DATA PROCESSING ADDENDUM (DPA)

Last Updated: March 24, 2026

This Data Processing Addendum (“DPA”) forms part of the Service Agreement between DealGauge (“Processor”) and the user of the Service (“Controller”).

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person contained within Rent Rolls, T12s, or other property documents.
  • "Property Data": Financial and operational documents uploaded by the Controller for analysis.
  • "Sub-processor": Third-party service providers engaged by Processor to deliver the Service (e.g., Airtable, Make.com, OpenAI).

2. Scope and Duration

Processor shall process Personal Data and Property Data only for the purpose of providing commercial real estate analysis, including Rent Roll extraction, T12 financial analysis, and due diligence report generation. The duration of processing shall be transient and limited to the active analysis phase as defined in Section 7.

3. Data Protection Obligations

Process on Instructions: Process data only on the documented instructions of the Controller.

Confidentiality: Ensure that personnel and systems authorized to process the data are committed to strict confidentiality.

AI Training Prohibition: Processor confirms that all AI analysis is conducted via Enterprise-tier APIs. Data transmitted to Sub-processors (OpenAI/Google Gemini) is not used to train, retrain, or improve foundation models.

Volatile Processing: Processor utilizes a "Zero-Persistence" workflow. Automation platforms (Make.com) are configured in "Confidential Mode" to ensure execution logs do not retain sensitive payload data.

4. Sub-processors

Controller grants general authorization to Processor to engage the following Sub-processors:

  • Airtable: Transient database for structured data extraction.
  • Make.com: Workflow automation and data routing.
  • OpenAI / Google Gemini: AI analysis via secure API endpoints.
  • Google Cloud / AWS: Secure cloud infrastructure and document hosting.

5. Security Measures

Processor shall implement industry-standard technical measures:

  • Encryption: Data is encrypted using AES-256 at rest and TLS 1.2+ in transit.
  • Access Control: Strict "least-privilege" access; no human access to uploaded documents is permitted during the automated analysis.

6. Data Breach Notification

In the event of a confirmed Personal Data Breach, Processor shall notify Controller without undue delay (typically within 48-72 hours) and provide reasonable cooperation in the investigation.

7. Automated Purge & Data Shredding

To minimize risks for the Controller, Processor implements an Automated Data Shredding Policy:

  • 7.1Immediate Deletion: All uploaded original documents and extracted sensitive data will be permanently deleted from temporary cloud storage within 24 hours of the completion of the analysis.
  • 7.2No Permanent Residue: No copies of the original Property Data are maintained by the Processor after the purge interval.

8. Limitation of Liability

The total liability of either party under this DPA shall be subject to the limitation of liability provisions set forth in the Service Agreement (ToS).