Δ
DeltaX
Terms of ServicePrivacy PolicyData Processing Addendum

Data Processing Addendum

Last updated: [DATE] — Draft v0.1

Draft — pending legal review. This document was prepared as a starting point for DeltaX's public legal pages. It has not yet been reviewed or approved by a licensed attorney and should not be relied on as final or binding until that review is complete. Remove this notice only after counsel sign-off.

This Data Processing Addendum ("DPA") supplements the DeltaX Terms of Service (the "Agreement") between Customer and [COMPANY LEGAL NAME] ("DeltaX") and applies where DeltaX processes Personal Data on Customer's behalf in connection with the Service. Business customers who require a signed DPA for their own compliance purposes (e.g. GDPR/CCPA) should request an executable version.

1. Definitions

  • "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Sub-processor" have the meanings given in applicable Data Protection Law (e.g. GDPR, CCPA, as applicable).
  • "Customer Personal Data" means Personal Data contained within Customer Data that DeltaX processes on Customer's behalf under the Agreement.

2. Roles of the Parties

As between the parties, Customer is the Controller (or Processor acting on behalf of a further Controller) and DeltaX is the Processor (or Sub-processor) with respect to Customer Personal Data.

3. Processing Instructions

DeltaX will process Customer Personal Data only (a) to provide, secure, and support the Service in accordance with the Agreement, (b) on Customer's documented instructions (which the parties agree the Agreement and Customer's configuration of the Service constitute), or (c) as required by applicable law, in which case DeltaX will inform Customer of that legal requirement unless prohibited from doing so.

4. Personnel

DeltaX ensures personnel authorized to process Customer Personal Data are subject to confidentiality obligations and receive appropriate training.

5. Security Measures

DeltaX implements technical and organizational measures designed to protect Customer Personal Data, including: per-Organization logical data isolation enforced at the application and database layer; hashed (non-reversible) storage of API keys; role-based access control for administrative functions; rate limiting on programmatic access; and restricted personnel access to production systems. [PLACEHOLDER — attach a detailed Annex 3 security-measures document once finalized, covering encryption in transit/at rest, vulnerability management, incident response, and backup/recovery.]

6. Sub-processors

Customer generally authorizes DeltaX to engage the Sub-processors listed in Annex 2 below. DeltaX will impose data-protection obligations on Sub-processors materially consistent with this DPA, and will provide notice of new or replacement Sub-processors so Customer may object on reasonable grounds.

7. Data Subject Requests

DeltaX will provide reasonable assistance to Customer in responding to Data Subject requests (access, correction, deletion, portability) to the extent Customer cannot reasonably fulfill them using the Service's self-service tools (e.g. Settings → Data Export).

8. Personal Data Breach Notification

DeltaX will notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data, and will provide reasonably available information to help Customer meet its own notification obligations. [PLACEHOLDER — confirm specific notification SLA, e.g. 72 hours, with counsel.]

9. Return or Deletion of Data

On termination of the Agreement, DeltaX will make Customer Personal Data available for export for at least 30 days, after which it will be deleted from production systems (subject to standard backup-rotation timelines and any legal retention obligations).

10. Audits

DeltaX will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by Customer or an independent auditor, subject to reasonable notice, frequency limits, and confidentiality protections. [PLACEHOLDER — finalize audit mechanics, e.g. reliance on a future SOC 2 report in lieu of on-site audits, with counsel.]

11. International Transfers

[PLACEHOLDER — describe transfer mechanism (e.g. Standard Contractual Clauses) if Customer Personal Data is transferred outside its region of origin, once hosting footprint and customer base are confirmed with counsel.]

12. Liability

Each party's liability arising out of this DPA is subject to the limitations of liability set out in the Agreement.

Annex 1 — Description of Processing

Subject matterProvision of the DeltaX CRE deal-management platform
DurationTerm of the Agreement, plus the post-termination export/retention window above
Nature & purposeHosting, storage, AI-assisted document/email extraction and summarization, CRM and communications workflow
Categories of data subjectsCustomer's employees/users; Customer's business contacts (brokers, owners, tenants, vendors) as entered or synced by Customer
Categories of Personal DataNames, business contact details, email/calendar/call content and metadata, and any personal data incidentally present in uploaded underwriting documents

Annex 2 — Sub-processors

DeltaX engages sub-processors in the following categories: cloud hosting and databases; object storage; automated content analysis; maps/geocoding; payment processing; and optional email, calendar, or telephony providers that Customer connects. A current named list is available to Customers under this DPA or upon written request, and will be updated with notice as required by the Agreement.

Annex 3 — Security Measures

[PLACEHOLDER — to be completed with counsel/security review; see Section 5 above.]