(a) “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR (EU) 2016/679, the UK GDPR, the CCPA, and any other applicable privacy or data protection legislation.
(b) “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Software.
(c) “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
(d) “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
(e) “Sub-processor” means a third party engaged by Processor to process Personal Data on behalf of the Controller.
(a) Controller and Processor. You are the Controller of Customer Data. DealDoctor is the Processor. We process Personal Data only as necessary to provide the Software and related services under the Agreement.
(b) Processing Instructions. Processor will process Personal Data only on documented instructions from the Controller, unless required by Applicable Data Protection Law. The Agreement, this DPA, and your use of the Software constitute your documented instructions.
(c) Purpose Limitation. Processor will process Personal Data solely for the purpose of providing, maintaining, and supporting the Software as described in the Agreement. Processor will not intentionally process Personal Data for any other purpose without Controller’s prior written consent.
(d) Anonymized Data. The Software uses commercially reasonable efforts to anonymize document content before transmission to Cloud AI Providers for analysis. Anonymized data from which individuals cannot be identified does not constitute Personal Data under this DPA. Licensor’s proprietary benchmarking data, which consists solely of anonymized, non-identifiable clause language, is not Personal Data.
(a) Security Measures. Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including: (i) encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+); (ii) dedicated, isolated database per tenant; (iii) role-based access controls; (iv) audit logging of administrative access; (v) regular backup procedures; (vi) restriction of employee access to Personal Data on a need-to-know basis; and (vii) use of HttpOnly, Secure session cookies with automatic expiration for authentication management.
(b) Confidentiality. Processor will use commercially reasonable efforts to ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
(c) Security Reviews. Processor will use commercially reasonable efforts to regularly review and update its security measures to address evolving threats.
(a) Authorized Sub-processors. Controller authorizes Processor to engage the following categories of Sub-processors: Cloud Infrastructure (AWS) for hosting and storage of Customer Data (encrypted); Cloud AI Providers (Anthropic, OpenAI, Google) for AI analysis processing of anonymized document text; and Payment Processor for subscription billing (payment information not stored by Processor).
(b) New Sub-processors. Processor will notify Controller of any new Sub-processors at least thirty (30) days before engagement by posting updates at https://carmai.app/subprocessors. If Controller objects, the parties will discuss in good faith. If no resolution is reached, Controller may terminate the affected services.
(c) Sub-processor Obligations. Processor will impose data protection obligations on Sub-processors that are no less protective than those in this DPA.
(d) Anonymized Data and AI Providers. Cloud AI Providers are designed to receive anonymized document text that has been temporarily processed for analysis through Licensor’s proprietary analysis components. Because this data does not constitute Personal Data, the engagement of AI Providers for processing anonymized text does not create Sub-processor relationships for purposes of this DPA.
(a) Assistance. Processor will use commercially reasonable efforts to assist Controller in responding to data subject requests to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, objection).
(b) Data Export. The Software provides built-in data export functionality allowing Controller to export Customer Data in DOCX, PDF, and CSV formats to support data portability rights.
(c) Data Deletion Controls. The Software provides Controller with built-in data management tools, including: deletion of individual CARMAlly™ conversations, bulk clearing of conversation history and audit trail data (with confirmation safeguards), configurable automatic retention periods (30, 90, 365, or 1095 days), and data export functionality. Individual users may delete their own conversations.
(d) Account Data Deletion. Upon Controller’s verified written request, Processor will delete Controller’s Personal Data within thirty (30) days, subject to legal retention requirements. Upon termination, Controller has sixty (60) days to export data before deletion.
(d) Benchmarking Data. Anonymized, non-identifiable clause language that has been contributed to Licensor’s proprietary benchmarking data cannot be deleted because it contains no identifiers linking it to any individual, contract, or customer. Controller may opt out of future contributions at any time in Settings.
(a) Categories of Data Subjects. Individuals whose Personal Data may appear in documents processed through the Software, including employees, counterparties, signatories, and other individuals referenced in Customer Data.
(b) Types of Personal Data. Names, contact information, titles, roles, and any other personal information contained in documents uploaded to the Software, as well as, for customers with a database-tier Subscription, any personal information included in CARMAlly™ AI assistant conversations initiated by Data Subjects. For all Subscribers using CARMAgree™ (the Software's electronic signature service): signer names, signer email addresses, signer titles, signer organizations, IP addresses captured for the ESIGN/UETA audit trail, signing timestamps, view timestamps, and consent acceptance timestamps.
(c) Processing Operations. Document analysis, anonymization, AI-assisted review, obligation tracking, compliance assessment, audit support, and related workflow functions as described in the Agreement. Customer Data is temporarily processed for analysis and stored in Controller’s dedicated database instance. For customers with a database-tier Subscription, CARMAlly™ AI assistant conversations (questions and responses) are stored in Controller’s dedicated database instance for the retention period configured by Controller’s administrator (default: 90 days). The Software also maintains an audit trail of user actions and document events, stored in Controller’s dedicated database instance and subject to the same administrator-configured retention period. Plugin-only customers’ CARMAlly conversations exist only during the active session and are not stored or retained by Processor.
(d) Duration. Personal Data is processed for the duration of the Agreement, plus the post-termination export period described in the Agreement. CARMAlly™ conversation data is retained for the period configured by Controller's administrator (default: 90 days; configurable to 30, 90, 365, or 1095 days) and is automatically purged thereafter.
(e) CARMAgree™ Storage Architecture. The Software's electronic signature service (“CARMAgree™”) involves server-side storage of CARMAgree™ signed documents and related data. Storage location depends on the Controller's Subscription tier:
(i) Plugin-only Subscribers. CARMAgree™ data is stored in CARMAsigned™, a database shared across Plugin-only Subscribers with logical separation between each Subscriber's data. This is the sole exception to the general principle, set forth in the Agreement, that Plugin-only Subscribers have no server-side storage of Customer Data.
(ii) Plugin+DB, Professional, and Enterprise Subscribers. CARMAgree™ data is stored in Controller's own dedicated database with physical separation from other Controllers, consistent with Section 3(a)(ii) of this DPA.
(iii) Retention. CARMAgree™ data is retained for the duration of the active Subscription. Upon cancellation or termination, Controller has sixty (60) days to export CARMAgree™ data through the Software. After that period, CARMAgree™ data is permanently deleted.
(iv) ESIGN and UETA Compliance. Electronic signatures captured via CARMAgree™ are intended to comply with the U.S. Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq., and the Uniform Electronic Transactions Act as adopted by each applicable State. Processor preserves an audit record of signer identity, signing actions, and timestamps for each signed document.
(a) Notification. Processor will notify Controller without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Data Breach affecting Controller’s Personal Data.
(b) Content. The notification will include, to the extent known: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.
(c) Cooperation. Processor will use commercially reasonable efforts to assist Controller in fulfilling its own breach notification obligations under Applicable Data Protection Law.
(a) Transfer Mechanisms. To the extent that processing involves the transfer of Personal Data from the EEA, UK, or Switzerland to the United States, Processor will use commercially reasonable efforts to ensure that appropriate transfer mechanisms are in place, including Standard Contractual Clauses as approved by the European Commission.
(b) Data Residency. Processor will inform Controller of the geographic region in which Customer Data is hosted. Controller is responsible for ensuring the hosting region meets its regulatory requirements.
(a) Information. Upon Controller’s reasonable written request (no more than once per twelve-month period), Processor will provide information reasonably necessary to demonstrate compliance with this DPA.
(b) Audit. Controller may, at its own expense and upon at least thirty (30) days’ written notice, engage a qualified independent auditor to audit Processor’s compliance with this DPA. The audit will be conducted during normal business hours and will not unreasonably interfere with Processor’s operations. The auditor must execute a confidentiality agreement acceptable to Processor.
(a) Precedence. In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
(b) Term. This DPA will remain in effect for the duration of the Agreement and for so long as Processor retains any Personal Data on behalf of Controller.
(c) Governing Law. This DPA is governed by the same governing law as the Agreement.
(d) Amendments. This DPA may be updated to reflect changes in Applicable Data Protection Law. Material changes will be notified through the Software or by email.