Data Processing Agreement (DPA)

1. Definitions

• “Controller” means you, the customer, who determines the purposes and means of processing personal data.
• “Processor” means DealQuary, which processes personal data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person that you input into DealQuary.
• “Data Subject” means the individual to whom Personal Data relates.
• “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
• “Sub-processor” means any third party engaged by DealQuary to process Personal Data.

2. Scope and Purpose of Processing

Nature of Processing: DealQuary processes Personal Data solely to provide the deal modeling and financial calculation services as described in our Terms of Service.

Types of Personal Data: The types of Personal Data processed may include:

• User account information (name, email address)
• Deal participant names or identifiers (if you choose to input them)
• Any other data you voluntarily input into the platform

Categories of Data Subjects: Your employees, contractors, and any individuals whose information you input into DealQuary.

Duration: For the term of your subscription and up to 30 days thereafter (or as required by law).

3. Controller and Processor Obligations

4. Sub-processors

You authorize DealQuary to engage the following categories of Sub-processors to assist in providing the services:

• Cloud hosting providers (e.g., AWS, Vercel, or similar infrastructure providers)
• Payment processors (Stripe)
• Authentication services (NextAuth or similar)
• Analytics providers (only if you have consented via cookie banner)

We maintain a list of current Sub-processors and will notify you of any changes. You may object to new Sub-processors within 30 days of notification. If we cannot accommodate your objection, you may terminate your subscription without penalty.

For the current list of Sub-processors, see our Sub-processors page, or contact privacy@dealquary.com.

5. Data Security Measures

DealQuary implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption: Data encrypted in transit (TLS/HTTPS) and at rest
• Access Controls: Role-based access controls and authentication requirements
• Infrastructure Security: Use of industry-standard cloud hosting with SOC 2 compliance
• Monitoring: Regular security monitoring and vulnerability assessments
• Backup & Recovery: Regular backups and disaster recovery procedures
• Confidentiality: All personnel with access to Personal Data are bound by confidentiality obligations

6. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object

Contact privacy@dealquary.com for assistance with Data Subject requests. We will respond within a reasonable timeframe to enable you to meet your legal obligations.

7. Data Breach Notification

In the event of a Personal Data breach, DealQuary will:

• Notify you without undue delay after becoming aware of the breach (within 72 hours where feasible)
• Provide reasonable information about the breach, including the nature of the breach, categories and approximate number of affected Data Subjects, and likely consequences
• Describe measures taken or proposed to address the breach and mitigate potential adverse effects
• Cooperate with you to investigate and remediate the breach

Note: As Controller, you remain responsible for notifying supervisory authorities and affected Data Subjects as required by applicable law.

8. International Data Transfers

Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer Personal Data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses for data transfers to third countries
• Adequacy Decisions: Where possible, we transfer data to countries recognized by the European Commission as providing adequate protection
• Sub-processor Compliance: We require all Sub-processors to implement equivalent safeguards for international transfers

For a copy of the Standard Contractual Clauses or more information about our data transfer mechanisms, contact privacy@dealquary.com.

9. Audit Rights

Upon your written request and subject to reasonable notice, DealQuary will:

• Make available information necessary to demonstrate compliance with this DPA and GDPR obligations
• Allow for and contribute to audits or inspections conducted by you or an independent auditor mandated by you (subject to confidentiality obligations)

Audit Conditions: Audits must be conducted during business hours, with at least 30 days' advance notice, and no more than once per year unless required by a supervisory authority. You will bear all costs associated with audits, and auditors must sign appropriate confidentiality agreements.

10. Termination and Data Return/Deletion

Upon termination of your subscription or at your written request, DealQuary will:

• At your choice, either return all Personal Data to you in a machine-readable format or securely delete all Personal Data
• Delete existing copies of Personal Data unless EU or Member State law requires continued storage
• Require Sub-processors to delete or return Personal Data as applicable

Timeline: Data return/deletion will occur within 30 days of termination or your request, whichever is earlier.

To request data return or deletion, contact privacy@dealquary.com.

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in our Terms of Service. Nothing in this DPA limits either party's liability for breaches of confidentiality obligations, violations of data protection laws, or matters for which liability cannot be limited under applicable law.

12. Order of Precedence

In the event of any conflict or inconsistency between this DPA and our Terms of Service or Privacy Policy, the provisions of this DPA shall prevail with respect to data processing matters.