This Data Processing Agreement (DPA) applies to all RightsVault customers and governs how we process personal data on your behalf in compliance with GDPR, CCPA, and other data protection regulations.
1. Definitions
- Controller: You (the customer organization) who determines the purposes and means of processing
- Processor: RightsVault, who processes data on your behalf
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, retrieval, deletion, etc.)
- Subprocessor: Third-party service providers engaged by ContractPlan to process data
2. Scope of Processing
Data We Process
- User account information (name, email, role)
- Contract metadata (vendor names, dates, amounts)
- Uploaded contract documents (PDFs, attachments)
- Usage analytics (page views, feature usage)
- Audit logs (user actions, timestamps)
Purpose of Processing
ContractPlan processes data solely to:
- Provide contract management services as described in our Terms of Service
- Ensure platform security and prevent fraud
- Provide customer support
- Comply with legal obligations
3. Your Rights & Obligations as Controller
As the data controller, you:
- Are responsible for ensuring you have a lawful basis to process personal data
- Must obtain necessary consents from your end users
- Are responsible for responding to data subject requests from your users
- Must notify us of any data protection concerns or incidents
- Warrant that you have authority to provide data to ContractPlan
4. Our Obligations as Processor
ContractPlan will:
- Process data only on documented instructions from you (via the platform or API)
- Ensure personnel authorized to process data are under confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests (access, deletion, portability, etc.)
- Notify you of any data breach within 24 hours of discovery
- Delete or return all personal data upon termination (unless legally required to retain)
- Provide information necessary to demonstrate GDPR compliance
5. Subprocessors
We engage the following categories of subprocessors to help deliver our services. A complete, up-to-date list is maintained at:
Subprocessor Changes
We will notify you at least 30 days before adding or replacing a subprocessor. If you object to a new subprocessor on reasonable data protection grounds, you may:
- Request we use an alternative subprocessor (if available)
- Terminate your subscription with 30 days' notice without penalty
6. Security Measures
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for all admin accounts
- Regular security audits and penetration testing
- Automated daily backups with 30-day retention
- SOC 2 Type II compliance (in progress)
For detailed security information, see our Security Overview.
7. Data Subject Requests
We provide tools to help you comply with data subject requests:
| Request Type | How We Support You |
|---|---|
| Right of Access | Export all user data via Settings → Data Export |
| Right to Rectification | Users can edit their profile and data directly in-app |
| Right to Erasure | Settings → Delete Account (permanent deletion within 30 days) |
| Right to Portability | Export contracts and data in CSV/JSON format |
| Right to Restrict Processing | Contact support@rightsvault.studio for account suspension |
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify you within 24 hours of becoming aware of the breach
- Provide details of the breach (nature, categories of data, estimated number of affected individuals)
- Describe measures taken to mitigate the breach
- Assist you in complying with your obligation to notify regulators (where required, within 72 hours)
9. International Data Transfers
All data is stored in AWS data centers in the United States (us-east-1 region by default). For EU/UK customers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. Enterprise customers can request data residency in EU regions (additional fees apply).
10. Data Retention & Deletion
- Active data is retained for the duration of your subscription
- Upon account deletion, all data is permanently deleted within 30 days
- Backups are retained for 30 days, then automatically purged
- Audit logs may be retained for up to 7 years for compliance purposes
- Enterprise customers can request immediate deletion (contact support)
11. Audits & Inspections
Upon reasonable notice, Enterprise customers may request information about our data processing practices. We provide SOC 2 Type II reports annually. On-site audits may be arranged subject to confidentiality agreements and reasonable fees.
12. Term & Termination
This DPA takes effect when you create a ContractPlan account and remains in effect until all personal data has been deleted or returned. Upon termination:
- You may export all data within 30 days of termination
- After 30 days, all data is permanently and irreversibly deleted
- We will provide written confirmation of deletion upon request
13. Contact Information
Data Protection Officer: dpo@rightsvault.studio
Privacy Inquiries: privacy@rightsvault.studio
Security Issues: security@rightsvault.studio
Mailing Address:
RightsVault
Attn: Data Protection Officer
251 Little Falls Drive
Wilmington, DE 19808
United States