Data Processing Addendum
1. Roles of the parties
For personal data processed in connection with the Services, Customer acts as the controller (or processor on behalf of its own clients) and Perfecta acts as the processor (or subprocessor). Each party will comply with its obligations under applicable data-protection laws, including the GDPR, UK GDPR, and the CCPA/CPRA, as applicable.
2. Scope & subject matter
The subject matter is the provision of the Services. Processing concerns the personal data contained in documents and matter data submitted by Customer (which may include names, contact details, and information about debtors, secured parties, and related individuals) for the duration of the agreement, for the purpose of providing UCC review and preparation functionality.
3. Processing on instructions
Perfecta will process personal data only on Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Perfecta will notify Customer where legally permitted). Perfecta does not use Customer personal data to train its models and does not process it for any purpose other than providing the Services.
4. Confidentiality
Perfecta ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
5. Security measures
Perfecta maintains appropriate technical and organizational measures designed to protect personal data, consistent with its SOC 2 Type II control program, including encryption in transit and at rest, access controls, logging, and regular testing. Single-tenant deployment is available for enterprise customers.
6. Subprocessors
Customer authorizes Perfecta to engage subprocessors to provide infrastructure and supporting services. Perfecta imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA and remains responsible for their performance. Perfecta will make available a list of subprocessors and provide notice of intended changes so that Customer may object on reasonable grounds.
7. Assistance & data-subject requests
Taking into account the nature of the processing, Perfecta will provide reasonable assistance to Customer in responding to data-subject requests and in meeting its obligations regarding security, breach notification, and data-protection impact assessments.
8. Personal data breach
Perfecta will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data and will provide information reasonably necessary for Customer to meet its notification obligations.
9. Return & deletion
Upon termination of the Services, Perfecta will, at Customer’s choice, delete or return Customer personal data and delete existing copies, except where retention is required by law.
10. Audits
Perfecta will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, subject to reasonable confidentiality and security conditions (which may be satisfied through third-party reports such as the SOC 2 report).
11. International transfers
Where personal data is transferred across borders, the parties will rely on an appropriate transfer mechanism, including the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where applicable.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the agreement and the Terms of Service.
13. Contact
To request a signed copy of this DPA or the current subprocessor list, contact legal@perfecta-ai.com.