Legal
Data Processing Addendum
Last updated: 2026-06-22
Bottom line
This DPA governs how Deck-Agent processes personal data on your behalf when you use the Service. We follow the EU SCCs and the UK Addendum for international transfers, give 30 days' notice before adding subprocessors, notify you of breaches within 72 hours, and never train AI models on your content. The subprocessor categories, the technical and organizational measures, and the processing details are in the Annexes below; the current named subprocessor list is available on request to [email protected].
This Data Processing Addendum ("DPA") applies when Deck-Agent, Inc. ("Processor") Processes Personal Data on behalf of a customer ("Controller") subject to the GDPR, UK GDPR, Swiss FADP, CCPA, or other Data Protection Laws. The DPA is incorporated into the Terms of Service by reference and applies automatically; no signature is required. Enterprise customers may request a counter-signed copy by emailing [email protected].
1. Scope and order of precedence
2. Definitions
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and the UK Data Protection Act 2018 ("UK DPL"), the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act as amended by the CPRA ("CCPA").
- "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings in GDPR Art. 4. For purposes of the CCPA, Processor acts as a "Service Provider" and Controller acts as a "Business."
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office under section 119A of the UK DPL.
- "Subprocessor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
3. Roles and scope of Processing
4. Confidentiality
5. Security measures
6. Subprocessors
[email protected] and is provided as part of any counter-signed DPA or SCCs. Before engaging a new Subprocessor, Processor will (a) impose data-protection terms substantially as protective as this DPA, including appropriate technical and organizational measures and the SCCs where relevant, and (b) provide at least thirty (30) days' advance notice to Controller by email to the billing contact. Controller may object on reasonable data-protection grounds by written notice within the notice period. The parties will work in good faith to resolve the objection; if not resolved, Controller may terminate the affected Service on written notice without penalty, whereupon future charges for the affected Service stop and we will apply a service credit for the prepaid, unused portion to a future billing period (fees already paid are not refunded as cash). Processor remains liable to Controller for each Subprocessor's acts and omissions to the same extent it would be liable if performing the services directly.7. Assistance with Data Subject requests
8. Personal Data Breach notification
9. Data Protection Impact Assessments
10. International transfers
- The SCCs (Module 2 — Controller-to-Processor) are incorporated by reference and apply to such transfers, with Controller as "data exporter" and Processor as "data importer." Clause 7 (docking) is included; the optional wording in Clause 11(a) regarding independent dispute resolution is not selected; Clause 17 Option 1 is selected with the governing law of Ireland; Clause 18(b) designates the courts of Ireland. The Annexes to the SCCs are populated by Annexes I, II, and III of this DPA.
- For transfers subject to the UK GDPR, the UK Addendum is incorporated and applies in place of the SCCs as modified by the Addendum. For transfers subject to the Swiss FADP, references in the SCCs to the GDPR are read as references to the FADP, and references to EU supervisory authorities and courts are read as references to the Swiss FDPIC and courts.
- Processor will assess transfer impact in light of the standards described in EDPB Recommendations 01/2020 and will inform Controller if it can no longer comply with the SCCs.
11. Audits
- Controller may conduct one audit per calendar year on at least thirty (30) days' advance written notice, during normal business hours, with reasonable scope and duration, and without disrupting Processor's operations or the security or confidentiality of other customers' data.
- Where available, Processor will satisfy audit requests by providing current third-party reports and certifications under NDA in place of an on-site audit.
- Each party will bear its own costs; if an audit reveals material non-compliance attributable to Processor, Processor will reimburse Controller's reasonable, documented audit costs.
- Audits in regulated industries or by supervisory authorities are permitted as required by law on the timelines required by law.
12. Return or deletion on termination
13. CCPA terms
14. Liability
15. Term, modifications, and notices
[email protected]; notices to Controller go to the billing contact on file or as otherwise specified in the order form.Annex I — Description of Processing
Categories of Data Subjects: Controller's authorized users, end-customers, employees, contractors, and any other natural persons whose Personal Data is included in briefs, voice recordings, transcripts, brand-kit assets, or other materials submitted to the Service.
Categories of Personal Data: identifiers (name, email, phone), authentication identifiers, billing contact details, audio recordings and transcripts of calls placed to Processor's voice number, SMS / iMessage messages exchanged with Processor's messaging number, brief content (which may include any information the Controller chooses to include), generated outputs, brand-kit assets, telemetry, IP addresses and device data, and support communications. Controller is responsible for ensuring it has a lawful basis for any special-category Personal Data it submits.
Sensitive Data: none required by the Service. Processor does not solicit or rely on sensitive Personal Data.
Frequency of transfer: continuous, on demand as the Service is used.
Nature and purpose of Processing: hosting, storage, transmission, transcription, generation of .pptx presentations, account and billing administration, support, security, and product analytics, as described in the Agreement and the Privacy Policy.
Duration: for the term of the Agreement and the retention periods described in the Privacy Policy.
Competent supervisory authority (for SCCs): where Controller is established in the EEA, its lead supervisory authority; otherwise, the Irish Data Protection Commission.
Annex II — Technical and Organizational Measures
- Encryption in transit: TLS 1.2 or higher for all external connections; encrypted, network-isolated channels for internal service-to-service traffic.
- Encryption at rest: AES-256 server-side encryption on object storage and on managed database volumes, using provider-managed keys.
- Access control: single sign-on with multi-factor authentication required for all production access; role-based access control with least-privilege defaults; quarterly access reviews; immediate revocation on role change or departure.
- Tenant isolation: logical isolation of each customer's data, enforced at the application and storage layers.
- Audit logging: append-only audit log of every mutating action and every administrative access to Personal Data; retained for 12 months.
- Vulnerability management: continuous dependency, container, and code scanning, with remediation SLAs by severity.
- Secure SDLC: code review for every change; required automated tests, type checking, and lint; secrets managed outside source control.
- Backups and recovery: encrypted backups retained for up to 35 days; documented restore procedures tested periodically.
- Incident response: on-call rotation, documented runbooks, post-incident reviews, customer notification process aligned with Section 8.
- Personnel: background checks proportionate to role for personnel with production access; written confidentiality obligations; annual security and privacy training.
- Physical security: all production infrastructure runs in audited, enterprise-grade cloud data centers whose operators maintain physical security controls equivalent to ISO 27001 / SOC 2.
- Data minimization: retention schedules enforced automatically; deletion APIs available to Controller and to Data Subjects.
- No model training: Customer Content is not used to train or fine-tune machine-learning models; contractual prohibitions in place with model Subprocessors.
Annex III — Authorized Subprocessors
Personal Data may be Processed by the following categories of Subprocessors, each located in the United States. The current named Subprocessor within each category is available to Controller on request to [email protected] and is provided as part of any counter-signed copy of this DPA or the SCCs.
- LLM provider (United States) — AI text-generation that drafts deck content; receives brief text. Contractually prohibited from training on Customer Content.
- Voice / speech-to-text provider (United States) — voice intake and transcription; receives call audio and transcripts.
- Authentication / identity provider (United States) — authentication and account management; receives email addresses and authentication identifiers.
- Payment processor (United States) — PCI-DSS Level 1 payments; receives billing details and card data.
- Telephony provider (United States) — inbound voice number and voice-agent telephony; receives phone numbers and call audio.
- Messaging provider (United States) — SMS / iMessage / RCS intake and outbound replies; receives phone numbers and message content.
- Transactional email provider (United States) — outbound and inbound email; receives email addresses and message content.
- Webhook delivery provider (United States) — webhook delivery; receives webhook payloads emitted to Controller endpoints.
- CDN / edge-security provider (United States) — CDN, DNS, and edge security; processes traffic metadata and IP addresses.
- Cloud compute provider (United States) — compute hosting; processes Service traffic and ephemeral runtime state.
- Managed database provider (United States) — managed relational database; stores account, brief, deck, and billing records.
- Object storage provider (United States) — stores .pptx files, audio recordings, and brand-kit assets.
- Product analytics provider (United States) — first-party product analytics served from our own domain; receives page-view and click events and opt-in session replay.
Processor will notify Controller at least thirty (30) days before adding or replacing a Subprocessor, in accordance with Section 6.
Contact
For questions about this DPA, requests for the SCCs as a standalone document, or to request a counter-signed copy: [email protected].