Data Processing Agreement
Last updated: April 2026
1. Definitions
"Controller" means the organization that determines the purposes and means of processing personal data. "Processor" means Deal Matrix, which processes personal data on behalf of the Controller. "Data Subject" means the individual whose personal data is processed.
2. Scope of Processing
This DPA applies to all personal data processed by Deal Matrix on behalf of the Controller. Processing activities include storage, retrieval, modification, and deletion of CRM records, contact information, and associated metadata.
3. Data Processing Details
Categories of data subjects: employees, contacts, clients, and business partners of the Controller. Types of data: names, emails, phone numbers, addresses, company affiliations, and transaction records. Duration: for the term of the service agreement.
4. Obligations of Processor
Deal Matrix shall: (a) process data only on documented instructions from the Controller; (b) ensure persons authorized to process data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in responding to data subject requests.
5. Sub-processors
Deal Matrix uses sub-processors for hosting (Vercel, Supabase), authentication (Clerk), email (Resend), and payment processing (Stripe). A current list of sub-processors is available upon request. Deal Matrix will notify the Controller before adding new sub-processors.
6. Data Subject Rights
Deal Matrix will assist the Controller in fulfilling data subject access requests, rectification requests, erasure requests, and data portability requests. Deal Matrix provides tools within the platform for Controllers to manage these requests directly.
7. Security Measures
Security measures include: encryption in transit (TLS 1.2+), encryption at rest, role-based access control, audit logging, regular security assessments, and incident response procedures.
8. Data Breach Notification
In the event of a personal data breach, Deal Matrix will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and measures taken.
9. Audit Rights
The Controller has the right to audit Deal Matrix's compliance with this DPA. Audits may be conducted by the Controller or an independent auditor appointed by the Controller, subject to reasonable notice and confidentiality obligations.
10. Data Deletion
Upon termination of the service agreement, Deal Matrix will delete all personal data within 30 days, unless retention is required by applicable law. The Controller may request a data export before deletion.
