Data Processing Agreement (DPA)

Last Updated: November 3, 2025

This Data Processing Agreement (DPA) applies to all ContractPlan Inc. customers and governs how we process personal data on your behalf in compliance with GDPR, CCPA, and other data protection regulations.

1. Definitions

  • Controller: You (the customer organization) who determines the purposes and means of processing
  • Processor: ContractPlan Inc., who processes data on your behalf
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, retrieval, deletion, etc.)
  • Subprocessor: Third-party service providers engaged by ContractPlan to process data

2. Scope of Processing

Data We Process

  • User account information (name, email, role)
  • Contract metadata (vendor names, dates, amounts)
  • Uploaded contract documents (PDFs, attachments)
  • Usage analytics (page views, feature usage)
  • Audit logs (user actions, timestamps)

Purpose of Processing

ContractPlan processes data solely to:

  • Provide contract management services as described in our Terms of Service
  • Ensure platform security and prevent fraud
  • Provide customer support
  • Comply with legal obligations

3. Your Rights & Obligations as Controller

As the data controller, you:

  • Are responsible for ensuring you have a lawful basis to process personal data
  • Must obtain necessary consents from your end users
  • Are responsible for responding to data subject requests from your users
  • Must notify us of any data protection concerns or incidents
  • Warrant that you have authority to provide data to ContractPlan

4. Our Obligations as Processor

ContractPlan will:

  • Process data only on documented instructions from you (via the platform or API)
  • Ensure personnel authorized to process data are under confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests (access, deletion, portability, etc.)
  • Notify you of any data breach within 24 hours of discovery
  • Delete or return all personal data upon termination (unless legally required to retain)
  • Provide information necessary to demonstrate GDPR compliance

5. Subprocessors

We engage the following categories of subprocessors to help deliver our services. A complete, up-to-date list is maintained at:

Subprocessor Changes

We will notify you at least 30 days before adding or replacing a subprocessor. If you object to a new subprocessor on reasonable data protection grounds, you may:

  • Request we use an alternative subprocessor (if available)
  • Terminate your subscription with 30 days' notice without penalty

6. Security Measures

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) for all admin accounts
  • Regular security audits and penetration testing
  • Automated daily backups with 30-day retention
  • SOC 2 Type II compliance (in progress)

For detailed security information, see our Security Overview.

7. Data Subject Requests

We provide tools to help you comply with data subject requests:

Request Type                 | How We Support You
Right of Access              | Export all user data via Settings → Data Export
Right to Rectification       | Users can edit their profile and data directly in-app
Right to Erasure             | Settings → Delete Account (permanent deletion within 30 days)
Right to Portability         | Export contracts and data in CSV/JSON format
Right to Restrict Processing | Contact support@contractplan.com for account suspension

8. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you within 24 hours of becoming aware of the breach
  • Provide details of the breach (nature, categories of data, estimated number of affected individuals)
  • Describe measures taken to mitigate the breach
  • Assist you in meeting your obligation to notify regulators (where required, within 72 hours)

9. International Data Transfers

All data is stored in AWS data centers in the United States (us-east-1 region by default). For EU/UK customers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. Enterprise customers can request data residency in EU regions (additional fees apply).

10. Data Retention & Deletion

  • Active data is retained for the duration of your subscription
  • Upon account deletion, all data is permanently deleted within 30 days
  • Backups are retained for 30 days, then automatically purged
  • Audit logs may be retained for up to 7 years for compliance purposes
  • Enterprise customers can request immediate deletion (contact support)

11. Audits & Inspections

Upon reasonable notice, Enterprise customers may request information about our data processing practices. We provide SOC 2 Type II reports annually. On-site audits may be arranged subject to confidentiality agreements and reasonable fees.

12. Term & Termination

This DPA takes effect when you create a ContractPlan account and remains in effect until all personal data has been deleted or returned. Upon termination:

  • You may export all data within 30 days of termination
  • After 30 days, all data is permanently and irreversibly deleted
  • We will provide written confirmation of deletion upon request

13. Contact Information

Data Protection Officer: dpo@contractplan.com

Privacy Inquiries: privacy@contractplan.com

Security Issues: security@contractplan.com

Mailing Address:
ContractPlan Inc.
Attn: Data Protection Officer
251 Little Falls Drive
Wilmington, DE 19808
United States
