Login
Request a Demo

ContractPower Data Processing Agreement

Last Updated: August 7, 2025
This Data Processing Agreement (“DPA”) is incorporated into the ContractPower Terms of Service and Privacy Policy. By using or accessing ContractPower’s services, the Customer agrees to this DPA.

1. Parties and Scope

ContractPower, Inc., a company located at 1602 Charro Street, Encinitas, CA 92024, USA (hereafter “ContractPower” or “Processor”), and Customer (the individual or entity using ContractPower’s services under our Terms of Service, hereafter “Customer” or “Controller”), agree to the terms of this DPA. This DPA governs ContractPower’s processing of Personal Data on behalf of the Customer in connection with the services provided. It is binding by reference as part of the Terms of Service. In case of conflict between this DPA and the Terms of Service, the terms of this DPA will prevail with regard to data protection matters.

2. Definitions

For purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service or applicable data protection laws.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed under this DPA. “Customer Personal Data” means Personal Data that Customer or its end users provide to or upload into ContractPower’s services, or that ContractPower processes on behalf of Customer.
  • “Processing” (and its variants, such as “Process” or “Processed”) means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, use, storage, disclosure, analysis, deletion, or otherwise handling Personal Data.
  • “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA. This includes, where applicable, the European Union General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, and any other similar laws globally.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For this DPA, the Customer is the Controller of Customer Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller. For this DPA, ContractPower is the Processor of Customer Personal Data.
  • “Sub-processor” means any third-party service provider engaged by ContractPower to assist in processing Customer Personal Data on behalf of the Customer and which is bound by data protection obligations compatible with those of this DPA.
  • “Standard Contractual Clauses” (“SCCs”) means the standard data protection clauses adopted by the European Commission for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. (For purposes of this DPA, the relevant SCCs are the Controller-to-Processor clauses from Commission Decision 2021/914, including any applicable UK or Swiss adaptations.)
  • “Services” means the software-as-a-service products and services provided by ContractPower to Customer under the Terms of Service (e.g. the ContractPower platform for contract upload, analysis, AI agent creation, etc.).

3. Roles of the Parties

Controller and Processor. The parties acknowledge that, as between Customer and ContractPower, Customer is the Controller of Customer Personal Data, and ContractPower acts as a Processor on Customer’s behalf. Customer will determine the purposes and means of the processing of Customer Personal Data. ContractPower will process Customer Personal Data only as instructed by Customer and in accordance with this DPA. ContractPower as Controller of Account Data. The parties further acknowledge that ContractPower may process certain Personal Data as a controller for its own purposes (for example, business contact information for contract or billing management, website analytics, or compliance with legal obligations as described in our Privacy Policy). Such processing is outside the scope of this DPA and is instead governed by our Privacy Policy. This DPA applies solely to Personal Data that ContractPower processes on behalf of Customer as part of providing the Services.

4. Details of Processing

This section describes the subject matter, duration, nature, purpose, and types of Personal Data and Data Subjects involved in ContractPower’s processing on behalf of Customer, as required by Article 28 of the GDPR.
  • Subject Matter: The subject matter of the processing is the Customer Personal Data that Customer uploads to or generates via the ContractPower services, for the purpose of receiving contract analysis and related SaaS services from ContractPower.
  • Duration of Processing: ContractPower will Process Customer Personal Data for the duration of the Customer’s use of the Services and until deletion of all Customer Personal Data in accordance with this DPA. Unless otherwise agreed or required by law, upon termination of Services, ContractPower will delete or return Customer Personal Data as set forth in Section 11 of this DPA.
  • Nature and Purpose of Processing: The nature of processing includes collection, storage, organization, analysis (including AI-driven analysis of contract text), and other use of Customer Personal Data as necessary to provide the Services. The purpose of the processing is to enable Customer to analyze contracts, create AI agents, and otherwise utilize ContractPower’s features for contract management, compliance tracking, and related business purposes as described in the Terms of Service. ContractPower will not Process Customer Personal Data for any purpose other than to provide the Services and as instructed by Customer, except as otherwise required by applicable law.
  • Categories of Data Subjects: Data Subjects include (a) Customer’s authorized users of the Services (such as Customer’s employees, contractors, or other personnel who are given access to ContractPower under Customer’s account); and (b) individuals whose personal information is included in the content that Customer submits to the Services for analysis (for example, individuals who are parties to or mentioned in the contracts that Customer uploads, such as contract signatories, counterparties, or employees referenced in those documents).
  • Types of Personal Data: The Personal Data processed on behalf of Customer may include, but is not limited to:
    • User Account Information: Names, business contact information (such as email addresses and company name), usernames or account IDs, and authentication credentials (e.g. hashed passwords) of Customer’s authorized users.
    • Contract Content Data: Any personal data contained within the contracts or documents that Customer uploads for analysis. This may include names, job titles, signatures, addresses, contact details of individuals (such as parties or signatories to a contract), and any other personal data that appears in the text or metadata of those documents. The exact nature of this data is determined by the Customer’s submissions and may vary by document (potentially including financial account details, identification numbers, or other personal information if such appears in contracts).
    • Support/Communications Data: If Customer interacts with ContractPower’s support or contact channels regarding the Services, Personal Data such as the contact details and content of communications may be processed in order to respond to Customer inquiries or provide support (on behalf of Customer or the relevant data subject).
    • Special Categories of Data: ContractPower does not require or intentionally solicit any special categories of personal data (such as data revealing health, racial or ethnic origin, political opinions, etc.) for the use of its Services. The Services are not intended to be used to process such sensitive data. If Customer chooses to include any special category data in the content uploaded, Customer is responsible for ensuring it has a lawful basis to do so and appropriate measures in place, and ContractPower will treat such data in accordance with this DPA.
  • Lawful Basis: Customer shall ensure that it has an appropriate lawful basis under Data Protection Laws for the processing of Customer Personal Data via the Services. Typically, the lawful basis may be legitimate interests (e.g. the Customer’s legitimate interest in using contract analysis tools for business purposes) or necessity for the performance of a contract (if the data subject is a party to a contract with the Customer), or another basis as determined by Customer. ContractPower relies on Customer to have obtained all necessary consents or established another valid legal ground for the processing of personal data, where required by applicable law.

5. Obligations of Customer (Controller)

The Customer, as Controller, agrees and warrants that:
    • 5.1 Lawfulness of Data Sharing: Customer will comply with all Data Protection Laws applicable to its data (including GDPR obligations as a controller). Customer confirms that it has provided any necessary notices to data subjects and has obtained any required consents or authorizations for ContractPower to Process the Customer Personal Data as outlined in this DPA. Customer shall not use the Services to Process Personal Data in a manner that would violate applicable laws (for example, uploading personal data that has been collected without proper legal basis or in a manner that infringes data subject rights).
    • 5.2 Instructions: Customer will ensure that its instructions for ContractPower’s Processing of Personal Data comply with Data Protection Laws. Customer shall only instruct ContractPower to process Personal Data for legitimate purposes consistent with the Terms of Service and this DPA. If Customer provides additional instructions beyond those in this DPA or the existing agreement, such instructions must be agreed to by ContractPower in writing.
    • 5.3 Data Accuracy and Minimization: Customer is responsible for the quality and accuracy of the Personal Data it provides to ContractPower. Customer should limit the Personal Data it submits to what is necessary for the use of the Services and shall refrain from uploading any Personal Data that is not needed for processing through the Services.
    • 5.4 Customer Assistance to Individuals: To the extent required by law, Customer is responsible for handling any data protection-related requests or communications from data subjects or supervisory authorities regarding the Personal Data that is processed via the Services. (ContractPower will assist as described in Section 8 of this DPA.)
  • 5.5 Use Restrictions: Customer shall not instruct ContractPower to process any data in a manner that would violate applicable laws or regulations. Customer will not use the Services to process personal information that is subject to special legal protections (e.g. children’s data under age 16, protected health information under HIPAA, etc.) unless the parties have expressly agreed in writing to such processing and any necessary additional safeguards.

6. Obligations of ContractPower (Processor)

ContractPower, as the Processor of Customer Personal Data, agrees to the following obligations, in accordance with Article 28 of GDPR and equivalent requirements of other Data Protection Laws:
    • 6.1 Processing on Documented Instructions: ContractPower will only Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions. The Terms of Service, this DPA, and Customer’s use of the Services constitute Customer’s complete and final instructions to ContractPower for the processing of Personal Data. ContractPower will not Process Customer Personal Data for any purpose other than those instructed by Customer or as necessary to provide the Services, unless required to do so by law. If ContractPower is required by law to process Customer Personal Data for any other purpose, ContractPower will inform Customer of that legal requirement before processing (unless the law prohibits such notice). ContractPower will promptly inform Customer if, in our opinion, an instruction from Customer violates applicable Data Protection Laws, so that the parties can resolve the issue.
    • 6.2 Confidentiality: ContractPower will ensure that any person it authorizes to process Customer Personal Data (including employees and contractors) is bound by a duty of confidentiality. ContractPower limits access to Customer Personal Data to personnel who need access to deliver the Services, and such personnel are subject to appropriate confidentiality obligations and undergo privacy and security training.
    • 6.3 Security Measures: ContractPower will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These measures are designed to ensure a level of security appropriate to the risk to the Personal Data, including (as appropriate) measures to pseudonymize or encrypt Personal Data, to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, and to restore the availability of Personal Data in a timely manner in the event of an incident. ContractPower’s security measures include, among other things:
      • Encryption of Personal Data in transit (e.g. via TLS/HTTPS) and at rest within our systems or databases.
      • Access controls and authentication measures to ensure only authorized personnel can access Customer data (for example, role-based access and unique user credentials for staff).
      • Network and application security monitoring, including continuous monitoring of systems for vulnerabilities or anomalous activity (utilizing logging and alerting solutions), and regular security assessments or audits (ContractPower aligns with industry standards such as SOC 2 for security and undergoes periodic audits).
      • Physical security measures for any facilities or infrastructure involved in data processing (though ContractPower primarily uses reputable cloud hosting providers with their own robust physical security).
      • Incident response procedures, including detailed protocols to detect, respond to, and mitigate security incidents or breaches.
      • Ongoing evaluation and improvement of security measures, including employee training on data protection and security, and updating practices in light of evolving threats or regulatory requirements.
    • Customer acknowledges that it has reviewed the security measures described above and in ContractPower’s Security Policy (available on our website) and agrees that they provide a level of security appropriate to the risk regarding Customer Personal Data. Customer is responsible for ensuring that its use of the Services (including securing its account credentials and ensuring its systems that integrate with the Service are properly configured) is compliant with Customer’s own security obligations.
    • 6.4 Personal Data Breach Notification: In the event ContractPower becomes aware of a Personal Data Breach (a confirmed incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed by ContractPower), ContractPower will notify Customer without undue delay. Such notification will be made promptly after discovering the breach, and in any case within 72 hours of becoming aware of the breach, taking into account the need to accurately investigate and contain the incident. The notification to Customer will include, to the extent known at the time, relevant details about the nature of the breach, the data compromised, the likely consequences, and the measures taken or proposed by ContractPower to address the breach and mitigate its possible adverse effects. ContractPower will promptly take reasonable steps to contain, investigate, and remedy any Personal Data Breach. ContractPower will cooperate with Customer and provide information reasonably requested by Customer in relation to the breach to assist Customer in fulfilling its own notification obligations (to regulators or data subjects) under Data Protection Laws.
    • 6.5 Assistance with Data Subject Rights: Taking into account the nature of the processing and the information available to ContractPower, ContractPower will assist Customer in fulfilling Customer’s obligations to respond to requests from data subjects to exercise their rights under Data Protection Laws (such as rights of access, rectification, erasure, objection, restriction, or data portability). In practice, Customer may use the features of the Service to access, correct, or delete Customer Personal Data. If a data subject sends a request regarding their Personal Data directly to ContractPower, we will promptly forward it to Customer (and will only respond to the data subject directly if authorized by Customer or required by law). ContractPower will also assist the Customer, upon request, with reasonable measures for Customer to comply with data protection impact assessments (DPIAs) or prior consultations with supervisory authorities, as required by GDPR Articles 35 and 36, taking into account the nature of processing and information available to us.
    • 6.6 Audits and Demonstrating Compliance: ContractPower will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. This includes maintaining records of processing activities and certifications or audit reports relating to the processing of Personal Data under this DPA. Upon Customer’s written request, and no more than once annually, ContractPower will either (at its choice) (a) provide Customer with a copy of its most recent relevant audit report or certification (e.g. a SOC 2 report or similar, under appropriate non-disclosure protections), or (b) permit and cooperate with an audit by Customer or an independent auditor mandated by Customer (subject to reasonable notice, during normal business hours, and under a confidentiality agreement). The scope of any such audit will be limited to documents and facilities relevant to ContractPower’s processing of Customer Personal Data. Customer is responsible for any costs associated with an audit it initiates. If the Standard Contractual Clauses apply, ContractPower will allow for and contribute to audits as described in the SCCs, subject to the conditions above.
    • 6.7 Data Protection Officer and Contact: ContractPower has appointed personnel responsible for data protection compliance. While ContractPower may not be legally required to appoint a formal Data Protection Officer under GDPR, our Chief Technology Officer (CTO) oversees data protection responsibilities. Customer can contact ContractPower’s privacy team or designated contact (via privacy@contractpower.ai or other contact method provided on our website) with any questions or concerns regarding this DPA or the processing of Personal Data.
  • 6.8 Compliance with Laws: ContractPower will comply with all applicable Data Protection Laws in carrying out its duties under this DPA, including the GDPR to the extent applicable to it as a Processor. ContractPower will inform Customer if it can no longer comply with its obligations under this DPA or Data Protection Laws, in which case Customer may suspend data processing or terminate the Agreement.

7. Sub-Processors

Customer provides a general authorization for ContractPower to engage Sub-processors to assist in the processing of Customer Personal Data in connection with the Services. These Sub-processors are third-party companies that provide elements of the Service (for example, cloud hosting or payment processing) and may process Personal Data on ContractPower’s behalf. The following Sub-processors are currently authorized and engaged by ContractPower:
  • Supabase (USA) – Cloud database and authentication provider for storing user account information and application data.
  • Vercel (USA) – Hosting and content delivery provider for the ContractPower web application (front-end hosting and related services).
  • Render (USA) – Cloud application hosting provider used for ContractPower’s back-end services and processing tasks.
  • Microsoft Azure / OpenAI (USA) – AI processing and language model provider. Used to perform AI-driven analysis on contract text that Customer submits (e.g. via OpenAI’s APIs and Azure cloud infrastructure).
  • Better Stack (USA) – Logging and monitoring service provider for system logs and analytics (used to monitor system performance, detect anomalies and ensure reliability of the Service). Logs may include IP addresses or other usage metadata for security and troubleshooting.
  • Google Cloud/Gemini (USA) – Text generation for app outputs.
  • Stripe (USA) – Payment processing provider. Handles payment transactions and billing information for subscription payments to ContractPower (which can include Customer’s billing contact details and payment card information). Payment information data storage is handled solely by Stripe – ContractPower does not collect any info.
  • Hotjar – Customer app usage analytics. Collects information on customer click and form behavior. Customers can opt out of analytics through DSAR
  • Quickbooks – Financial records handling. ContractPower collects necessary data for recordkeeping, including PII such as names, addresses, and emails.
ContractPower has entered into a written agreement with each Sub-processor imposing data protection obligations that are substantially similar to those in this DPA, to the extent applicable to the services each Sub-processor provides. ContractPower will remain liable to Customer for the performance of its Sub-processors’ obligations to the same extent ContractPower would be liable if performing the services of each Sub-processor directly under the terms of this DPA. In other words, ContractPower will be responsible for any acts or omissions of its Sub-processors that result in a breach of ContractPower’s obligations under this DPA. Notification of New Sub-processors: ContractPower will inform Customer of any intended changes to its Sub-processor list (either by adding a new Sub-processor or replacing an existing one) at least 14 days before the new Sub-processor begins processing Customer Personal Data. ContractPower will provide this notice by updating the Sub-processor list on our website and/or by email notification to the Customer (if the Customer has subscribed to receive such updates). It is Customer’s responsibility to check for any such updates. If Customer objects to a new Sub-processor on reasonable, data-protection-related grounds within the 14-day notice period, Customer should notify ContractPower in writing. The parties will then discuss in good faith to seek a resolution. If no agreement can be reached, Customer’s sole remedy (if the objection cannot be resolved) is to cease using the Services and terminate the Agreement by providing written notice to ContractPower. In such case, ContractPower will refund any prepaid fees for the period after termination. If Customer does not object within the notice period, the new Sub-processor will be deemed accepted.

8. International Data Transfers

ContractPower is based in the United States and may process Customer Personal Data in the United States. In addition, some of the Sub-processors listed in Section 7 (and ContractPower’s own infrastructure) are located in the United States or other jurisdictions outside the Customer’s country. This section addresses the measures in place to lawfully transfer Personal Data from the European Economic Area (EEA), Switzerland, the United Kingdom (UK), or other jurisdictions with data transfer restrictions, to the United States or any other country that may not have an “adequate” level of data protection (as determined by relevant authorities). 8.1 EEA/Switzerland Transfers – Standard Contractual Clauses: To the extent that ContractPower’s processing of Customer Personal Data involves a transfer from the EEA or Switzerland to a country (such as the USA) that the European Commission or Swiss authorities have not recognized as providing an adequate level of data protection, the parties agree that the transfer shall be governed by the EU Standard Contractual Clauses (SCCs) to ensure an adequate level of protection for the transferred data. The SCCs are hereby incorporated into this DPA by reference. Specifically, the Module Two (Controller-to-Processor) SCCs (as approved by EU Commission Decision 2021/914) will apply, with the Customer as the “data exporter” and ContractPower as the “data importer.” The details required by the SCCs (such as categories of data subjects, categories of data, etc.) are as set out in this DPA (in particular, Section 4 above serves as Annex I of the SCCs describing the transfer). The security measures described in Section 6.3 of this DPA shall serve as Annex II of the SCCs. For the optional clauses or variables in the SCCs, the parties agree as follows:
  • In Clause 7 (Docking Clause): the optional docking clause is enabled, allowing additional parties to join the SCCs as needed.
  • In Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies, and the “time period” for prior notice of Sub-processor changes shall be the 14 days mentioned in Section 7 of this DPA.
  • In Clause 17 (Governing law): the parties select the law of an EU Member State in which the data exporter is established. If such law is not specified by the Customer, the parties agree that the laws of Ireland shall govern the SCCs.
  • In Clause 18 (Choice of forum and jurisdiction): the parties agree that the courts of the selected Member State (as per Clause 17) shall have jurisdiction. (If Ireland is selected for Clause 17, the courts of Ireland will have jurisdiction for SCC disputes.)
  • Annex I of the SCCs (List of Parties, Description of Transfer) is deemed completed with the information from this DPA: the data exporter is the Customer (and contact details would be the Customer’s contact information as provided in their account or agreement with ContractPower); the data importer is ContractPower, Inc. (contact info: 1602 Charro St, Encinitas, CA 92024, email: security@contractpower.ai). The categories of data subjects, data, and processing operations are as set out in Section 4 of this DPA.
  • Annex II of the SCCs (Security Measures) is completed with the measures described in Section 6.3 of this DPA (and any additional detail available in ContractPower’s Security Policy).
By agreeing to this DPA, the parties are deemed to have signed the SCCs where required. If needed for evidentiary purposes, ContractPower can provide a separate executed copy of the SCCs upon request. 8.2 UK Transfers – UK Addendum: For data transfers from the United Kingdom, the parties agree that the UK International Data Transfer Addendum (issued by the UK Information Commissioner’s Office, version B1.0, “UK Addendum”) shall be deemed incorporated into this DPA to supplement the SCCs. In the context of the UK Addendum, the information required for the “Tables” is provided by the details of this DPA and the selections in Section 8.1 above (e.g., the SCC Module Two is the “Approved EU SCCs” referenced in the Addendum). Any conflict between the SCCs and the UK Addendum shall be resolved in favor of the provision that offers the greater protection to data subjects. 8.3 Other Jurisdictions: If Customer transfers Personal Data from other jurisdictions with data transfer restrictions (for example, Canada, Brazil, or other countries with data export requirements), the parties will cooperate to implement appropriate transfer mechanisms or agreements as required by law. This may include standard contractual clauses or similar instruments approved for use in those jurisdictions. ContractPower will not refuse to execute additional data transfer agreements reasonably required by Customer to lawfully transfer data, provided that such agreements impose no greater obligations than those in this DPA or are required by law. 8.4 Additional Safeguards: In addition to the SCCs and other transfer mechanisms, ContractPower agrees to maintain additional safeguards to protect Personal Data transferred internationally. This includes measures such as: (i) Commitment to No Mass Surveillance: ContractPower has not purposefully created backdoors or allowed law enforcement access to Personal Data in a manner inconsistent with applicable law; ContractPower will resist and challenge any government or third-party access requests for Customer Personal Data that are overbroad or not legally binding. (ii) Transparency: If ContractPower receives a legally binding request from a public authority (including intelligence agencies) for access to Customer Personal Data, ContractPower will (to the extent allowed by law) promptly notify Customer and provide details of the request to enable the Customer to seek protective measures. (iii) Minimization: ContractPower will only disclose the minimum data necessary to satisfy a request if required by law, after exhausting any available appeals or challenges. These practices are intended to supplement the SCCs by addressing the requirements of GDPR and relevant court rulings for international data transfers.

9. Assistance and Cooperation

In addition to assistance with data subject rights (Section 6.5) and breach notification (Section 6.4) described above, ContractPower will provide reasonable cooperation to Customer in respect of Customer’s obligations under Data Protection Laws. This includes:
  • 9.1 Regulator Inquiries: If a supervisory authority or other regulator makes an inquiry or demand (such as an investigation or audit) regarding the Personal Data processed under this DPA, ContractPower will promptly inform Customer (unless legally prohibited). ContractPower will cooperate with Customer’s reasonable requests to address any such regulator inquiries, including providing relevant information about the processing and compliance measures.
  • 9.2 Data Protection Impact Assessments: ContractPower will assist Customer in conducting data protection impact assessments (DPIAs) and any required prior consultations with supervisory authorities, insofar as such assistance is reasonably necessary and relates to ContractPower’s processing of the Personal Data, taking into account the nature of processing and information available to ContractPower.
  • 9.3 Compliance Documentation: Upon request, ContractPower can provide documentation or certificates demonstrating its compliance with this DPA (e.g., summaries of audit results, security certifications, SOC 2 report, etc., subject to appropriate confidentiality).
Customer shall make any such requests for assistance or cooperation in writing to ContractPower’s contact and allow reasonable time for ContractPower to respond or provide information. ContractPower reserves the right to charge a reasonable fee for providing excessive or onerous assistance that goes beyond the standard services (for example, if Customer requests extensive resources for a DPIA that is not covered by the normal operation of the Services), but any such fee will be agreed upon with Customer in advance.

10. Confidentiality and Data Privacy

All Customer Personal Data processed by ContractPower under this DPA is considered confidential information of Customer. ContractPower will not disclose Customer Personal Data to any third party except as permitted by this DPA, the Terms of Service, or as necessary to comply with a lawful government request (under the conditions of Section 8.4) or other legal obligation. ContractPower’s obligation of confidentiality with respect to Customer Personal Data survives termination of the Agreement and continues for so long as ContractPower retains any Personal Data about Customer or its data subjects. Furthermore, ContractPower’s handling of Personal Data is subject to our general Privacy Policy (to the extent it does not conflict with this DPA). ContractPower will not “sell” personal data or “share” it for cross-context behavioral advertising as defined under applicable US laws (like CCPA/CPRA) and will not use Customer Personal Data for purposes other than providing the Services, in accordance with Customer’s instructions. In providing the Services, ContractPower acts as a “service provider” or “processor” with respect to Customer Personal Data and will not retain, use, or disclose the Personal Data except as permitted in this DPA and the Agreement.

11. Return or Deletion of Data

Deletion or Return Upon Termination: Upon expiration or termination of the Customer’s use of the Services, Customer has the right to decide whether the Personal Data should be returned or deleted. At Customer’s election (to be made in writing prior to or upon termination), ContractPower will either: (a) return to Customer all Customer Personal Data (in a common machine-readable format), and/or (b) securely delete all Customer Personal Data from ContractPower’s systems. If Customer does not request a specific action, the default is that ContractPower will delete the Customer Personal Data after termination of the services. ContractPower will complete such deletion within 30 days following the effective date of termination, except to the extent applicable law requires a longer retention period. For clarity, deletion of data will include erasing or anonymizing Personal Data in live systems; backup copies will be overwritten or destroyed in the normal course of business within an additional reasonable period. Retention for Legal Compliance: Notwithstanding the above, ContractPower is permitted to retain Personal Data after termination only as necessary to comply with applicable laws or regulations, or for legitimate business purposes such as the resolution of disputes, enforcement of agreements, or compliance with tax, audit, or accounting requirements. In any such case, ContractPower will continue to protect all retained Personal Data in accordance with the requirements of this DPA and will not actively process it for any other purpose. Any retained data will be limited to what is strictly necessary for the stated purpose. Once the retention period has expired or the legal requirement is no longer applicable, ContractPower will proceed with deletion or irreversible anonymization of the remaining Personal Data. Certification of Deletion: Upon Customer’s request, ContractPower will provide a confirmation that deletion has been completed in accordance with the above. This may be a written confirmation or certification provided by an authorized ContractPower representative.

12. Liability and Indemnification

12.1 Liability Cap: Each party’s liability arising out of or in connection with this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations and exclusions of liability set forth in the Terms of Service or other main agreement between the parties. The parties agree that any liability of ContractPower arising under this DPA or in relation to ContractPower’s processing of personal data on Customer’s behalf will be subject to the same limitations and exclusions of liability that apply under the main Terms of Service. In no event will either party be liable for any indirect, consequential, punitive, or special damages, or for lost profits, lost revenue, business interruption, or loss of data, arising from or related to this DPA, even if advised of the possibility of such damages. 12.2 Indemnification: Customer shall indemnify and hold harmless ContractPower from any damages, fines, or claims (including reasonable attorneys’ fees) arising from Customer’s breach of its obligations under this DPA or Data Protection Laws, including any processing conducted by ContractPower pursuant to Customer’s instructions that infringes third-party rights or violates law (except to the extent that such claim was caused by ContractPower’s breach of this DPA). ContractPower will likewise indemnify and hold Customer harmless for any fines or third-party claims against Customer that result directly from ContractPower’s breach of this DPA or its violation of applicable Data Protection Laws when acting as Customer’s Processor, provided that ContractPower’s aggregate liability under this indemnity is subject to the limitations in Section 12.1 above. Each party’s duty to indemnify is conditional upon the party seeking indemnification: (i) promptly notifying the other party of the claim (so as not to prejudice the defense); (ii) giving the indemnifying party sole control of the defense and settlement of the claim (provided that no settlement shall be made that imposes liability or admission of fault on the indemnified party without their consent, such consent not to be unreasonably withheld); and (iii) providing reasonable cooperation and assistance in the defense at the indemnifying party’s expense.

13. Term and Termination

This DPA becomes effective between ContractPower and Customer upon Customer’s agreement to the Terms of Service and commencement of use of the Services. It shall remain in effect as long as ContractPower processes Customer Personal Data on behalf of Customer (i.e. for the duration of the Service term) and until all Customer Personal Data is deleted from ContractPower’s systems after termination, in accordance with Section 11. Termination or expiration of the Terms of Service will automatically terminate this DPA. However, ContractPower’s obligations and Customer’s rights under this DPA with respect to the protection of Personal Data shall continue to apply until deletion of the data is completed. Sections of this DPA that by their nature should survive termination (such as confidentiality, data return/deletion, liability, and jurisdiction terms) shall survive.

14. Miscellaneous Provisions

  • 14.1 Incorporation into Agreement: This DPA is incorporated into and forms part of the overall agreement between ContractPower and Customer regarding the use of the Services. No modification to this DPA is binding unless in writing and signed by authorized representatives of both parties, except as provided in Section 14.2 below regarding updates.
  • 14.2 Updates to this DPA: ContractPower may update or modify the terms of this DPA from time to time as needed to reflect changes in law or our Services. If we make a material change to the DPA, we will notify Customers by posting the revised DPA on our website (and/or through an in-app notification or email, where feasible). The updated DPA will become effective and binding 30 days after such posting or notice, unless Customer objects in writing within that period. If Customer objects to the changes in the DPA and the issue cannot be resolved through good-faith discussions, Customer may terminate the Services without penalty for convenience before the changes take effect. By continuing to use the Services after the effective date of an updated DPA, Customer will be deemed to have accepted the updated DPA.
  • 14.3 Conflict with Other Agreements: In the event of any conflict or inconsistency between the provisions of this DPA and any other agreement between the parties (including the Terms of Service or any commercial contract), the provisions of this DPA shall prevail with respect to the parties’ obligations concerning data protection and privacy. Except as modified by this DPA, the Terms of Service (and any associated agreements) remain in full force and effect.
  • 14.4 Severability: If any provision of this DPA is found by a court of competent jurisdiction or regulatory authority to be invalid, illegal, or unenforceable, that provision (or the affected part thereof) shall be deemed modified to the minimum extent necessary to make it valid and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification or deletion of a provision under this section will not affect the validity of the remainder of this DPA, which shall remain in effect.
  • 14.5 Governing Law: This DPA shall be governed by and construed in accordance with the same governing law that is specified in the ContractPower Terms of Service for the principal agreement, except to the extent that the GDPR or other applicable Data Protection Laws mandatorily apply a different law. For clarity, any disputes arising from this DPA will be subject to the jurisdiction and venue stipulated in the Terms of Service, unless required otherwise by applicable law. In cases where the Standard Contractual Clauses apply and mandate the application of an EU member state’s law for the protection of Personal Data, the choice of law and forum for the SCCs is set forth in Section 8.1 above (generally the law of Ireland or the law of the Customer’s EU jurisdiction).
  • 14.6 Entire Agreement: This DPA (including the SCCs incorporated herein) constitutes the entire agreement of the parties with regard to its subject matter (data processing and privacy) and supersedes all prior and contemporaneous understandings or agreements, both written and oral, regarding such subject matter. Each party acknowledges that, in entering into this DPA, it does not rely on any statement, representation, warranty, or understanding that is not expressly set out in this DPA or the broader Terms of Service.
  • 14.7 Signatures and Execution: Binding by Use. This DPA does not require a physical signature to be binding. By using ContractPower’s Services or by agreeing to the Terms of Service online, Customer is deemed to have accepted and executed this DPA in its entirety. If required by Customer’s internal procedures or by law, Customer may countersign a copy of this DPA (including the incorporated SCCs) by contacting ContractPower, but a failure to do so shall not affect the validity of this DPA, which is already in force by virtue of the Customer’s agreement to the Terms of Service and use of the Services.
  • 14.8 No Third-Party Beneficiaries: Nothing in this DPA confers any benefits or rights on any person or entity other than the parties and their respective successors and permitted assigns, except that data subjects may enforce certain provisions of the Standard Contractual Clauses as third-party beneficiaries, where applicable.
  • 14.9 Relationship of the Parties: This DPA does not alter the parties’ independent contractor relationship under the Terms of Service. This DPA does not create any agency, partnership, or joint venture between the parties, and does not expand either party’s liability beyond what is stated in the Agreement.
  • 14.10 Contact Information: If you have any questions or concerns about this DPA or ContractPower’s data handling practices, please contact us by email at privacy@contractpower.ai or by postal mail at ContractPower, Inc., 1602 Charro Street, Encinitas, CA 92024, USA (Attn: Data Privacy). We will be happy to assist and address any issues related to this DPA.
Demo ContractPower Today

Stop reading your contracts, Start knowing them 75% faster

Error: Contact form not found.