Data Processing Addendum
Draft, effective from:
1. Parties and scope
This DPA forms part of the Service Agreement between the Customer (controller) and Pactaly (processor) and governs the processing of Personal Data carried out by Pactaly on behalf of the Customer in connection with the Pactaly application.
2. Subject-matter and duration
Pactaly processes Personal Data submitted through the Service (contract documents, extracted fields, user accounts) for the duration of the Service Agreement and a 30-day grace period afterwards.
3. Nature and purpose of processing
- Storage and retrieval of contract documents and metadata.
- Automated extraction of contract fields using machine-learning models hosted in the EU.
- Generation and delivery of email reminders.
- Incident detection and resolution.
4. Categories of data subjects and personal data
- Data subjects: the Customer’s employees, counterparties to uploaded contracts, named individuals inside contract text.
- Personal data: names, email addresses, business contact details, signatures, and any personal data present in uploaded contract PDFs.
5. Sub-processors
Pactaly uses the following sub-processors, all established in the EU:
- Hetzner Online GmbH — application hosting (Frankfurt, Germany).
- Cloudflare — CDN, DNS, R2 object storage (EU region).
- Upstash — Redis (EU region).
- Resend — transactional email (EU region).
- Stripe Payments Europe, Ltd. — billing (Ireland).
- Mistral AI / Scaleway — LLM inference (EU region). Customer input is not used for model training.
- Sentry — error monitoring (EU region). No contract content is sent.
Changes are announced to the Customer at least 30 days in advance by email.
6. International transfers
All Personal Data is processed within the European Economic Area. Pactaly will not transfer Personal Data outside the EEA without the Customer’s prior written consent and an appropriate legal transfer mechanism (Art. 46 GDPR).
7. Technical and organisational measures
- AES-256 encryption at rest for all files and database fields.
- TLS 1.3 in transit.
- Per-tenant encryption keys rotated every 90 days.
- Role-based access control; two-factor authentication for all staff.
- Annual third-party penetration test (from year 1 onwards).
- Daily encrypted backups with 30-day retention; monthly restore drills.
- Incident response plan with 72-hour breach notification (GDPR Art. 33).
8. Data subject rights
Pactaly will assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability) through self-service tools in the application. Requests that cannot be completed via the application will be answered within 15 business days.
9. Audit
The Customer may, no more than once per year, request a written audit report or a remote audit walkthrough. Pactaly will respond to such a request within 30 days.
10. Return and deletion
Upon termination, the Customer can export all data in a machine-readable format (JSON and CSV) for 30 days. After that period, Pactaly deletes the Customer data, including from backups, within 90 days.
11. Liability and governing law
This DPA is subject to the liability terms and governing law of the Service Agreement.
Last updated: