Data Processing Agreement

Need to execute this agreement?

This is a template for reference. To enter into a signed DPA with Proviso, reach out and we'll send you an executable version.

Request a Signed DPA

⚠ Template notice: This document is a template provided for informational purposes. It is not a binding agreement until executed by both parties. Contact [email protected] to execute a DPA.

Contents

Parties & Definitions
Controller / Processor Roles
Processing Details
Processor Obligations
Subprocessors
Security Measures
Data Subject Rights
Breach Notification
Return & Deletion of Data
Audits & Compliance
Liability
Governing Law
Signatures

1. Parties & Definitions

This Data Processing Agreement ("DPA") is entered into between:

Controller: The entity identified in the associated Proviso subscription ("Customer"), acting as the data controller in respect of Personal Data processed in connection with the Service.
Processor: Chris McVety, operating as Proviso, a sole proprietorship organized under the laws of Illinois ("Proviso"), acting as data processor on behalf of the Controller.

This DPA supplements the Proviso Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

Key definitions:

"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law, including GDPR.
"Processing" means any operation performed on Personal Data, whether automated or manual.
"GDPR" means the EU General Data Protection Regulation (2016/679).
"BYOK Plan" means a Proviso subscription where the Customer provides their own LLM API key, such that contract text is routed directly from the Customer's device to the Customer's chosen LLM provider — not through Proviso's infrastructure.

2. Controller / Processor Roles

The Controller determines the purposes and means of processing Personal Data associated with the Customer's use of Proviso. Proviso acts as Processor, processing Personal Data only on documented instructions from the Controller and only to the extent necessary to provide the Service.

Important — BYOK Plans: On BYOK plans, contract text and document content are not transmitted to or processed by Proviso's systems. Proviso does not act as a processor in relation to that data. The Customer's LLM provider (e.g., Anthropic, OpenAI) is a separate processor under the Customer's direct instruction, and their respective DPAs apply.

Personal Data for which Proviso acts as Processor is limited to: Customer account data (name, email, company), subscription and billing metadata (excluding full payment details, which are processed by Stripe as a separate controller), and license activation metadata (machine IDs tied to license keys).

3. Processing Details

Subject matter

Operation and delivery of the Proviso contract review service, including account management, license enforcement, billing, and support.

Duration

For the term of the Controller's subscription, and thereafter for the period required to comply with legal obligations or as specified in Article 9 (Return & Deletion).

Nature and purpose of processing

Account provisioning, license key generation and validation, seat enforcement, subscription management, transactional email delivery, and aggregate usage analytics.

Categories of Personal Data

Name and email address
Company name
Subscription status and billing history
License key and machine activation records

Categories of data subjects

Employees, contractors, and authorized users of the Controller who have been granted access to Proviso under the Customer's subscription.

4. Processor Obligations

Proviso shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures (see Article 6)
Not engage subprocessors without prior written authorization from the Controller (or as described in Article 5)
Assist the Controller in responding to data subject rights requests to the extent technically feasible
Notify the Controller without undue delay upon becoming aware of a Personal Data breach (see Article 8)
Delete or return all Personal Data to the Controller at the end of the service relationship (see Article 9)
Make available all information necessary to demonstrate compliance with this DPA, including supporting audits or inspections

5. Subprocessors

The Controller grants Proviso general authorization to engage the following subprocessors. Proviso will notify the Controller of any intended changes to this list, providing at least 14 days' notice before any new subprocessor begins processing Personal Data.

Subprocessor	Location	Purpose	Plans
Stripe, Inc.	USA	Payment processing and subscription billing	All
Resend, Inc.	USA	Transactional email delivery	All
Anthropic, PBC	USA	LLM API processing of contract text	Managed only
Cloudflare, Inc.	USA	CDN, DNS, and hosting infrastructure	All

Each subprocessor is bound by data processing obligations no less protective than those in this DPA. Proviso remains liable to the Controller for subprocessors' failure to perform their obligations.

If the Controller reasonably objects to a new subprocessor, the parties will work in good faith to resolve the objection. If no resolution is reached within 30 days, either party may terminate the affected services with written notice.

6. Security Measures

Proviso implements and maintains the following technical and organizational measures:

Encryption

TLS 1.2 or higher for all data in transit
AES-256 encryption for stored sensitive data
Cryptographically random license keys (128-bit entropy, CSPRNG-generated)

Access controls

Role-based access limiting data access to those with a need to know
Multi-factor authentication on administrative systems

Monitoring & incident response

Logging of authentication events and administrative actions
Defined incident response procedures (see Article 8)

Physical security

Proviso's primary infrastructure runs on Cloudflare's network, which maintains SOC 2 Type II certification

Proviso will review and update these measures as necessary to reflect changes in technology, threats, and best practices.

7. Data Subject Rights

Proviso will assist the Controller in fulfilling its obligations to respond to data subject rights requests under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

To the extent technically feasible, Proviso will:

Promptly forward any data subject requests received directly by Proviso to the Controller
Provide the Controller with information reasonably required to respond to such requests
Not respond to data subject requests directly without the Controller's authorization, except as required by law

8. Breach Notification

In the event of a Personal Data breach affecting data processed under this DPA, Proviso will:

Notify the Controller within 72 hours of becoming aware of the breach
Include in the notification (to the extent available at the time): a description of the nature of the breach, categories and approximate number of data subjects affected, categories and approximate amount of Personal Data affected, likely consequences of the breach, and measures taken or proposed to address the breach
Cooperate with the Controller and provide any additional information reasonably required to fulfill the Controller's notification obligations to supervisory authorities and data subjects

Breach notifications should be sent to the email address on file for the Controller's account.

9. Return & Deletion of Data

Upon termination or expiration of the subscription (or upon request), Proviso will:

Provide the Controller with an export of account data upon request within 30 days
Delete or anonymize Personal Data within 90 days of termination, except where retention is required by applicable law
Upon completion of deletion, confirm in writing that deletion has occurred

Proviso may retain anonymized or aggregated data that cannot reasonably be used to identify individual data subjects.

10. Audits & Compliance

Proviso will make available to the Controller, on reasonable written request, documentation and information reasonably necessary to demonstrate compliance with the obligations in this DPA.

Proviso will, at the Controller's reasonable request (and at the Controller's expense), support an audit or inspection of Proviso's data processing activities — subject to reasonable advance notice (at least 30 days), agreement on scope and timing, and appropriate confidentiality obligations.

Any audit will be conducted in a manner that minimizes disruption to Proviso's business operations and is limited to information relevant to the Controller's data.

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Proviso Terms of Service, except where such limitations are prohibited under applicable data protection law.

Nothing in this DPA limits either party's liability for: (a) fraud or willful misconduct; (b) death or personal injury caused by negligence; or (c) any other liability that cannot be limited by law.

12. Governing Law

This DPA is governed by the laws of the State of Illinois, consistent with the Proviso Terms of Service. For customers subject to GDPR, the parties acknowledge their obligations under GDPR and agree to comply with applicable requirements under Article 28 and related provisions.

Where applicable law requires it, the parties agree to incorporate standard contractual clauses or other lawful transfer mechanisms for cross-border data transfers.

13. Execution

This DPA becomes effective when executed by both parties. To receive an executable version, contact [email protected].

Controller (Customer)

Authorized signature

Name & title

Company name

Date

Processor (Proviso)

Authorized signature

Chris McVety

Name & title

Proviso (sole proprietor)

Company name

Date