Data Processing Addendum (DPA)
Our Data Processing Addendum for GDPR/UK GDPR–aligned processing. Request a countersigned copy via the contact details below.
This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer (“Controller”) and PactPro (or the applicable PactPro entity providing the Service) (“Processor”) governing the PactPro services (“Service”). Capitalized terms not defined here have the meaning given in the main agreement.
1. Definitions
- “Data Protection Laws” means, as applicable to each party’s processing of Personal Data: (a) the GDPR and UK GDPR; (b) any successor or implementing legislation; and (c) other applicable data protection and privacy laws.
- “Personal Data” means any information relating to an identified or identifiable natural person that Controller provides or makes available to Processor in connection with the Service.
- “Processing” has the meaning given in the applicable Data Protection Laws (e.g., any operation performed on Personal Data).
- “Subprocessor” means any third party engaged by Processor to Process Personal Data on Processor’s behalf.
2. Roles and Scope
Controller is the data controller and Processor is the data processor with respect to Personal Data Processed under this DPA. Processor will Process Personal Data only on Controller’s documented instructions (including as set out in the main agreement and this DPA) and in accordance with applicable Data Protection Laws. Processor will not sell Personal Data or Process it for its own advertising or other purposes unrelated to providing the Service. Processor does not use Personal Data to train generalized machine learning models that benefit other customers; any model processing is limited to providing the Service to Controller.
3. Subject Matter, Nature, and Purpose
Processing is limited to the following:
- Subject matter: Contract and commercial documents (and related metadata) uploaded or otherwise provided by Controller or its users in connection with the Service, which may contain Personal Data (e.g., names, contact details, role information).
- Nature and purpose: Providing contract analysis, collaboration, search, and related features; storing and securing data; enabling access by authorized users; and performing support, backups, and operations necessary to run the Service.
- Duration: Processor retains Personal Data only as long as necessary to provide the Service and in accordance with Controller’s configuration and documented instructions. After the term of the main agreement, retention is governed by Section 8 (return and deletion).
- Data subjects: Controller’s personnel, counterparties, and other individuals whose data appears in the processed documents.
- Categories of data: As determined by Controller (e.g., name, email, job title, and other data contained in the documents).
4. Controller Obligations
Controller is responsible for the lawfulness of its instructions and for ensuring that it has a valid legal basis (and any required notices or consents) for providing Personal Data to Processor. Controller will not instruct Processor to Process Personal Data in a way that violates Data Protection Laws.
5. Processor Obligations
Processor will:
- Process Personal Data only on Controller’s documented instructions unless required by law.
- Ensure that persons authorized to Process Personal Data are bound by confidentiality or an appropriate statutory obligation.
- Implement technical and organizational measures appropriate to the risk, including: encryption in transit (e.g., TLS) and at rest; access controls and role-based permissions; and logging of access and processing where relevant. Further details may be set out in the main agreement or security documentation.
- Notify Controller without undue delay and, where feasible, within 72 hours of becoming aware of a confirmed Personal Data breach affecting Controller’s data.
- Assist Controller in responding to requests from data subjects and in meeting Controller’s obligations under Data Protection Laws regarding security, breach notification, and data protection impact assessments, to the extent such assistance is reasonably required and within Processor’s capabilities.
- Make available to Controller information reasonably necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits or inspections by Controller or its auditor, subject to reasonable notice, confidentiality, and no more than once per year unless required by a supervisory authority or a material incident.
6. Subprocessors
Controller generally authorizes Processor to engage Subprocessors to perform processing activities on Processor’s behalf. Processor will impose on Subprocessors data protection terms that are substantially no less protective than this DPA. Processor remains liable to Controller for Subprocessor performance. Processor will make available a current list of Subprocessors (e.g., hosting, database, email, analytics, and payment providers) upon request at support@pactpro.ai. Processor will give Controller reasonable notice of new Subprocessors and an opportunity to object on reasonable data protection grounds; if Controller objects and the parties cannot resolve the matter, Controller may terminate the affected part of the Service in accordance with the main agreement.
7. International Transfers
Where Personal Data is transferred from the EEA or UK to a country not recognized as providing an adequate level of protection, Processor will ensure appropriate safeguards are in place (e.g., standard contractual clauses approved by the European Commission or UK authorities, or another recognized mechanism). Details of transfer mechanisms can be provided on request.
8. Return and Deletion
Upon termination or expiry of the main agreement, Processor will, at Controller’s choice, delete or return all Personal Data in Processor’s possession, except where Processor is required to retain data by law. Controller may request return or deletion by email to support@pactpro.ai. Processor will complete deletion or return within a reasonable period (and in any event within 90 days) unless a longer retention period is required by law.
9. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the main agreement. Nothing in this DPA excludes or limits either party’s liability for matters that cannot be excluded or limited under applicable law.
10. Order of Precedence
In the event of a conflict between this DPA and the main agreement, this DPA will prevail with respect to the processing of Personal Data. Where Controller has executed a separate signed DPA with PactPro, that signed DPA governs to the extent it differs from this version.
Request a signed copy
If your organization requires a countersigned DPA, email support@pactpro.ai with your company name, primary contact, and any required legal entity details. We will provide the current DPA for review and signature.