Data Processing Agreement
Last updated: January 2026 | Version 1.1
For Enterprise Customers: This Data Processing Agreement (DPA) governs the processing of personal data when you use RFP Matrix as a business customer. To execute this DPA, please contact us at enterprise@rfpmatrix.com.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing Personal Data (typically you, the customer).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (RFP Matrix).
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual whose Personal Data is being processed.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by RFP Matrix on behalf of the Customer in connection with the provision of the Service.
2.1 Subject Matter
The subject matter of processing is the provision of RFP management services, including document parsing, AI-powered requirement extraction, and response generation.
2.2 Duration
Processing will continue for the duration of the Service agreement plus any legally required retention period.
2.3 Nature and Purpose
Processing activities include:
- Storage of uploaded RFP documents
- Text extraction and analysis
- AI-powered processing via third-party services
- Storage of user responses and notes
2.4 Types of Personal Data
- Contact information (names, email addresses)
- Document content (may contain personal data from RFPs)
- User-generated content (responses, notes)
- Usage data (IP addresses, activity logs)
2.5 Categories of Data Subjects
- Customer employees and authorized users
- Individuals mentioned in RFP documents
3. Customer Obligations
The Customer agrees to:
- Ensure lawful basis for processing Personal Data
- Provide any required notices to Data Subjects
- Ensure accuracy of Personal Data provided
- Respond to Data Subject requests where applicable
- Comply with applicable data protection laws
4. Processor Obligations
RFP Matrix agrees to:
- Process Personal Data only on documented instructions from the Customer
- Ensure personnel are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without prior authorization
- Assist the Customer in responding to Data Subject requests
- Assist with security, breach notification, and impact assessments
- Delete or return Personal Data upon termination (at Customer's choice)
- Make available information necessary to demonstrate compliance
4.1 AI Processing and Model Training
Customer Data processed through AI sub-processors (including Google Gemini API) is subject to the following protections:
- Purpose limitation: Data is used solely to provide the Service (document analysis, requirement extraction, response generation)
- No model training: Customer Data is not used to train, improve, or fine-tune any AI or machine learning models
- No retention for training: AI sub-processors do not retain Customer Data beyond the immediate processing request, except for temporary abuse monitoring as required by their service terms (maximum 55 days, not used for training)
- Confidentiality: Customer Data processed by AI sub-processors is subject to the same confidentiality and security obligations as all other Customer Data
RFP Matrix has verified that its AI sub-processors' terms prohibit the use of API inputs and outputs for model training purposes. Customers may request documentation of these terms by contacting dpo@rfpmatrix.com.
5. Security Measures (Annex 1)
RFP Matrix implements the following technical and organizational measures pursuant to GDPR Article 32:
5.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections; HTTPS enforced |
| Encryption at rest | AES-256 encryption for database and file storage |
| Password security | bcrypt hashing (cost factor 12); minimum complexity requirements |
| Authentication | Email verification; optional 2FA (TOTP); session management |
| Rate limiting | Redis-based rate limiting on authentication and API endpoints |
| CSRF protection | Token-based CSRF protection on all state-changing operations |
| Input validation | Schema validation (Zod); parameterized database queries |
| Logging & monitoring | Comprehensive audit logging; error tracking (Sentry) |
| Backup & recovery | Automated daily backups; point-in-time recovery capability |
5.2 Organizational Measures
| Measure | Implementation |
|---|---|
| Access control | Principle of least privilege; role-based access; MFA for admin access |
| Confidentiality | NDA requirements for all personnel with data access |
| Incident response | Documented incident response plan; 72-hour breach notification |
| Vendor management | Security assessments for all sub-processors; DPAs in place |
| Data minimization | Collection limited to necessary data; retention policies enforced |
6. Sub-processors
6.1 Authorized Sub-processors
The Customer authorizes the use of the following Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google LLC (Gemini API) | AI processing for document analysis and response generation | United States | SCCs, DPA, no model training on API data |
| Stripe, Inc. | Payment processing and subscription management | United States | SCCs, DPA, PCI-DSS Level 1 |
| Vercel Inc. | Application hosting and edge delivery | United States / Global Edge | SCCs, DPA, SOC 2 Type II |
| Neon Inc. | PostgreSQL database hosting | United States (AWS us-east-1) | SCCs, DPA, SOC 2 Type II |
| Upstash Inc. | Redis caching and rate limiting | United States / Global | SCCs, DPA, SOC 2 Type II |
| Resend Inc. | Transactional email delivery | United States | SCCs, DPA |
| Sentry (Functional Software, Inc.) | Error monitoring and performance tracking | United States | SCCs, DPA, SOC 2 Type II |
6.2 Sub-processor Changes
RFP Matrix will notify the Customer of any intended changes to Sub-processors at least 30 days in advance. Notifications will be sent to:
- The email address associated with your account
- Enterprise customers: your designated DPA contact
To subscribe to sub-processor change notifications, email help@rfpmatrix.com with subject line "Subscribe to Sub-processor Updates".
The Customer may object to a new Sub-processor within 14 days of notification. If a reasonable objection cannot be resolved, the Customer may terminate the affected services without penalty.
7. International Data Transfers (Annex 2)
Where Personal Data is transferred outside the EEA to countries without an adequacy decision, we ensure appropriate safeguards are in place:
7.1 Standard Contractual Clauses
We incorporate the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) for transfers to all US-based sub-processors. The applicable modules are:
- Module Two: Controller to Processor (Customer to RFP Matrix)
- Module Three: Processor to Processor (RFP Matrix to Sub-processors)
7.2 Transfer Impact Assessments
We have conducted Transfer Impact Assessments (TIAs) for each US sub-processor, evaluating:
- The legal framework in the destination country (US surveillance laws)
- The nature and sensitivity of data transferred
- Contractual, technical, and organizational safeguards
- Likelihood of government access requests
TIA summaries are available to enterprise customers upon request by contacting dpo@rfpmatrix.com.
7.3 Supplementary Measures
In addition to SCCs, we implement the following supplementary measures as recommended by the EDPB:
- End-to-end encryption for data in transit (TLS 1.2+)
- Encryption at rest using AES-256
- Data minimization - only necessary data is transferred
- Pseudonymization where technically feasible
- Strict access controls with audit logging
- Contractual commitments from sub-processors to challenge access requests
8. Data Subject Rights
RFP Matrix will assist the Customer in responding to Data Subject requests including:
- Access requests (Article 15)
- Rectification requests (Article 16)
- Erasure requests (Article 17)
- Restriction of processing (Article 18)
- Data portability (Article 20)
- Objection to processing (Article 21)
Self-service tools are available in user account settings for data export and account deletion. For complex requests, contact privacy@rfpmatrix.com.
9. Data Breach Notification
In the event of a Personal Data breach, RFP Matrix will:
- Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach
- Provide information about:
  - Nature of the breach and categories of data affected
  - Approximate number of data subjects affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
- Assist the Customer in meeting any breach notification obligations to supervisory authorities and data subjects
- Cooperate with any investigation and remediation efforts
10. Audit Rights
Upon reasonable notice (minimum 30 days), RFP Matrix will:
- Make available to the Customer information necessary to demonstrate compliance with GDPR Article 28 obligations
- Allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, subject to confidentiality obligations
- Provide copies of relevant certifications and audit reports:
  - Sub-processor SOC 2 Type II reports (where available)
  - Penetration test summaries (annual)
  - Internal security assessment reports
Audit costs shall be borne by the requesting party unless the audit reveals material non-compliance by RFP Matrix.
11. Data Retention and Deletion
Upon termination of the Service agreement:
- At the Customer's choice, RFP Matrix will delete or return all Personal Data
- Deletion will be completed within 90 days of request
- Certification of deletion available upon request
- RFP Matrix may retain data where required by law (with notification to Customer)
- Backup data will be deleted according to normal backup rotation schedules (maximum 30 days after primary deletion)
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the main Service agreement, except that:
- Neither party excludes liability for breaches of data protection law caused by wilful misconduct or gross negligence
- Liability caps do not apply to regulatory fines imposed on either party
13. Contact
For DPA-related inquiries:
- General inquiries: enterprise@rfpmatrix.com
- Data Protection Officer: dpo@rfpmatrix.com
- Sub-processor updates: help@rfpmatrix.com
- Security incidents: security@rfpmatrix.com
Request a Signed DPA
Enterprise customers can request a countersigned copy of this DPA. Please contact enterprise@rfpmatrix.com with:
- Your company name and registered address
- Company registration number (if applicable)
- Contact person for data protection matters
- Any specific requirements or modifications needed
Standard DPA execution is included at no additional cost. Custom modifications may require legal review.