RFP engine

Data Processing Addendum

Effective June 16, 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Customer”) and Saibble (Sara Sheikh LLC) (“Saibble”) for the RFP engine service. It applies whenever Saibble processes personal data on Customer's behalf as a processor.

If you need a signed counterpart for your records, email sara@sparkdigitalinc.com.

1. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person processed by Saibble on Customer's behalf under the Service.
  • Controller, Processor, Data Subject, and Processing have the meanings given in the GDPR. Equivalent meanings under CCPA/CPRA, UK GDPR, and other applicable data protection laws apply where those laws govern.
  • Sub-processor means a third party engaged by Saibble to process Customer's Personal Data under this DPA.

2. Roles

Customer is the Controller (or processor on behalf of its own controller) of any Personal Data processed under the Service. Saibble is the Processor. Saibble processes Customer's Personal Data only on documented instructions from Customer — the Terms of Service and this DPA together are those instructions.

3. Subject matter, duration, nature, and purpose

  • Subject matter: Customer Personal Data uploaded to or generated within the Service.
  • Duration: The term of the Terms of Service plus any retention or deletion period set in this DPA.
  • Nature and purpose: Hosting, retrieval, AI-assisted analysis and drafting, collaboration features, audit logging, and billing — only as needed to provide the Service to Customer.
  • Categories of Data Subjects: Customer's personnel (employees, contractors, teammates with platform access) and any individuals named in documents Customer uploads (e.g., past performance references, project staff, contacts).
  • Categories of Personal Data: Names, email addresses, employment titles, organizational affiliations, and any other personal data Customer chooses to include in uploaded content.

4. Processor obligations

  • Saibble processes Personal Data only on documented Customer instructions, including with regard to transfers outside the country of origin.
  • Saibble ensures personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Saibble implements appropriate technical and organizational measures to protect Personal Data — see Section 7.
  • Saibble assists Customer, taking into account the nature of processing, in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
  • Saibble assists Customer in ensuring compliance with Customer's obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
  • Saibble does not sell or share Personal Data, does not retain it outside the Service, and does not use it for any purpose outside providing the Service.
  • Saibble does not train AI models on Customer Personal Data or Customer content.

5. Sub-processors

Customer authorizes Saibble to engage the following Sub-processors as of the effective date of this DPA. Each is bound by terms providing at least the same data protection obligations as set out in this DPA:

  • Vercel, Inc. — application hosting and edge / serverless compute (United States)
  • Supabase, Inc. — managed PostgreSQL database (United States)
  • Cloudflare, Inc. — encrypted object storage (Cloudflare R2, United States)
  • Clerk, Inc. — identity and authentication (United States)
  • Anthropic, PBC — AI inference for extraction, drafting, and review (United States) — under zero-retention API terms
  • OpenAI, Inc. — text embeddings and (where used) audio transcription (United States) — under zero-retention API terms
  • Inngest, Inc. — background job orchestration (United States)
  • Functional Software, Inc. (Sentry) — error monitoring (United States)
  • Wildbit, LLC (Postmark) — transactional email delivery and inbound email parsing (United States)
  • Resend, Inc. — transactional email delivery (United States)

Saibble will give Customer at least thirty (30) days' notice before adding a new Sub-processor, by updating this DPA and notifying account-owner email addresses. Customer may object to a new Sub-processor by providing reasonable grounds within fifteen (15) days. If the objection cannot be resolved, Customer may terminate the affected portion of the Service for material breach.

6. International transfers

All Sub-processors above are located in the United States. For Customer Personal Data that originates from the European Economic Area, the United Kingdom, or Switzerland and is processed in the United States, Saibble relies on the EU / UK Standard Contractual Clauses, the UK Addendum (where applicable), and the Swiss FDPIC's recognized equivalent. Saibble will execute SCCs with Customer at Customer's reasonable request.

7. Security measures

Saibble implements appropriate technical and organizational measures including, at minimum:

  • Encryption at rest (AES-256 or equivalent) for tenant content stored in Cloudflare R2 and PostgreSQL
  • Encryption in transit (TLS 1.2 or higher) for all network communication
  • Tenant-level isolation enforced at the database layer via Postgres Row-Level Security with FORCE RLS on tenant-scoped tables
  • Multi-factor authentication available for all user accounts (managed via Clerk); step-up reauthentication required for platform-operator (super-admin) actions
  • Access controls limiting personnel access to Customer Personal Data to those with a need-to-know basis
  • Audit logging of authentication, document access, configuration changes, and AI inference operations, retained for at least one year
  • Per-tenant credential encryption (AES-256-GCM) for any third-party API keys Customer provides
  • Regular review of access logs, dependency vulnerabilities, and Sub-processor compliance posture

8. Personal Data Breach notification

Saibble will notify Customer without undue delay, and in any case within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it.

9. Data Subject requests

Saibble provides Customer with in-product tooling to access, export, correct, and delete Customer Personal Data. Where Customer cannot complete a Data Subject request through the product itself, Saibble will provide reasonable assistance within ten (10) business days of a written request from Customer.

10. Audits

Saibble will make available to Customer all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice (no more than once per twelve-month period, absent a Personal Data Breach), Saibble will respond to a reasonable security questionnaire from Customer and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to confidentiality obligations and reasonable scheduling.

11. Deletion and return

At Customer's choice, Saibble will delete or return all Customer Personal Data within thirty (30) days of the end of the Terms of Service, unless retention is required by applicable law. Audit logs are retained for one (1) year for legal-compliance purposes and are then deleted.

12. CCPA-specific provisions

To the extent Customer Personal Data includes “personal information” as defined under the California Consumer Privacy Act (CCPA, as amended by the CPRA), Saibble acts as a “Service Provider.” Saibble will not sell or share such personal information, will not retain, use, or disclose it for any purpose other than for the specific business purpose of providing the Service, and will not retain, use, or disclose it outside the direct business relationship with Customer. Saibble certifies it understands these restrictions.

13. Limitation of liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability set forth in the Terms of Service. Any reference in the Terms of Service to the liability of a party means the aggregate liability of that party and its affiliates under the Terms of Service together with this DPA.

14. Order of precedence

In the event of any conflict between the Terms of Service and this DPA, this DPA controls solely with respect to the processing of Personal Data.

15. Contact

Data protection inquiries: sara@sparkdigitalinc.com.

Note. This is placeholder copy. Final policies pass legal review before public launch. Questions in the interim go to sara@sparkdigitalinc.com.

© 2026 Saibble. All rights reserved.
