of the Customer's subscription, plus any agreed retention period after termination.
- Nature: storage, AI-based analysis (via Anthropic Claude), search, retrieval, transmission, and deletion of Customer Data.
- Purpose: providing the platform's features to the Customer, including running compliance analyses on Customer-uploaded documents.
4. Categories of data and data subjects
The categories of Personal Data processed under this DPA may include:
- Account holders' names, email addresses, and authentication credentials.
- Names, titles, and compensation information of the Customer's employees included in incurred cost submissions or related documents.
- Names of the Customer's contractors, subcontractors, and other counterparties referenced in uploaded documents.
- Any other Personal Data the Customer chooses to upload as part of its compliance documentation.
Placeholder: If you anticipate processing sensitive or special-category data (e.g., Social Security Numbers in payroll documents), call it out here and add the corresponding safeguards in Section 6.
5. Sub-processors
The Customer authorizes The GovCon Advisor to engage the following Sub-processors to process Customer Data:
- Clerk (authentication and identity)
- Supabase (database and document storage)
- Anthropic (Claude AI model used to analyze uploaded documents)
- Stripe (payment processing)
- Resend (transactional email)
- Vercel (application hosting)
Placeholder: Add language about how you notify the Customer of new Sub-processors (typical: 30-day notice via in-app banner and email; Customer may object). Link to a maintained Sub-processor list giving each Sub-processor's website and jurisdictional location.
6. Security measures
The GovCon Advisor implements the following technical and organizational measures to protect Customer Data:
- Encryption in transit (TLS 1.2+) for all connections to and within the platform.
- Encryption at rest (AES-256) for all database and document storage.
- Tenant isolation at the database layer (row-level security policies scope every query to the requesting user's organization).
- Authentication via Clerk with support for SSO and MFA.
- Role-based access controls within each Customer workspace.
- Routine security review of code changes and dependencies.
Placeholder: Add specific compliance certifications (SOC 2 Type II, FedRAMP) once obtained. Add: incident response process, access logging, vulnerability disclosure policy.
7. Data subject rights
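To make the tenant-isolation measure above concrete for reviewers, the following is an added illustration of a Postgres row-level security policy of the kind the measure describes. It is not the platform's own schema or policy. It assumes a Supabase-style Postgres database and a JWT that carries an organization identifier in a claim named org_id (a hypothetical claim name; the real claim and table names will differ).

```sql
-- Added illustration (not the platform's actual schema or policy): how a
-- Postgres row-level security policy scopes every query to one organization.
-- Assumptions: Supabase-style Postgres; the application's JWT carries an
-- "org_id" claim (hypothetical claim name) readable via auth.jwt().

create table documents (
  id          bigserial primary key,
  org_id      uuid not null,          -- the tenant that owns the row
  name        text not null,
  uploaded_by text not null,
  created_at  timestamptz not null default now()
);

-- 1. Policies do nothing until RLS is switched on for the table.
alter table documents enable row level security;

-- 2. Apply the policies to the table owner as well, so a migration or
--    admin session connected as the owner does not silently read across tenants.
alter table documents force row level security;

-- 3. One policy per command. USING filters the rows a statement may see or
--    touch; WITH CHECK rejects writes that would place a row in another tenant.
create policy documents_select on documents for select
  using (org_id = (auth.jwt() ->> 'org_id')::uuid);

create policy documents_insert on documents for insert
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

create policy documents_update on documents for update
  using (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

create policy documents_delete on documents for delete
  using (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- 4. Isolation check for a migration or test session: auth.jwt() reads the
--    request.jwt.claims setting, so set it to each tenant's claims in turn and
--    confirm each sees only its own rows (placeholder UUIDs, constructed here).
-- select set_config('request.jwt.claims', '{"org_id":"<tenant A uuid>"}', true);
-- select count(*) from documents;   -- expect only tenant A's rows
-- select set_config('request.jwt.claims', '{"org_id":"<tenant B uuid>"}', true);
-- select count(*) from documents;   -- expect only tenant B's rows
```

Two caveats a reviewer would raise against a measure worded like the one above: a policy that covers only SELECT leaves inserts and updates unscoped, so each command needs its own policy (or a single FOR ALL policy with both USING and WITH CHECK); and connections made with a service or superuser role bypass row-level security entirely, so any server-side job that uses such a role (for example, the one that hands documents to the AI model) must enforce the organization filter itself.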
The GovCon Advisor will assist the Customer in responding to requests from data subjects to exercise their rights (access, correction, deletion, portability, objection) where the platform's standard self-service controls are insufficient.
Placeholder: Specify how the Customer submits requests (typical: email a dedicated support alias). State response timelines.
8. International data transfers
Placeholder: State where Customer Data is processed (e.g., United States via Vercel and Supabase). For Customers in jurisdictions with cross-border transfer restrictions (EU, UK, etc.), describe the legal mechanism (Standard Contractual Clauses, adequacy decisions, etc.). Counsel should draft.
9. Personal Data breach notification
Placeholder: State the breach notification timeline (typical: without undue delay, and in any event within 72 hours of becoming aware; note that under the GDPR the Customer, as Controller, has its own 72-hour deadline to notify the supervisory authority, so a shorter processor-to-controller window may be expected). State what information is included in a breach notice (nature of breach, categories of data affected, likely consequences, remedial measures).
10. Audits and inspections
Placeholder: Describe the Customer's audit rights. Common B2B language: The GovCon Advisor will provide audit reports (e.g., SOC 2 Type II) on request once available; physical on-site audits require advance notice and reasonable cost-sharing.
11. Deletion or return at end of service
Placeholder: State what happens to Customer Data after termination (typical: 30-day export window, then deletion within 60 days). Note any backup retention windows. Specify how the Customer can request earlier deletion.
12. Liability
Placeholder: Refer back to the liability cap in the Terms of Service. Note any DPA-specific liability allocations counsel recommends (e.g., breach-notification cost-sharing).
13. Term and termination
This DPA takes effect when the Customer subscribes to the platform and continues for the duration of the subscription, plus any agreed retention period afterward. It may not be terminated separately from the underlying Terms of Service.
14. Governing law
Placeholder: Match the governing law clause in the Terms of Service unless counsel recommends otherwise.
15. Contact
Placeholder: Provide a dedicated email for DPA-related communications (typical: dpa@yourdomain or privacy@yourdomain) plus a mailing address.