DATA PROCESSING ADDENDUM (DPA)

Last Updated: April 26, 2026

This Data Processing Addendum (“DPA”) forms part of the Service Agreement between DealGauge (“Processor”) and the user of the Service (“Controller”).

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person contained within Rent Rolls, T12s, or other property documents.
  • "Property Data": Financial and operational documents uploaded by the Controller for analysis.
  • "Sub-processor": Third-party service providers engaged by Processor to deliver the Service (e.g., Airtable, Make.com, OpenAI).

2. Scope and Duration

Processor shall process Personal Data and Property Data only for the purpose of providing commercial real estate analysis, including Rent Roll extraction, T12 financial analysis, and due diligence report generation. The duration of processing shall be transient and limited to the active analysis phase as defined in Section 7.

3. Data Protection Obligations

Process on Instructions: Process data only on the documented instructions of the Controller.

Confidentiality: Ensure that personnel and systems authorized to process the data are committed to strict confidentiality.

AI Training Prohibition: Processor confirms that all AI analysis is conducted via Enterprise-tier APIs. Data transmitted to Sub-processors (OpenAI/Google Gemini) is not used to train, retrain, or improve foundation models.

Volatile Processing: Processor utilizes a zero-persistence workflow. Automation platforms are configured in Confidential Mode to ensure execution logs do not retain sensitive payload data.

4. Sub-processors

Controller grants general authorization to Processor to engage Sub-processors for the purpose of delivering the Service. An up-to-date list of Sub-processors is available upon request. Processor shall notify Controller of any material changes to its Sub-processor list.

5. Security Measures

Processor shall implement industry-standard technical measures:

  • Encryption: Data is protected by industry-standard encryption at rest and in transit, as provided by our infrastructure partners.
  • Access Control: Strict "least-privilege" access; no human access to uploaded documents is permitted during the automated analysis.

6. Data Breach Notification

In the event of a confirmed Personal Data Breach, Processor shall notify Controller without undue delay and within 72 hours, and provide reasonable cooperation in the investigation.

7. Automated Purge & Data Shredding

To minimize risks for the Controller, Processor implements an Automated Data Shredding Policy:

  • 7.1Data Deletion: All uploaded original documents and extracted sensitive data will be permanently deleted from temporary cloud storage within 24 hours of the completion of the analysis. Data is retained during this window solely to facilitate post-delivery support, such as re-running the analysis upon Controller request.
  • 7.2No Permanent Residue: No copies of the original Property Data are maintained by the Processor after the purge interval.

8. Limitation of Liability

The total liability of either party under this DPA shall be subject to the limitation of liability provisions set forth in the Service Agreement (ToS).